Setting up Single Sign-On (SSO) requires some technical information from the admin settings of your Identity Provider. You will likely need the assistance of the team that manages that system to get that information.


Alongside Google, we support the following Identity Providers; click for the relevant guide:


1. Creating an application within Google to store ISMS.online SSO information

Set up an application for ISMS.online by applying the following settings in your Google Admin Console:

If you have already set a custom subdomain, please use it as the <ORGANISATION> placeholder below.

  • The Assertion Consumer Service (ACS) URL (this is the URL where ISMS.online will receive the response from the identity provider): 

                                https://<ORGANISATION>.isms.online/sso/saml2 


  • The Entity ID of the live instance of ISMS.online: 

                                https://<ORGANISATION>.isms.online/sso/saml2/sp


For customers in the APAC region please use the following settings:

  • The Assertion Consumer Service (ACS) URL (this is the URL where ISMS.online will receive the response from the identity provider):

                                https://<ORGANISATION>.r2.isms.online/sso/saml2 


  • The Entity ID of the live instance of ISMS.online: 

                                https://<ORGANISATION>.r2.isms.online/sso/saml2/sp


For customers in the North American region please use the following settings:

  • The Assertion Consumer Service (ACS) URL (this is the URL where ISMS.online will receive the response from the identity provider):

                                https://<ORGANISATION>.r3.isms.online/sso/saml2 


  • The Entity ID of the live instance of ISMS.online: 

                                https://<ORGANISATION>.r3.isms.online/sso/saml2/sp


For customers in the European Union (EU) region please use the following settings:

  • The Assertion Consumer Service (ACS) URL (this is the URL where ISMS.online will receive the response from the identity provider):

                                https://<ORGANISATION>.r4.isms.online/sso/saml2 


  • The Entity ID of the live instance of ISMS.online: 

                                https://<ORGANISATION>.r4.isms.online/sso/saml2/sp


Sharing information about your identity provider 

To begin the setup of SSO for your organisation, the ISMS.online support team needs the following information from your Identity Provider. Examples for Google are below, where the unique part of the URL is represented as ''...''

  • Your required subdomain (the <ORGANISATION> placeholder above).
    • If you have already set up a custom subdomain in the platform, please use that.
  • The SSO target URL of your identity provider (this is the URL that your identity provider is accessed at):



  • The certificate of your identity provider in Base64
    • This is usually downloaded within your Identity Provider Settings

Please note, any requests should come initially from an Organisation Admin.

Once you have that, you can either email it to [email protected], or reach out to us via the live chat.


How to find the identity provider information

  1. From the Admin console Home page, go to Apps > SAML apps.
  2. Click Add (+ symbol) in the bottom right.
  3. Click Set up my own custom app.
    The Google IDP Information window opens and the SSO URL and Entity ID fields automatically populate.
  4. Get the setup information needed by the service provider using one of these methods:
    - Copy the SSO URL and Entity ID and download the Certificate in Base 64.
    - Download the IDP metadata.

Connecting your identity provider to the ISMS.online live environment 

Once we have received information about your identity provider, we will inform you that your sub-domain for the ISMS.online live environment is accessible. 


This will allow you to configure access to the ISMS.online live environment, by applying the following settings in your Google Admin Console: 

  • The Assertion Consumer Service (ACS) URL (this is the URL where ISMS.online will receive the response from the identity provider): 

https://<ORGANISATION>.isms.online/sso/saml2 


  • The Entity ID of the live instance of ISMS.online: 

https://<ORGANISATION>.isms.online/sso/saml2/sp 


Mapping Attributes


The persistent name identifier (NameID) format must be used.


These attribute mappings need to be set up:

| SAML attribute name | What it needs to map to in the identity provider |
| --- | --- |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname | First name |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname | Last name |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress | Email - For existing users, this should be the same email address that is used to log in to ISMS.online. |



Accessing ISMS.online via SSO 

Organisations using SSO will access ISMS.online via a sub-domain. This is a change to how you access ISMS.online at the moment. 


Rather than going to platform.isms.online, once SSO is activated you will be able to access the system at:  


https://<ORGANISATION>.isms.online 


This ensures that we can always redirect your users to the correct identity provider when they sign in or access the system for the first time. 



To note:

  • Either the assertion, the response, or both the assertion and the response must be signed 
  • SHA-1 & SHA-256 algorithms are supported for the signature and digest. We recommend the use of SHA-256 as best practice 
  • SSO can be initiated from the service provider or the identity provider 
  • Encrypted assertions are not supported 
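
A pre-flight check that compares a test SAML response with the settings on this page: ACS URL, Entity ID, persistent NameID, the three attribute claims, signing and no encryption. This is an added example, not ISMS.online or Google code; the function name, the region labels and the `acme` sample response are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"a": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
REQUIRED = {CLAIMS + n for n in ("givenname", "surname", "emailaddress")}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
REGION = {"default": "", "apac": ".r2", "na": ".r3", "eu": ".r4"}  # labels are ours

def check_response(xml_text, organisation, region="default"):
    """Return findings; an empty list means the response matches the settings."""
    acs = f"https://{organisation}{REGION[region]}.isms.online/sso/saml2"
    root = ET.fromstring(xml_text)
    if root.find(".//a:EncryptedAssertion", NS) is not None:
        return ["encrypted assertions are not supported"]
    assertion = root.find("a:Assertion", NS)
    if assertion is None:
        return ["no assertion in response"]
    out = []
    if root.get("Destination") != acs:
        out.append(f"Destination is not the ACS URL {acs}")
    if assertion.findtext(".//a:Audience", "", NS).strip() != acs + "/sp":
        out.append(f"Audience is not the Entity ID {acs}/sp")
    # Presence only: this does not verify the signature cryptographically.
    if root.find("ds:Signature", NS) is None and assertion.find("ds:Signature", NS) is None:
        out.append("neither the response nor the assertion is signed")
    algs = root.findall(".//ds:SignatureMethod", NS) + root.findall(".//ds:DigestMethod", NS)
    if any(e.get("Algorithm", "").lower().endswith("sha1") for e in algs):
        out.append("SHA-1 signature or digest in use; SHA-256 is recommended")
    name_id = assertion.find("a:Subject/a:NameID", NS)
    if name_id is None or name_id.get("Format") != PERSISTENT:
        out.append("NameID format is not persistent")
    names = {a.get("Name") for a in assertion.iterfind(".//a:Attribute", NS)}
    out += [f"missing attribute {m}" for m in sorted(REQUIRED - names)]
    return out

# Constructed sample (not a real Google response); 'acme' is a made-up organisation.
SAMPLE = f"""<p:Response xmlns:p="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:a="{NS['a']}"
 xmlns:ds="{NS['ds']}" Destination="https://acme.r4.isms.online/sso/saml2"><a:Assertion>
 <ds:Signature><ds:SignedInfo>
  <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
  <ds:Reference><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
  </ds:Reference></ds:SignedInfo></ds:Signature>
 <a:Subject><a:NameID Format="{PERSISTENT}">constructed-id</a:NameID></a:Subject>
 <a:Conditions><a:AudienceRestriction><a:Audience>https://acme.r4.isms.online/sso/saml2/sp
 </a:Audience></a:AudienceRestriction></a:Conditions>
 <a:AttributeStatement><a:Attribute Name="{CLAIMS}givenname"/>
  <a:Attribute Name="{CLAIMS}surname"/><a:Attribute Name="{CLAIMS}emailaddress"/>
 </a:AttributeStatement></a:Assertion></p:Response>"""
```

Calling `check_response(SAMPLE, "acme", "eu")` returns an empty list; run it on a decoded response from your own test login to see which setting in the Google Admin Console still needs correcting.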


If you have any further questions following the completion of your setup, please don’t hesitate to contact the ISMS.online support team at [email protected]


Note: For further information regarding Google, see here