If desired, you can configure one or more Single Sign-On (SSO) targets for your Aviary site.
Currently, Aviary only supports SAML 2.0 protocols for SSO configuration. As we add supported protocols, we will update this page.
To configure a SAML 2.0 SSO connection, you will need to coordinate carefully with your SAML Identify Provider (IdP) to share Aviary's metadata URL, callback URL, and to configure the appropriate attributes that are released by your IdP to Aviary.
Create Authentication Configuration
In Aviary, navigate to your Organization side bar to find the Authentication Configuration page.
From there you will see a new page load and you can select the "Add Configuration" button. Because you can add more than one configuration to your site, you will be asked to create a name for this configuration and to provide the metadata URL (or upload the metadata XML) from your SAML IdP. The initial form will look like this:
Once you add the IdP Metadata URL or upload the IdP Metadata XML, Aviary will automatically fill in the IdP Metadata Settings. You can then select the "+" to the left of the IdP Metadata Settings to validate that they are accurate for your configuration. When you are satisfied, select "Create identify provider" button to create the configuration. You will be returned to the Authentication Configurations page and you will see your new configuration in the table. It is not enabled, yet.
Provide URLs to Your Identity Provider
You will now need to gather two values from Aviary to give to your IdP for this configuration:
Metadata URL. You'll find a link to the Metadata URL in the table:
You can click "Metadata" and it will load the metadata URL in your browser. You can copy that URL and send to your IdP.
2. Callback URL. You'll find a link to the Callback URL with a "copy" icon next to it in the table, as well. (See above). Copy the Callback URL and provide this to your IdP.
Once this has been completed, you can enable this configuration by selecting "Enable" in the table.
You can return to the table to edit your configuration settings at any time in the future as you negotiate with your IdP about which attributes are being released to Aviary and how Aviary maps those attributes (you can adjust the mappings in the IdP Metadata Settings of the configuration you just created).
Unique Identification, Attributes, and Metadata Settings
To successfully communicate with your IdP to map and store a user's information, Aviary needs to map the unique identifier that your IdP uses as well as the type of value to expect. You can do that in the Unique Identification section:
Aviary currently expects the following Attributes when negotiating with an IdP:
Aviary has a few default mappings that are already available for each attribute listed above. The default mappings are listed under each attribute label above. If the mapping you need is not present, then enter it into the text field and save the page. This will add your mapping to your configuration.
Testing and Login
Once you have configured and enabled your SSO endpoint, when any user comes to your site-specific login page they will see the option to Login using any of your enabled SSO endpoints. See image below for an example:
Users select "Login with XXX SSO" and this will begin them on the journey of authenticating with your IdP. If they are successful, the IdP will redirect the user to Aviary with the authentication confirmation and Aviary will register this authentication and allow the user access to the system.