SAML SSO Module

This module enables SAML 2.0 single sign-on authentication in Freescout for users. FreeScout works as a Service Provider (SP) and allows users from another system called Identity Provider (IdP) authenticate in FreeScout. This module can be used with any SAML 2.0 Identity Provider.

Notice: If you have any other non-official SAML module installed – remove it before installing the official one.

Requirements

IdP should be configured to return email address in NameID property. If IdP returns something else in NameID property the module will trying to find user email address in the following user attributes which may be sent by IdP: email, emailaddress, emailAddress, email_address or mail.

Signature Algorithm is RSA-SHA256.

Settings

Entity ID in some IdPs can be called “Issuer”.

This module does not perform Single Logout when a user logs out from FreeScout, as Identity Providers we’ve tested (Auth0, JumpCloud) do not properly support Single Logout and throw an error. Instead you can specify a regular logout URL of your IdP which logs users out (not a Single Logout URL). When a user logs out from FreeScout browser will be redirected to this URL.

IdP x509 Certificate field should not contain “—–BEGIN CERTIFICATE—–” or “—–END CERTIFICATE—–“, only what’s in between them.

IdP may require you to enter in it’s settings Service Provider’s ACS URL. Make sure that IdP accesses it via “HTTP POST” method (“HTTP Request” method is not supported).

Also IdP may require you to upload Service Provider’s Metadata. You can get your metadata via “SP Metadata” link. From there is can be copied and manually saved into “.xml” file for example.

When you enable Users Auto-Creation the following user fields can be mapped: first_name, last_name, job_title, phone.

If you’ve enabled “Force SAML Login” and want to show an ordinary login form, just add “saml=0” to the login page URL: /login?saml=0. If “Force SAML Login” option is disabled and you want to redirect users to SAML login, just add “saml=1” to the login page URL: /login?saml=1

Identity Providers (IdP) Configuration Examples

Auth0

Follow this instruction to enable SAML SSO in Auth0.

x509 certificate can be obtained in “Addon: SAML2 Web App » Application Callback URL” enter “ACS URL” from “Service Provider (SP)” section. Do not change anything in “Addon: SAML2 Web App » Settings”

If you want you can specify the following IdP Logout URL in the module’s settings: https://manage.auth0.com/logout

JumpCloud

SAMLSubject NameID: email
SAMLSubject NameID Format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
Signature Algorithm: RSA-SHA256

Attributes Mapping:
firstname>>first_name
lastname>>last_name
jobTitle>>job_title

If you want you can specify the following IdP Logout URL in the module’s settings: https://console.jumpcloud.com/userconsole/logout

Azure

Make sure to enter the following “Authentication context” in SAML settings in the FreeScout: urn:oasis:names:tc:SAML:2.0:ac:classes:X509

See also these threads related to Azure on GitHub: #2088, #1985, #2097

Lifetime license for one FreeScout instance
Purchase
  • Version: 1.0.4
  • Required App Version: 1.8.13
  • License Period: Lifetime
  • Open Source: AGPL-3.0