Step 1: Provide Enable with your Identity Provider EntityID and single sign-on URL
The Enable Trading Programs platform can integrate with other SAML Identity Providers. In order to configure single sign-on with another provider, Enable's system administrators will need to capture some details about your Identity Provider. Please provide your Customer Success team with the 'Identity provider EntityID', the 'Identity provider single sign-on URL', and the URL to which users should be redirected when logging out of Enable Trading Programs. This will allow Enable to configure SSO appropriately for you.
Step 2: Provide the Identity Provider public certificate
Through your Identity Provider administration area you should be able to download the public certificate. Please provide this certificate to your Customer Success team, and we will upload this to your Enable Trading Programs configuration area.
Please note — you may need to zip this file to avoid emails being marked by spam filters.
Step 3: Relying party trust configuration
Once the configuration has been set up within Trading Programs, a member of the Customer Success team will provide the details required to set up the 'Relying party trust' within your Identity Provider administration area. These details will consist of useful URLs and a public certificate. For example:
- Trading Programs client service metadata · https://admin.deal-track.com/Client/ClientName/Sso/Saml2
- EntityID · https://admin.deal-track.com/
- URL for user initiated Single Sign-On · https://admin.deal-track.com/Client/ClientName/Sso/Saml2/SignIn
- URL the identity provider should send sign-on responses to · https://admin.deal-track.com/Client/ClientName/Sso/Saml2/Acs
- URL the identity provider should send logout requests to · https://admin.deal-track.com/Client/ClientName/Sso/Saml2/Logout
- Public certificate · Attached as 'DealTrack-SAML2-Public-Certificate LIVE.cer'
These details should be enough to configure Enable Trading Programs as an application or relying party in your SSO Identity Provider. Exact steps to complete the configuration may vary, and your Customer Success team will be happy to work with you to complete the configuration.
Your Identity Provider may require URLs to be provided for the 'Sign-on URL', 'Recipient URL' and/or 'Destination URL' for directing users to the Enable Trading Programs application. In those cases, the Acs endpoint (e.g. https://admin.deal-track.com/Client/ClientName/Sso/Saml2/Acs) should be used. Some Identity Providers may allow you to enter the URL once and opt to use the entered value for all three fields.
The Logout URL can be used to ensure that users are signed out of Enable Trading Programs when they sign out of your Identity Provider. Your Identity Provider may allow you to disable this behavior, but the Logout URL is available in Enable Trading Programs if you wish to use it.
Your Identity Provider may require you to configure an audience restriction. This should be set to your Trading Programs instance base URL, e.g. https://admin.deal-track.com/.
Outgoing claims configuration
When your Identity Provider sends authentication information to the Enable Trading Programs application, it includes details about who the user is. These details are represented as 'claims'. Trading Programs always maps the Identity Provider 'Name ID' claim type to the user's email address in Enable Apps.
In your Identity Provider configuration, make sure that the 'Name ID' claim type is populated with the user's email address for the Enable Trading Programs application configuration. It is important that this value is an email address that matches the user's email address in Enable Trading Programs, so that single sign-on can identify the user from the identity claim.
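As an added example (not Enable's own code) covering both the relying-party URLs from Step 3 and the Name ID mapping described above, the following Python checks that a SAML Response names the Acs URL as its Destination, carries the instance base URL as its audience restriction, is inside its validity window, and has an email address in Name ID. The URLs are the page's example values and the sample Response is constructed for the example.

```python
# Added illustrative checks (not Enable's own code) that a SAML 2.0 Response
# satisfies the relying-party settings on this page: Destination = Acs URL,
# Audience = base URL, validity window, and Name ID carrying an email address.
# The URLs are the page's example values; the Response is constructed here.
# XML signature verification against the IdP certificate is left to a proper
# SAML library; these checks complement that step and never replace it.
import re
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ACS_URL = "https://admin.deal-track.com/Client/ClientName/Sso/Saml2/Acs"
AUDIENCE = "https://admin.deal-track.com/"  # audience restriction = base URL
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def _ts(value):  # SAML UTC timestamps look like 2024-01-01T12:00:00Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_response(xml_text, now_iso):
    """Return (ok, problems); ok is True only when every expectation holds."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.get("Destination") != ACS_URL:  # must be exactly the Acs endpoint
        problems.append("Destination is not the Acs URL")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return False, ["Response carries no Assertion"]
    cond = assertion.find("saml:Conditions", NS)
    aud = cond.find("saml:AudienceRestriction/saml:Audience", NS) if cond is not None else None
    if aud is None or aud.text != AUDIENCE:
        problems.append("Audience does not match the instance base URL")
    now = _ts(now_iso)  # reject assertions presented outside their window
    nb, na = (cond.get("NotBefore"), cond.get("NotOnOrAfter")) if cond is not None else (None, None)
    if not (nb and na and _ts(nb) <= now < _ts(na)):
        problems.append("Assertion is outside its NotBefore/NotOnOrAfter window")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)  # mapped to the user's email
    if name_id is None or not EMAIL_RE.match(name_id.text or ""):
        problems.append("NameID is missing or is not an email address")
    return not problems, problems

SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z"
 Destination="https://admin.deal-track.com/Client/ClientName/Sso/Saml2/Acs">
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
   <saml:AudienceRestriction><saml:Audience>https://admin.deal-track.com/</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions></saml:Assertion></samlp:Response>"""
```

Calling `check_response(SAMPLE_RESPONSE, "2024-01-01T12:00:00Z")` returns `(True, [])`; presenting the same Response after its window, or with a non-email Name ID, returns `False` with the matching problem listed.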