Setting Up Single Sign On (SSO) with Lead Liaison

Here are the steps to take to use SSO with Lead Liaison. Please consult with your Lead Liaison Representative before continuing with SSO integration as collaboration from Lead Liaison is required.

Step 1: Provide IdP Metadata to Lead Liaison

Provide your IdP metadata to Lead Liaison. You should provide a file similar to the one below.

<?xml version="1.0" encoding="UTF-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" entityID="https://byuidp.byu.edu/idp/shibboleth">
    <IDPSSODescriptor errorURL="http://it.byu.edu/helpdesk/index.shtml" protocolSupportEnumeration="urn:mace:shibboleth:1.0 urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
        <Extensions>
            <shibmd:Scope regexp="false">byu.edu</shibmd:Scope>
            <mdui:UIInfo xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui">
            <mdui:DisplayName xml:lang="en">Brigham Young University</mdui:DisplayName>
            <mdui:InformationURL xml:lang="en">http://it.byu.edu/index.shtml</mdui:InformationURL>
            <mdui:Logo height="64" width="85" xml:lang="en">https://byuidp.byu.edu/idp/images/byulogo.jpg</mdui:Logo>
            </mdui:UIInfo>
        </Extensions>
        <KeyDescriptor>
            <ds:KeyInfo>
                <ds:X509Data>
                    <ds:X509Certificate>
MIIDJDCCAgygAwIBAgIVAM7rDFYiAD7ejQynyojPagGeGUuGMA0GCSqGSIb3DQEB
BQUAMBkxFzAVBgNVBAMTDmZpdWlkcC5maXUuZWR1MB4XDTEyMDMxMzEzNTEzNVoX
DTMyMDMxMzE0NTEzNVowGTEXMBUGA1UEAxMOZml1aWRwLmZpdS5lZHUwggEiMA0G
CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCnubM4QbTQQYvUMNGlVB1uO4xwDlcy
9tyXYqE4sjAFu/Fqjv+C4IkDD1BZy+pI+glAWgftq9Vox/dvC1oMcfuhSxAWB7st
+aBlKusubh7UAQs+2lym/x0i4E30OMrG2MAcO9pZoGJT+xiOTgba+Vd977KzZdOv
o2wAvABy9dJmH+TboHR7w8AOgzQ/QDqOlTq75uMG5fuZhtRAULUKUsMG7niWQCXe
Yf3zGE4hStEXos17DnFWzP7S+BZtaPShkPupLR7A23ZiEg8UMRNtdAzXl5ljbrus
A6UgnbYslO3NTinTUlRzeB79P7iv3tGujsKEZBZM7jnbEaCnYOthhrwlAgMBAAGj
YzBhMEAGA1UdEQQ5MDeCDmZpdWlkcC5maXUuZWR1hiVodHRwczovL2ZpdWlkcC5m
aXUuZWR1L2lkcC9zaGliYm9sZXRoMB0GA1UdDgQWBBQ/EzTBahbswoM9gJhVbmdK
LzJsBjANBgkqhkiG9w0BAQUFAAOCAQEAE/oT8PSELMiKXo9QKG3YiHY5+2QxQBs2
hqUI3HpTrRCegfQMc8ymCp3nWU6MMa/R2JxPyekKHTCJyrBvYv8FT/sBPnRXXLHV
bfZk10puNnuILfkT8vsdd3fBJ1/dBWd2Aop5axWdPCse2zB8ChJ1ImrhCu8fhI1T
H4Rqr8AkOIuUXRvDvlOj6PUP6J1luFFcQZl5v+uREv5Pih8W5NhKY+ENPrFX2g59
iWZ7NojDxss/TtqsvGDbMHlt3PNg/FC6rHlcW9gH0qudXf1wLh8u+quX/7mGGvIv
FfPU6B1stKoyNoo42HbUm+KOc8S3L3yaxGZfWtL8kNhY0hSXrYI13w==
                    </ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </KeyDescriptor>
        
        <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" Location="https://byuidp.byu.edu:8443/idp/profile/SAML1/SOAP/ArtifactResolution" index="1"/>
        <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://byuidp.byu.edu:8443/idp/profile/SAML2/SOAP/ArtifactResolution" index="2"/>
                                   
        <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
        <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
        <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest" Location="https://byuidp.byu.edu/idp/profile/Shibboleth/SSO"/>
        
        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://byuidp.byu.edu/idp/profile/SAML2/POST/SSO"/>
        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://byuidp.byu.edu/idp/profile/SAML2/POST-SimpleSign/SSO"/>
        
        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://byuidp.byu.edu/idp/profile/SAML2/Redirect/SSO"/>
    </IDPSSODescriptor>
    <AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
        <Extensions>
            <shibmd:Scope regexp="false">byu.edu</shibmd:Scope>
        </Extensions>
        <KeyDescriptor>
            <ds:KeyInfo>
                <ds:X509Data>
                    <ds:X509Certificate>
MIIDJDCCAgygAwIBAgIVAM7rDFYiAD7ejQynyojPagGeGUuGMA0GCSqGSIb3DQEB
BQUAMBkxFzAVBgNVBAMTDmZpdWlkcC5maXUuZWR1MB4XDTEyMDMxMzEzNTEzNVoX
DTMyMDMxMzE0NTEzNVowGTEXMBUGA1UEAxMOZml1aWRwLmZpdS5lZHUwggEiMA0G
CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCnubM4QbTQQYvUMNGlVB1uO4xwDlcy
9tyXYqE4sjAFu/Fqjv+C4IkDD1BZy+pI+glAWgftq9Vox/dvC1oMcfuhSxAWB7st
+aBlKusubh7UAQs+2lym/x0i4E30OMrG2MAcO9pZoGJT+xiOTgba+Vd977KzZdOv
o2wAvABy9dJmH+TboHR7w8AOgzQ/QDqOlTq75uMG5fuZhtRAULUKUsMG7niWQCXe
Yf3zGE4hStEXos17DnFWzP7S+BZtaPShkPupLR7A23ZiEg8UMRNtdAzXl5ljbrus
A6UgnbYslO3NTinTUlRzeB79P7iv3tGujsKEZBZM7jnbEaCnYOthhrwlAgMBAAGj
YzBhMEAGA1UdEQQ5MDeCDmZpdWlkcC5maXUuZWR1hiVodHRwczovL2ZpdWlkcC5m
aXUuZWR1L2lkcC9zaGliYm9sZXRoMB0GA1UdDgQWBBQ/EzTBahbswoM9gJhVbmdK
LzJsBjANBgkqhkiG9w0BAQUFAAOCAQEAE/oT8PSELMiKXo9QKG3YiHY5+2QxQBs2
hqUI3HpTrRCegfQMc8ymCp3nWU6MMa/R2JxPyekKHTCJyrBvYv8FT/sBPnRXXLHV
bfZk10puNnuILfkT8vsdd3fBJ1/dBWd2Aop5axWdPCse2zB8ChJ1ImrhCu8fhI1T
H4Rqr8AkOIuUXRvDvlOj6PUP6J1luFFcQZl5v+uREv5Pih8W5NhKY+ENPrFX2g59
iWZ7NojDxss/TtqsvGDbMHlt3PNg/FC6rHlcW9gH0qudXf1wLh8u+quX/7mGGvIv
FfPU6B1stKoyNoo42HbUm+KOc8S3L3yaxGZfWtL8kNhY0hSXrYI13w==
                    </ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </KeyDescriptor>
        <AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" Location="https://byuidp.byu.edu:8443/idp/profile/SAML1/SOAP/AttributeQuery"/>
        
        <AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://byuidp.byu.edu:8443/idp/profile/SAML2/SOAP/AttributeQuery"/>
        
        <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
        <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
        
    </AttributeAuthorityDescriptor>
<Organization>
        <OrganizationName xml:lang="en">Brigham Young University</OrganizationName>
        <OrganizationDisplayName xml:lang="en">Brigham Young University</OrganizationDisplayName>
        <OrganizationURL xml:lang="en">http://www.byu.edu</OrganizationURL>
</Organization>
<ContactPerson contactType="technical">
    <GivenName>Shibboleth</GivenName>
    <SurName>Tech</SurName>
    <EmailAddress>idpadmins@byu.edu</EmailAddress>
</ContactPerson>
<ContactPerson contactType="support">
    <GivenName>Shibboleth</GivenName>
    <SurName>Support</SurName>
    <EmailAddress>idpadmins@byu.edu</EmailAddress>
</ContactPerson>
<ContactPerson contactType="administrative">
    <GivenName>Shibboleth</GivenName>
    <SurName>Admin</SurName>
    <EmailAddress>idpadmins@byu.edu</EmailAddress>
</ContactPerson>
    
</EntityDescriptor>

Step 2: Download Lead Liaison's IdP Metadata

A download URL will be provided to you once your IdP metadata has been provided to Lead Liaison and the service has been initially provisioned.

Example direct download: https://app.leadliaison.com/simplesaml/module.php/saml/sp/metadata.php/default-sp
Example access from web page: https://app.leadliaison.com/simplesaml/module.php/saml/sp/metadata.php/default-sp?output=xhtml

Step 3: Find IdP Initiated URL in your IdP Metadata, Provide to Lead Liaison for use in our Database

Find the Identity Provider Authentication (idp) initiated URL. In the below code, the URL we're using is highlighted.
This will be the URL to send the customer to after logging in through single sign on.

Step 4: Lead Liaison will add your IdP Metadata to Lead Liaison's Config File

Lead Liaison will copy the contents of your IdP metadata and paste it into the config script in SimpleSAMP php.

Step 5: Validate

Here's what the experience will look like:

https://byuidp.byu.edu/idp/profile/SAML2/POST/SSO?spentityid=https://staging.leadliaison.com/simplesaml/module.php/saml/sp/metadata.php/default-sp&RelayState=https://staging.leadliaison.com/saml-login.php

Step 5: Receive Array Values and Login

After a successful authentication the identity provider returns an array of values, which we use in our application to validate the user and sign them in.

Available Attributes to Send to Lead Liaison

There should be an array with the following attributes that Lead Liaison will use for each user. Each attribute is explained below:

first_name (optional): The Lead Liaison user's first name
last_name (optional): The Lead Liaison user's last name
email (required): The Lead Liaison user's email
login_name (optional): The Lead Liaison user's login name. If empty the system will use email as the login name
is_active (optional):

If empty then the user will be created and activated. An activation email will be sent to the user.
If not empty and has a value equals 0, then the user will be created but not actived and no activation email will be sent. A default error message will be shown.
If not empty and has a value not equal to 0, then the user will be created and activated. An activation email will be sent to the user.

sp_id (optional): The Lead Liaison Security Profile ID. If empty the system will use the default Security Profile ID per your company settings page, which is set to admin by default but can be changed. To assign a specific Security Profile use the ID of any of your Security Profiles. Get the ID from the edit Security Profile page (see screenshot below)
title (optional): The title of the user.

Notes:

When a successful authentication occurs and is forwarded to Lead Liaison our system will try to match the authentication to a Lead Liaison user (using the login name or email). If found, it will log the user into Lead Liaison.
If no user was found, then the system will check the setting to enable the customer to create new Lead Liaison users. The system checks the customer setting as well. If both settings are enabled, then the system will try to parse the attributes and create a Lead Liaison user; otherwise, an error message will occur.
Please integrate our metadata file to your backend system and provide us with the username/password that we can use to authenticate to your backend system. Make sure to provide the attributes above with the authentication process for our system to use.
We will test the implementation first on our staging environment before releasing to production so it is ready for your users.

Logging into Lead Liaison with Single Sign On

Go to the login page and click the link at the bottom to login with SSO.
Enter any email with your company's domain (yourdomain.com).
The user will be redirected to your company's servers for authentication. After being authenticated, the user will be redirected back to Lead Liaison.
If the authentication information matches a user in your Lead Liaison account, then the system will automatically log them in. However, if the authentication information does not match an existing Lead Liaison user, then this will automatically create a new Lead Liaison user with a Security Profile of "Marketing" (see screenshot below).
To change the Security Profile for new users navigate to Admin > Account > Settings > Single Sign-On and change the dropdown as shown below.
To enable creation of new users if they do not exist yet in Lead Liaison, navigate to Admin > Account > Settings > Single Sign-On and turn the switch off. The default setting is off.

Known Process Improvements

Cookie browser to automatically log authenticated user in each time.
Use subdomain for customers, such as byu.leadliaison.com, to know who the client is and automatically identify IdP based on client instead of reading domain value in email when customer is trying to login (like box.com example).

Testing on Staging

Tests can be run using Lead Liaison's staging environment: http://repository.leadliaison.com/leadliaison/Step2-Promote-from-Release-Server-to-Staging-Server.php