Infos zum Start & Grundlagen
EinleitungOrganisation, Kanäle und MixesPosts, Karten & Content TypenRollen für NutzendeCommunity FunktionenMobile Apps & Web AppFunktions-& LeistungsbeschreibungTech StackSupportDatenschutz
Grundlage Datenschutzkonzept(e)NutzungsauswertungVerwaltung Zugangsdaten der NutzendenPersonenbezogene Daten und DatenkategorienInhalte in App und WebAuftragsdatenverarbeiterTOMsInformationssicherheit
Informationssicherheit bei tchopSicherheitsrichtlinie ISO27001 ZertifikatSicherer ZugangSchwachstellenanalyseRisikoanalyseKommunikationsmatrixApp Customization & Deployment
Bereitstellung AppsMobile App Deployment & Vertrieb
App CustomizationApp UpdatesSSO via SAMLSSO via Open ID ConnectAnalytics & Reporting
Grundlagen KPIsAnalytics DashboardProjektsteuerung
Arbeitspakete & TimelineEnablementLaunch & OnboardingBetriebsratBeispiele & VorlagenSonstiges
Feature RoadmapLanguages
EnglishSAML based SSO to tchop
This how-to guide explains how to connect SAML to tchop use management and backend.
- SAML based SSO to tchop
- Glossary
- Required fields from a client
- Metadata endpoint of Identity Provider (Client)
- Example of ADFS response
- Example of Auth0 response
- Metadata endpoint of Service Provider (tchop)
- Example of response
- Redirect URL need to be added in Identity Provider side (tchop)
- Mapping SAML response fields to tchop fields (Sample)
- tchop route documentation:
- Troubleshooting:
- tchop returns error code SAML top level signature is invalid for ADFS Identity Provider:
- tchop returns error code SAML top level signature is invalid for Azure AD Identity Provider:
Glossary
- SAML - Security Assertion Markup Language
- Identity Provider (IDP) - the client, side who provides access to list of users
- Service Provider (SP) - tchop, side who consumes/uses list of users
Required fields from a client
- Entity Id
(client)- Name of tchop connection in Identity Provider side, typically the value represents url to tchop organisation eghttps://welcome.tchop.io - Entry point
(client)- IPD entrypoint, eghttps://sts.nds.aok.de/adfs/ls/ - Certs
(client)- IDP's public signing certificates. The certs used to validate the signatures of the incoming SAML Responses from IDP to SP (client → tchop)
The client can independently find the necessary fields (entry point and certs) in or provide the Metadata url to us
Metadata endpoint of Identity Provider (Client)
The client endpoint generates a identity provider metadata document suitable for supplying to an service provider
‣
Example of ADFS response
‣
Example of Auth0 response
Metadata endpoint of Service Provider (tchop)
tchop endpoint generates a service provider metadata document suitable for supplying to an identity provider
Useful fields:
- X509Certificate
(tchop)- Public signing certificates - AssertionConsumerService
(tchop)- Callback url -
Client can extract “X509Certificate” and “AssertionConsumerService” directly from the metadata url forwarded by tchop but tchop can also provide the above 2 fields separately if needed.
Each tchop organisation has own metadata endpoint (if SAML is enabled): https://<TCHOP_DOMAIN>/api/webapp/sso/saml/metadata.xml?organisation=<ORGANISATION_SUBDOMAIN>
eg https://tchop.it/api/webapp/sso/saml/metadata.xml?organisation=aok_nds
‣
Example of response
Redirect URL need to be added in Identity Provider side (tchop)
Each tchop organisation has one callback url:
https://<TCHOP_DOMAIN>/api/webapp/sso/saml/callback?organisatio=<ORGANISATION_SUBDOMAIN>
eg: https://tchop.it/api/webapp/sso/saml/callback?organisation=aok_nds
Mapping SAML response fields to tchop fields (Sample)
Not required for setting up the connection between tchop and client SSO. This is just for information purpose.
email:
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddresshttp://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn
sub (external user id):
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
screen name:
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
tchop route documentation:
- https://tchop-staging.com/api/docs#/webapp/SamlController_samlCallback
- https://tchop-staging.com/api/docs#/webapp/SamlController_samlLogin
- https://tchop-staging.com/api/docs#/webapp/SamlController_getMetadata
Troubleshooting:
‣
tchop returns error code SAML top level signature is invalid for ADFS Identity Provider:
‣
tchop returns error code SAML top level signature is invalid for Azure AD Identity Provider:
← Previous
Add link here
Next →
Add link here
- SAML based SSO to tchop
- Glossary
- Required fields from a client
- Metadata endpoint of Identity Provider (Client)
- Example of ADFS response
- Example of Auth0 response
- Metadata endpoint of Service Provider (tchop)
- Example of response
- Redirect URL need to be added in Identity Provider side (tchop)
- Mapping SAML response fields to tchop fields (Sample)
- tchop route documentation:
- Troubleshooting:
- tchop returns error code SAML top level signature is invalid for ADFS Identity Provider:
- tchop returns error code SAML top level signature is invalid for Azure AD Identity Provider: