SAML Single Sign On (SSO) Configuration
About SAML
Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between parties. It is an XML-based markup language that enables single sign-on (SSO) for web applications.
RedFlag supports Service Provider (SP)-initiated SAML only. We do not support Identity Provider (IdP)-initiated SAML.
In SP-initiated SAML:
- The Service Provider (RedFlag) starts the authentication process by sending a SAML request to the Identity Provider (IdP).
- This initiates the login process directly within the application the user is trying to access, rather than starting from the IdP’s login page.
- When a user attempts to access a protected resource in RedFlag, they are automatically redirected to the IdP for authentication.
- After successful authentication, the user is redirected back to RedFlag with their verified identity.
Enabling SAML SSO
Setting up SAML SSO for your RedFlag account requires backend configuration changes.
To enable SAML SSO:
- We will activate SAML SSO for your account on the RedFlag backend.
- Important: Once SAML SSO is enabled, existing users who were added directly to RedFlag will no longer be able to log in with their current credentials.
- After activation, user access and management will be handled through your chosen SAML identity provider. This means any user updates (such as adding or removing users) will need to be managed via your SAML provider, not within RedFlag.
SAML Configuration
To configure SAML with RedFlag, we require the following from the client:
- SAML Metadata File
- If a metadata file is unavailable, please provide:
  - Entity ID
  - Single Sign-On (SSO) URL
  - Single Sign-Out (SLO) URL
  - Certificate
After receiving this information, RedFlag will:
- Set up the SAML configuration on our side.
- Provide you with:
- Our SAML Metadata (in a ZIP file)
- Your Tenant Name
- A unique Sign-On URL (e.g., https://us.redflaghub.com/?saml=tenantname)
Assertion Requirements
When sending the SAML assertion to RedFlag, the following attributes are required:
- username – The user’s unique identifier (can be a username, user ID, or email address).
- firstname – User’s first name.
- lastname – User’s last name.
- role – User’s assigned role (see the Roles section below).
- email – User’s email address.
- tenantid – Must contain the value "[tenantname]" (provided during configuration).
Roles
The following roles can be assigned to users via the role attribute:
- Super Administrator (highest-level access)
  - If using Microsoft Entra ID, use Super_Administrator as the value.
- IT Administrator
- Administrator
- Editor
If you have users who are Editors, or users who need access to 2-way chat or to restricted folders, a super admin must assign access to those features after the user's first login to RedFlag, by clicking on the user's profile row in RedFlag to edit it.
App Registration
When using the SAML route for Single Sign-On (SSO), your organization creates its own app registration in the identity provider of your choice. As part of that setup, you will specify the roles that must be assigned to your users in order for them to log in with SSO. These role assignments are passed to RedFlag during login, enabling us to provision users just-in-time based on their assignments.
Your IT team is responsible for defining and managing the role assignments within your identity provider. RedFlag relies on these assignments to correctly authorize and provision user access.
If you choose the Entra OpenID Connect (OIDC) option instead, you do not need to create your own app registration. RedFlag already provides an app with the required permissions pre-configured.
We do not provide a RedFlag-specific permissions list for SAML because the configuration is entirely controlled by your SAML provider. The steps and permissions depend on your organization’s security policies and the roles you decide to pass through to RedFlag.
Multi-Tenant Access
If users require access to multiple locations within RedFlag, you can include multiple tenantid values in the SAML assertion.
- To specify multiple tenants, list the tenantid values in the tenantid attribute, separated by commas.
- For example: tenantid = "pocketstop1,pocketstop2"
To log in, the user can use the SAML login URL for any of the specified tenants:
https://us.redflaghub.com/?saml=pocketstop1
https://us.redflaghub.com/?saml=pocketstop2
Once logged in, the user can switch between locations within the RedFlag platform.
If the set of tenants a user has access to changes, RedFlag will automatically deprovision and reprovision access based on the updated tenantid values in the next SAML assertion upon login.
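The following is an added example, not RedFlag's own code, that shows what the Assertion Requirements and Multi-Tenant Access sections above amount to in practice: it reads the AttributeStatement of a SAML assertion, checks that every required attribute (username, firstname, lastname, role, email, tenantid) is present, checks the role against the values listed under Roles, splits a comma-separated tenantid into individual tenants, and confirms that the tenant named in the sign-on URL (?saml=tenantname) is among them. The sample assertion, its issuer URL, the tenant names, and the acceptance of one tenant per AttributeValue element (in addition to the comma-separated form the page documents) are constructed assumptions for this example.

```python
"""Check a SAML assertion's AttributeStatement against RedFlag's documented requirements."""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Attribute names the page lists as required in the assertion sent to RedFlag.
REQUIRED_ATTRIBUTES = ("username", "firstname", "lastname", "role", "email", "tenantid")

# Role values the page lists; "Super_Administrator" is the Microsoft Entra ID form.
KNOWN_ROLES = {
    "Super Administrator", "Super_Administrator",
    "IT Administrator", "Administrator", "Editor",
}

# Constructed sample assertion (not a real RedFlag or IdP message). Signature and
# Conditions elements are omitted because this script only inspects attributes.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_constructed-example" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="username"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="firstname"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastname"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="role"><saml:AttributeValue>Editor</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="email"><saml:AttributeValue>jdoe@example.test</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="tenantid"><saml:AttributeValue>pocketstop1, pocketstop2</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_attributes(assertion_xml):
    """Return {attribute name: [values]} for every saml:Attribute in the assertion."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        name = attr.get("Name")
        if name is None:
            continue
        for value in attr.findall(f"{{{SAML_NS}}}AttributeValue"):
            text = (value.text or "").strip()
            if text:
                attrs.setdefault(name, []).append(text)
    return attrs


def parse_tenant_ids(values):
    """Split comma-separated tenantid values (the page's multi-tenant form) into a
    de-duplicated, order-preserving list. One tenant per AttributeValue is also
    accepted (assumption for this example)."""
    tenants = []
    for raw in values:
        for tenant in raw.split(","):
            tenant = tenant.strip()
            if tenant and tenant not in tenants:
                tenants.append(tenant)
    return tenants


def validate_assertion(assertion_xml, login_tenant):
    """Report missing or unrecognised attributes and whether the tenant from the
    sign-on URL (?saml=<login_tenant>) is among the asserted tenantid values."""
    attrs = extract_attributes(assertion_xml)
    problems = []
    for name in REQUIRED_ATTRIBUTES:
        if name not in attrs:
            problems.append(f"missing required attribute: {name}")
    roles = attrs.get("role", [])
    if roles and roles[0] not in KNOWN_ROLES:
        problems.append(f"unrecognised role value: {roles[0]!r}")
    tenants = parse_tenant_ids(attrs.get("tenantid", []))
    if tenants and login_tenant not in tenants:
        problems.append(f"tenantid does not include login tenant {login_tenant!r}")
    return {"ok": not problems, "problems": problems, "tenants": tenants, "attributes": attrs}


if __name__ == "__main__":
    result = validate_assertion(SAMPLE_ASSERTION, "pocketstop1")
    print("ok:", result["ok"], "tenants:", result["tenants"])
    for problem in result["problems"]:
        print("problem:", problem)
```

This check is an attribute-level sanity test for an IdP administrator validating what their provider emits; it deliberately does nothing about the assertion's XML signature, audience or validity window, which the Service Provider's SAML library must verify before any attribute is trusted.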
You cannot connect multiple SAML identity providers (IdPs) to a single RedFlag location. Each location is configured with one SAML IdP for authentication. However, you can allow users to access multiple locations by including multiple tenant IDs in the SAML assertion from your IdP. This means:
- One SAML IdP per location.
- Users can access multiple locations if your SAML assertion includes multiple tenant IDs.
- You cannot mix or chain multiple IdPs for a single location.