Getting Started

Custom SSO Implementation Guide

Supported SSO Integrations

SHI One leverages Auth0, a secure and industry-leading identity platform, for user management and single sign-on integration. As such, we support a variety of SSO integration options, including:

- SAML
- OpenID Connect
- Google G Suite
- Microsoft Azure AD
- ADFS
- Active Directory / LDAP
- PingFederate
- SHI account identity

By default, SHI One is available out of the box with a standard Microsoft Azure AD integration, Google G Suite integration, integration with your SHI.com-based identity, and a non-SSO-based username and password option.

Starting the Process

To request a custom SSO integration, you must submit a service request in SHI One. All SHI One admins within your company are automatically able to submit service requests related to the SHI One platform.

To submit the request:

1. Sign into SHI One: https://one.shi.com
2. Navigate to Support Center > New Request > Service Request.
3. Select Custom SSO Integration Request as the sub-issue type.
4. All the following information must be included in your SSO integration request ticket:
   - A valid email address must be included in the claim.
   - Your confirmation that the SHI One application acts only as the service provider, not the identity provider.
   - Your confirmation that, as the identity provider, you are responsible for validation of all email addresses.
5. Click Submit.

SAML

SHI requires the following pieces of information to configure a custom SAML integration:

- List of approved IdP domains (ex: contoso.com)
- SAML sign-in URL
- X509 signing certificate

PingFederate

SHI requires the following pieces of information to configure a PingFederate integration:

- SSO (sign-in) URL: the endpoint where our application will send SAML authentication requests. Example: https://pingfederate.example.com
- X.509 signing certificate: your PingFederate identity provider's (IdP) public certificate used to sign SAML assertions. This may require the X.509 Integration Kit depending on your version of your IdP server: https://support.pingidentity.com/s/marketplace-integration/a7i1w0000004icwqam/x509-integration-kit. Please provide it in PEM or CER format.
- SAML metadata (optional but recommended): if available, please share your IdP's metadata XML file to streamline the configuration process.
- Assertion details: a sample SAML assertion to verify the included attributes, especially the NameID.

Verifying NameID Format

For our primary means of integration, it's crucial that the NameID in the SAML assertion contains the user's email address. Here's how you can verify this:

- Access the PingFederate administrative console to check for your name identifier: https://support.pingidentity.com/s/article/pingone-how-to-configure-name-identifier
- Review attribute mapping: ensure that the NameID is mapped to the user's email attribute.
- Provide a sample SAML assertion: this will allow us to confirm the NameID format and other attributes.

If the NameID does not contain the user's email, please specify which attribute in the SAML assertion carries the email address so we can configure a custom SAML connection. If that's the case, there may be some additional follow-up configuration after these initial steps.
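
A local pre-submission check of the sample assertion, as an added example (not SHI's or Ping Identity's code): it reports whether the NameID is an email address in an approved IdP domain and, if not, which attributes carry an email. The function name `check_nameid` and the sample assertion are constructed for illustration; the script only inspects a sample and does not verify the assertion's signature.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample assertion (signature and conditions omitted for brevity).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://pingfederate.example.com</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail"><saml:AttributeValue>jdoe@contoso.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="department"><saml:AttributeValue>IT</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_nameid(assertion_xml, approved_domains):
    """Report whether NameID is an email in an approved domain, and which
    attributes carry an email if it is not."""
    root = ET.fromstring(assertion_xml)
    # The assertion may be the root or wrapped in a samlp:Response.
    assertion = root if root.tag.endswith("}Assertion") else root.find(".//saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no SAML 2.0 Assertion element found")
    nameid = assertion.find("saml:Subject/saml:NameID", NS)
    value = (nameid.text or "").strip() if nameid is not None else ""
    is_email = bool(EMAIL_RE.match(value))
    domain = value.rsplit("@", 1)[-1].lower() if is_email else None
    email_attrs = [
        attr.get("Name")
        for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)
        if any(EMAIL_RE.match((v.text or "").strip())
               for v in attr.findall("saml:AttributeValue", NS))
    ]
    return {
        "nameid": value,
        "nameid_format": nameid.get("Format") if nameid is not None else None,
        "nameid_is_email": is_email,
        "domain_approved": domain in {d.lower() for d in approved_domains} if domain else False,
        "email_attributes": email_attrs,
    }


if __name__ == "__main__":
    print(check_nameid(SAMPLE_ASSERTION, ["contoso.com"]))
```

For the constructed sample, the NameID is `jdoe` rather than an email, so the attribute to name in the request ticket is `mail`.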