MyOrderDesk Single Sign-On Using SAML
Single Sign-On can be accomplished through a SAML Identity Provider.
Please view our assertion list to see if the assertions you are sending are available on our server. If any are not, they usually can be added via a support request.
Attribute names need to use one of the oid, oasis, mace or xml soap identity formats.
A MyOrderDesk Email assertion mapping is required for SSO to work.
Example Surname, Given Name, Email IdP attribute statement for assertions:
<saml2:AttributeStatement> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"> |
Typically we cannot comment further on the structure of your IdP software, and you should follow the guidelines provided when building your assertions.
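A pre-flight check for the two requirements above (attribute names in an oid, oasis, mace or xmlsoap format, and an email attribute present), run against a test assertion from your own IdP. This is an added example, not MyOrderDesk code; the prefix list, the email attribute names and the sample statement are assumptions constructed for illustration, and the authoritative names are on the MyOrderDesk assertion list.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Assumed reading of "oid, oasis, mace or xml soap" as attribute-name prefixes.
ALLOWED_PREFIXES = ("urn:oid:", "urn:oasis:", "urn:mace:", "http://schemas.xmlsoap.org/")

# Common names for an email address in each family (assumed; confirm them
# against the MyOrderDesk assertion list before relying on this check).
EMAIL_NAMES = {
    "urn:oid:0.9.2342.19200300.100.1.3",
    "urn:mace:dir:attribute-def:mail",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
}

# Constructed sample: the second attribute uses a bare friendly name on purpose.
SAMPLE = """<saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Attribute Name="urn:oid:2.5.4.4" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml2:AttributeValue>Doe</saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute Name="givenName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml2:AttributeValue>Jane</saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml2:AttributeValue>jane.doe@example.edu</saml2:AttributeValue>
  </saml2:Attribute>
</saml2:AttributeStatement>"""

def check_attribute_statement(xml_text):
    """Return (problems, email) for an AttributeStatement or a whole assertion."""
    root = ET.fromstring(xml_text)
    problems, email = [], None
    for attr in root.iter("{urn:oasis:names:tc:SAML:2.0:assertion}Attribute"):
        name = attr.get("Name", "")
        values = [
            v.text.strip() for v in attr.findall("saml2:AttributeValue", SAML_NS)
            if v.text and v.text.strip()
        ]
        if not name.startswith(ALLOWED_PREFIXES):
            problems.append(f"{name!r}: name is not in an oid/oasis/mace/xmlsoap format")
        if not values:
            problems.append(f"{name!r}: no AttributeValue")
        if name in EMAIL_NAMES and values:
            email = values[0]
    if email is None:
        problems.append("no email attribute with a value; SSO requires one")
    return problems, email

if __name__ == "__main__":
    problems, email = check_attribute_statement(SAMPLE)
    print("email:", email, "| problems:", problems)
```

The check covers attribute naming and presence only; it does not validate the assertion's signature or conditions.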
Settings
To use SAML for Single Sign-On, your MyOrderDesk site needs to be configured by our developers. Please begin by sending an email to support@printreach.com with the following:
- Your EntityID (URI)
- A Public XML metadata URL (recommended), or static metadata XML file if public URL not available
- A signature (.pem) file (optional)
- Assertion attributes your server exposes. Note: An email address attribute is required
Information for the IdP configuration.
- MyOrderDesk Metadata: Downloadable MyOrderDesk Metadata.
- This should contain most if not all needed data to configure your IdP Software.
- EntityID: https://www.myorderdesk.com/shibboleth
- ACS URL: https://www.myorderdesk.com/Shibboleth.sso/SAML2/POST
- Available Assertions: List of all supported Assertions.
- Enable SAML (SSO) Authentication: Enables and disables the SAML sign-in.
- Sign In
  - Button Text: Text the SAML sign-in button will display on the sign-in page.
  - Priority: Configurable redirect to the SSO page, configured in seconds.
  - Updates: Option for SSO to cause an update to the user’s profile on sign-in.
- Sign Up
  - Accounts: Auto Create Account for Authenticated Users. If this is not on and there is not an account in MOD, the login will fail.
  - Group (Affiliation): Allows for group assignment from the assertions eduPersonAffiliation/eduPersonScopedAffiliation.
  - Group (Other): This allows the assignment of users to a specific group. Affiliations will be used first.
- Sign Out
  - URL: Customizable sign-out URL.
Attribute Mapping
Maps SAML Assertion/Attributes to MyOrderDesk Profile Data.
Email address is required.
Group Mapping
Group Mapping works together with the “eduPerson/eduPersonScoped Affiliation” assertion. The affiliation value is compared to the mapping, and the user is assigned to a MyOrderDesk group based on that value.