ShipHero offers Security Assertion Markup Language (SAML) 2.0 integration, so your users can authenticate once with a single Identity Provider (IdP) and use those credentials across connected systems. The SAML protocol makes secure Single Sign-On (SSO) possible when working across different ShipHero programs.
The steps below will help you get SAML up and running with ShipHero.
IMPORTANT: We do not support an IdP-initiated flow. An IdP-initiated flow could compromise our security because it is highly susceptible to a "Man-in-the-Middle attack" and to interception of the SAML assertion.
Step 1: Provide IdP Information
To begin configuring your SAML integration, ShipHero needs specific information about your IdP.
We require the following information for all SAML configurations. The majority of our customers only need to provide these three items.
- Sign in URL: This is the URL displayed upon first logging in to the ShipHero system through your IdP. The following images show one example of the steps leading up to the sign in URL page, but this may be different depending upon your specific identity provider:
- X.509 certificate file: This is a cryptographic public key certificate provided by your IdP. Contact your IdP if you cannot find an X.509 certificate file in your account security settings.
- User ID attribute: This is how you will send us the user email address in the SAML response. In the example below, the user ID attribute is "mail":

```xml
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_8e8dc5f69a98cc4c1ff3427e5ce34606fd672f91e6"
                Version="2.0"
                IssueInstant="2014-07-17T01:01:48Z"
                Destination="http://sp.example.com/demo1/index.php?acs"
                InResponseTo="ONELOGIN_4fee3b046395c4e751011e97f8900b5273d56685">
  ...
  <saml:Assertion xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                  xmlns:xs="http://www.w3.org/2001/XMLSchema"
                  ID="_d71a3a8e9fcc45c9e9d248ef7049393fc8f04e5f75"
                  Version="2.0"
                  IssueInstant="2014-07-17T01:01:48Z">
    <saml:AttributeStatement>
      <saml:Attribute Name="mail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xsi:type="xs:string">firstname.lastname@example.org</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
```
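As an added example (not ShipHero's code), the following Python shows how a Service Provider can read the configured user ID attribute out of a response like the one above while enforcing the SP-initiated flow required by the note at the top: a response with no InResponseTo, or one that does not match a request the SP itself issued, is rejected, as is a response addressed to a different ACS URL. The sample response is constructed from the snippet above with signature elements omitted; the function and parameter names are assumptions, and verification of the XML signature against the IdP's X.509 certificate is assumed to happen before this step.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample modelled on the response shown above (signatures omitted).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_8e8dc5f69a98cc4c1ff3427e5ce34606fd672f91e6" Version="2.0"
    IssueInstant="2014-07-17T01:01:48Z"
    Destination="http://sp.example.com/demo1/index.php?acs"
    InResponseTo="ONELOGIN_4fee3b046395c4e751011e97f8900b5273d56685">
  <saml:Assertion xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xmlns:xs="http://www.w3.org/2001/XMLSchema"
      ID="_d71a3a8e9fcc45c9e9d248ef7049393fc8f04e5f75" Version="2.0"
      IssueInstant="2014-07-17T01:01:48Z">
    <saml:AttributeStatement>
      <saml:Attribute Name="mail"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xsi:type="xs:string">firstname.lastname@example.org</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

def extract_user_id(response_xml, user_id_attribute, pending_request_id, acs_url):
    """Return the user ID from an SP-initiated SAML response, else raise ValueError.
    Assumes the XML signature was already verified with the IdP's X.509 cert."""
    root = ET.fromstring(response_xml)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")
    # An unsolicited (IdP-initiated) response carries no InResponseTo; reject
    # it, and reject any request ID this SP did not issue itself.
    in_response_to = root.get("InResponseTo")
    if not in_response_to or in_response_to != pending_request_id:
        raise ValueError("response is not tied to a pending SP request")
    if root.get("Destination") != acs_url:
        raise ValueError("Destination does not match this SP's ACS URL")
    path = ".//saml:Assertion/saml:AttributeStatement/saml:Attribute"
    for attr in root.findall(path, NS):
        if attr.get("Name") == user_id_attribute:
            values = [v.text for v in attr.findall("saml:AttributeValue", NS)]
            if len(values) != 1 or not values[0]:
                raise ValueError("user ID attribute must carry exactly one value")
            return values[0]
    raise ValueError("user ID attribute %r not found" % user_id_attribute)
```

With the attribute name set to "mail", the sample yields firstname.lastname@example.org; changing the name to a value the IdP does not send, or dropping InResponseTo, makes the call raise instead of silently logging the user in.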
Required only if signing out is enabled
Some of our customers need the ability to sign out of a connected account. If you intend to enable signing out, you must also provide the following information:
- Sign out URL: This is the URL displayed immediately upon logging out of your IdP account. Similar to the sign in URL, this will depend upon your specific identity provider.
Required only if sign requests are enabled
While unnecessary for the majority of our customers, we can enable sign requests (signing of the authentication requests ShipHero sends to your IdP) for enhanced security. If you intend to implement sign requests, you must also specify the following:
- Sign request algorithm: RSA-SHA256 or RSA-SHA1
- Sign request algorithm digest: SHA256 or SHA1
- Protocol binding: HTTP-Redirect or HTTP-POST
Step 2: Add the ShipHero SP to IdP Allow List
Once you have provided us with the necessary IdP information, we will send you Service Provider (SP) information so that you may add the ShipHero SP to your IdP allow list.
You will receive an Assertion Consumer Service (ACS) URL, which will resemble the following:
We will also send you an Entity ID, which will look like this:
Your IdP will require the ACS and the Entity ID to verify the ShipHero SP's connection to your account. Contact your IdP for information if you do not know how to add a new SP to your allow list.
Step 3: Provide Test Account
To verify your SAML integration and ensure its proper configuration, we ask that you provide us with login credentials for a test user account. This should be an account created specifically for testing purposes, not an active account for a working user.
Once we have verified the configuration, your ShipHero account will have working SAML 2.0 integration, providing you with the convenience of secure SSO!
Important: We recommend using a secure method to share the credentials, for example an encrypted and signed email or a password manager application. If in doubt, please consult your Information Security department.