SAML Single Sign-On

info

The English user guide is currently in beta preview. Most of the documents have been automatically translated from the Japanese version. Should you find any inaccuracies, please reach out to Flatt Security.

Shisho Cloud provides a single sign-on feature using SAML.

Register your IdP from the settings screen to let members sign in to the service with your organization's user accounts.

Using Okta

Create a SAML 2.0 application from the administration screen.

note

Some items are required when creating an application. Enter temporary values for these items and change them later.

Check the Metadata URL from the Sign On tab of the created application.

Configure single sign-on settings from the Shisho Cloud settings screen. Enter the confirmed Metadata URL and the email domain used for login.

After clicking the Add button and successfully completing the process, the single sign-on setting in Pending status will be displayed in the list.

Next, change the settings for the application you created in Okta.

Set Single sign-on URL to the callback URL, and set Audience URI to the following value:

https://id.cloud.shisho.dev/realms/cloud

Next, set Attribute Statements. Refer to the image below.

warning

Shisho Cloud uses the following values, so make sure they are mapped appropriately.

  • email
  • lastName
  • firstName

Once this is complete, share the following information with Shisho Cloud:

  • Email domain used for login
  • Users who use both ID/password and single sign-on to log in

warning

Specify users who can log in with their ID/password even if single sign-on cannot be used, such as when the IdP is unavailable.

ID/password login for other users will be disabled.

Once the setting is enabled, you will be redirected to the IdP authentication screen when you log in with the specified email domain.

Using Google Workspace

Add a custom SAML application from the administration screen.

Download the IdP metadata and host it temporarily at a location reachable from the internet.

Configure single sign-on settings from the Shisho Cloud settings screen. Enter the hosted URL and the email domain used for login.

After clicking the Add button and successfully completing the process, the single sign-on setting in Pending status will be displayed in the list.

Return to Google Workspace and set ACS URL to the callback URL.

Set the following value for Entity ID:

https://id.cloud.shisho.dev/realms/cloud

Refer to the image to set the attributes, and then click the Complete button.

warning

Shisho Cloud uses the following values, so make sure they are mapped appropriately.

  • email
  • lastName
  • firstName

Once this is complete, share the following information with Shisho Cloud:

  • Email domain used for login
  • Users who use both ID/password and single sign-on to log in

warning

Specify users who can log in with their ID/password even if single sign-on cannot be used, such as when the IdP is unavailable.

ID/password login for other users will be disabled.

Once the setting is enabled, you will be redirected to the IdP authentication screen when you log in with the specified email domain.
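Before enabling the setting, it is worth confirming that what your IdP actually sends matches the Entity ID and the three attribute names required above. The following Python check is an added example, not Shisho Cloud's own tooling: it parses a SAML Response captured from your IdP (the embedded sample is constructed) and reports a wrong Audience or a misnamed attribute, for the Okta and Google Workspace setups alike. It does not verify the signature; the service does that on its side.

```python
# Added example (not Shisho Cloud's, Okta's or Google's code): pre-flight check of a
# SAML Response from your IdP against the values this guide specifies. Run it on a
# capture from a trusted test session; for untrusted XML prefer defusedxml.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EXPECTED_AUDIENCE = "https://id.cloud.shisho.dev/realms/cloud"   # Entity ID from the guide
REQUIRED_ATTRIBUTES = ("email", "lastName", "firstName")          # attribute names from the guide

def check_saml_response(xml_text: str) -> dict:
    """Report whether the Audience matches the Entity ID and which required
    attribute names are missing from the AttributeStatement."""
    root = ET.fromstring(xml_text)
    audiences = [a.text.strip() for a in root.iterfind(".//saml:Audience", NS) if a.text]
    sent = {
        attr.get("Name"): [v.text for v in attr.iterfind("saml:AttributeValue", NS)]
        for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS)
    }
    missing = [name for name in REQUIRED_ATTRIBUTES if name not in sent]
    return {
        "audience_ok": EXPECTED_AUDIENCE in audiences,
        "audiences": audiences,
        "missing_attributes": missing,
        "sent_attributes": sorted(sent),
    }

# Constructed sample: the IdP mapped "Email" and "surname" instead of the expected
# names, so the check flags "email" and "lastName" as missing. Names are case-sensitive.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://id.cloud.shisho.dev/realms/cloud</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="Email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="firstName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="surname"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print(check_saml_response(SAMPLE))
```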

Using other IdPs

Other IdPs can generally be integrated with Shisho Cloud by performing the following steps.

  • Registering the Metadata URL and Callback URL
  • Setting the Entity ID
  • Mapping SAML attributes

warning

We have not officially confirmed integration with other IdPs at this time.