SAML Single Sign-On
The English user guide is currently in beta preview. Most of the documents have been automatically translated from the Japanese version. Should you find any inaccuracies, please reach out to Flatt Security.
Shisho Cloud provides a single sign-on feature using SAML.
Registering your IdP on the settings screen lets members sign in to the service with their organization's user accounts.
Using Okta
Create a SAML 2.0 application from the administration screen.
Some items are required when creating an application. Enter temporary values for these items and change them later.
Check the Metadata URL from the Sign On tab of the created application.
Configure single sign-on settings from the Shisho Cloud settings screen. Enter the confirmed Metadata URL and the email domain used for login.
After clicking the Add button and successfully completing the process, the single sign-on setting in Pending status will be displayed in the list.
Next, change the settings for the application you created in Okta.
Set the callback URL as the Single sign-on URL. Set the following value as the Audience URI:
https://id.cloud.shisho.dev/realms/cloud
Next, set the Attribute Statements. Refer to the image below.
Shisho Cloud uses the following values, so make sure they are mapped appropriately.
- lastName
- firstName
Once this is complete, share the following information with Shisho Cloud:
- Email domain used for login
- Users who log in with both ID/password and single sign-on
Specify the users who can still log in with their ID/password when single sign-on cannot be used, for example while the IdP is unavailable.
ID/password login will be disabled for all other users.
Once the setting is enabled, you will be redirected to the IdP authentication screen when you log in with the specified email domain.
Using Google Workspace
Add a custom SAML application from the administration screen.
Download the IdP metadata and host it temporarily at a location reachable from the internet.
Configure single sign-on settings from the Shisho Cloud settings screen. Enter the hosted URL and the email domain used for login.
After clicking the Add button and successfully completing the process, the single sign-on setting in Pending status will be displayed in the list.
Return to Google Workspace. Set the callback URL as the ACS URL. Set the following value as the Entity ID:
https://id.cloud.shisho.dev/realms/cloud
Refer to the image to set the attributes, and then click the Complete button.
Shisho Cloud uses the following values, so make sure they are mapped appropriately.
- lastName
- firstName
Once this is complete, share the following information with Shisho Cloud:
- Email domain used for login
- Users who log in with both ID/password and single sign-on
Specify the users who can still log in with their ID/password when single sign-on cannot be used, for example while the IdP is unavailable.
ID/password login will be disabled for all other users.
Once the setting is enabled, you will be redirected to the IdP authentication screen when you log in with the specified email domain.
Using other IdPs
In general, other IdPs can be integrated with Shisho Cloud by doing the following.
- Registering the Metadata URL and Callback URL
- Setting the Entity ID
- Mapping SAML attributes
We have not officially confirmed integration with other IdPs at this time.
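The three steps above (metadata, Entity ID, attribute mapping) are the same ones an administrator can verify before sharing a setup with Shisho Cloud. The following pre-flight checker is an added example written for this guide, not code from Shisho Cloud, Okta or Google; it parses IdP metadata and a sample assertion with the Python standard library and reports what is missing. The only values taken from the guide are the Entity ID / Audience https://id.cloud.shisho.dev/realms/cloud and the attribute names lastName and firstName; the IdP URL idp.example.com, the certificate placeholder and the user alice@example.com are constructed samples.

```python
"""Pre-flight checks for a SAML IdP integration.

Constructed example: the metadata and assertion below are made-up samples,
not real Okta or Google Workspace output. Values taken from the guide:
  - the SP Entity ID / Audience: https://id.cloud.shisho.dev/realms/cloud
  - the attribute names the SP expects: lastName, firstName
"""
import xml.etree.ElementTree as ET  # for metadata from an untrusted source, prefer defusedxml

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SP_ENTITY_ID = "https://id.cloud.shisho.dev/realms/cloud"
REQUIRED_ATTRIBUTES = ("lastName", "firstName")

# Constructed IdP metadata (idp.example.com and the certificate are placeholders).
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>PLACEHOLDER_BASE64_CERT</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed assertion as an IdP would issue it after the attribute mapping is set up
# (unsigned: this sample is only for checking content, not signatures).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_sample" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>https://id.cloud.shisho.dev/realms/cloud</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_idp_metadata(metadata_xml: str) -> list[str]:
    """Return the problems found in IdP metadata; an empty list means it looks usable."""
    problems = []
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        return [f"root element is {root.tag}, expected md:EntityDescriptor"]
    if not root.get("entityID"):
        problems.append("entityID attribute is missing")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return problems + ["no IDPSSODescriptor: this is not IdP metadata"]
    # The SP redirects users here, so it must exist and must be an https:// endpoint.
    sso = [s for s in idp.findall("md:SingleSignOnService", NS)
           if (s.get("Location") or "").startswith("https://")]
    if not sso:
        problems.append("no SingleSignOnService with an https:// Location")
    # A signing certificate is what lets the SP verify that assertions really come from the IdP.
    signing_certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):  # absent 'use' means signing and encryption
            continue
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            if cert.text and cert.text.strip():
                signing_certs.append(cert.text.strip())
    if not signing_certs:
        problems.append("no signing certificate: the SP cannot verify assertion signatures")
    return problems


def check_assertion(assertion_xml: str, email_domain: str) -> list[str]:
    """Check an assertion's audience, attribute names and subject domain.

    Content checks only; they do not replace the XML signature verification the SP
    performs on every response.
    """
    problems = []
    root = ET.fromstring(assertion_xml)
    audiences = [a.text.strip() for a in
                 root.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
                 if a.text]
    if SP_ENTITY_ID not in audiences:
        problems.append(f"Audience {audiences} does not include {SP_ENTITY_ID}")
    names = {a.get("Name") for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)}
    for required in REQUIRED_ATTRIBUTES:
        if required not in names:
            problems.append(f"attribute {required} is not mapped (found: {sorted(n for n in names if n)})")
    name_id = root.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    if not name_id.lower().endswith("@" + email_domain.lower()):
        problems.append(f"NameID {name_id!r} is not in the configured email domain {email_domain}")
    return problems


if __name__ == "__main__":
    print("metadata:", check_idp_metadata(SAMPLE_METADATA) or "ok")
    print("assertion:", check_assertion(SAMPLE_ASSERTION, "example.com") or "ok")
```

Run it against the metadata you intend to host (for Google Workspace, the downloaded file) and, where the IdP offers a preview or test login, against the assertion it produces; a non-empty list points at the field to fix before sharing the email domain and user list with Shisho Cloud.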