SAML Single Sign-On
The English user guide is currently in beta preview. Most of the documents have been automatically translated from the Japanese version. Should you find any inaccuracies, please reach out to Flatt Security.
This feature is only available to organizations that have contracted to use SAML single sign-on.
Shisho Cloud provides a single sign-on feature using SAML.
By registering your identity provider (IdP) in the settings screen, you can sign in to the service with your organization's user accounts.
This document explains how to use this feature with several external IdP services.
Using Okta (Using the Metadata URL)
Create a SAML 2.0 application from the administration screen.
Some fields are mandatory when creating the application. Enter temporary values for these fields and change them in a later step.
Check the Metadata URL from the Sign On tab of the created application.
Configure single sign-on settings from the Shisho Cloud settings screen. Enter the Metadata URL you just checked and the email domain used for login.
Click the Add button. Upon successful completion, you will see the created setting in Pending status.
Next, change the settings for the application you created in Okta.
Enter the callback URL as the Single sign-on URL. Set the following value as the Audience URI:
https://id.cloud.shisho.dev/realms/cloud
Next, set the Attribute Statements. Refer to the image below.
Map the attributes so that the assertion carries the following attribute names, which Shisho Cloud reads:
- lastName
- firstName
Once this is complete, share the following information with Shisho Cloud:
- Email domain used for login
- Users who can use both ID/password and single sign-on to log in
Specify users who can log in with their ID and password even when single sign-on is unavailable, such as during an IdP outage.
ID/password login for other users will be disabled.
Once the single sign-on setting is enabled, the icon in the Status column will change to a green check mark.
Once this is complete, you will be redirected to the IdP authentication screen when you log in with the specified email domain.
Using Google Workspace (Using the Metadata XML File)
From the administration screen, add a custom SAML application and download the metadata XML file.
Configure single sign-on settings from the Shisho Cloud settings screen.
Enter the email domain used for login and select the downloaded metadata XML file. A preview of the selected file will be displayed, so please check the contents.
Click the Add button. Upon successful completion, you will see the created setting in Pending status.
Return to Google Workspace. Enter the callback URL as the ACS URL.
Set the following value as the Entity ID:
https://id.cloud.shisho.dev/realms/cloud
Refer to the image to configure attributes, and then click the Complete button.
Map the attributes so that the assertion carries the following attribute names, which Shisho Cloud reads:
- lastName
- firstName
Once this is complete, share the following information with Shisho Cloud:
- Email domain used for login
- Users who can use both ID/password and single sign-on to log in
Specify users who can log in with their ID and password even when single sign-on is unavailable, such as during an IdP outage.
ID/password login for other users will be disabled.
Once the single sign-on setting is enabled, the icon in the Status column will change to a green check mark.
Once this is complete, you will be redirected to the IdP authentication screen when you log in with the specified email domain.
Using Other IdPs
In addition to Okta and Google Workspace, you can also integrate with the following external IdPs:
- Microsoft Entra ID (formerly Azure Active Directory)
- Auth0
You can generally integrate other IdPs with Shisho Cloud by performing the following steps:
- Register the Metadata URL and callback URL.
- Set the Entity ID.
- Map SAML attributes.
About Single Sign-On Settings
Email Addresses
An email address used for login can belong to only one single sign-on configuration, regardless of that configuration's status. Duplicate email addresses across configurations are not allowed anywhere in the service.
Also, registering multiple email addresses in one configuration is currently not supported. This is subject to change in the future.
When an Account Does Not Exist in Shisho Cloud
If a user does not exist on Shisho Cloud, the user is created automatically upon the first successful login. Therefore, restrict on the IdP side which users are allowed to log in to Shisho Cloud through single sign-on, as necessary.
Even for newly registered users via single sign-on, an invitation to each organization is required.
When an Account with the Same Email Address Exists in Shisho Cloud
If an account with the same email address already exists on Shisho Cloud, that account will be linked as a single sign-on user upon the first successful login. After that, the user can log in using single sign-on. However, at this time, Shisho Cloud needs to perform an operation to completely disable login with ID/password. This is subject to change in the future.
Managing Signing Certificates
If single sign-on is configured via the Metadata URL, the signing certificate included in the metadata served at that URL is used to verify logins. The Metadata URL in use can be found on the details page of each configuration, and the latest signing certificate published there is always used. However, changing the Metadata URL or adding a signing certificate after registration is currently not supported. This is subject to change in the future.
If single sign-on is set up via the Metadata XML file, the signing certificate included in the file is used to verify logins. You can also add and delete signing certificates from the details page of the configuration; at least one signing certificate must remain registered. Adding a Metadata URL to such a configuration is currently not supported. This is subject to change in the future.
If you would like to change the settings or have any questions, please feel free to contact us.
Deleting Settings
Currently, single sign-on settings are deleted in the following cases. This is subject to change in the future.
- When a customer directly deletes the settings.
- When a customer deletes an organization that includes single sign-on settings.
Disabling Settings
Currently, customers cannot disable a setting without deleting it; to disable single sign-on, delete the setting. This is subject to change in the future.
If you have any further questions, please feel free to contact us.