Setting Up a Partner SAML Provider
Setting up a new SAML provider for the Crunch app requires work by both Crunch and its partner. Crunch only supports Service Provider Initiated Login.
The following describes the three-part process:
- Step one (partner): Register Crunch's login URL with your SAML provider and generate the x509cert, Identifier URL, and login URL.
- Step two (Crunch): Add tokens and configuration to Crunch's application configuration.
- Step three (partner + Crunch): Test the integration together.
Step one: Registering Crunch SAML URLs (partner)
- Register Crunch's SAML domains and redirect URLs with your SAML provider. Crunch's SAML URIs are listed below. The examples use [workspace] in the URL; replace [workspace] with your organization's workspace name.
- Domain (Entity ID): https://[workspace].crunch.io
- Assertion Consumer Service:
https://[workspace].crunch.io/api/public/saml2/assertion_consumer_service/?name=[your-crunch-provided-name]
- Provide the following details to Crunch:
- Identifier URL (Entity ID): a string, sometimes human-readable, sometimes a hash value/random string, or sometimes a mixture of both.
- X509cert.pem: The public certificate.
- The scope that Crunch should request access to: Crunch needs to be able to verify the user's email address against the login email address, from which Crunch pulls the full name of the user's profile. Crunch uses the attribute name 'email' for user email addresses.
- Signon URL: The identity provider's login URL that a Crunch user is directed to.
- If you wish to enable Just-in-time provisioning, then provide the email domains that should be included.
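A pre-flight check for step one, added here as an example (it is not Crunch's own code): it builds the two Crunch URLs from the templates above and extracts the Entity ID, sign-on URL and certificate from IdP metadata before you send them to Crunch. It assumes your IdP exports standard SAML 2.0 metadata XML and that the sign-on URL is the HTTP-Redirect endpoint; the function names, sample metadata and placeholder certificate are constructed for illustration.

```python
import base64
import textwrap
import xml.etree.ElementTree as ET
from urllib.parse import quote, urlsplit

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"  # assumed binding
# Constructed sample input: the "certificate" is placeholder bytes, not a real cert.
FAKE_CERT_B64 = base64.b64encode(b"\x30\x82\x00\x10constructed-not-a-cert").decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}"
    xmlns:ds="{NS['ds']}" entityID="https://idp.example.com/saml/abc123">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{FAKE_CERT_B64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="{REDIRECT}" Location="https://idp.example.com/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def crunch_sp_urls(workspace, name):
    """Entity ID and ACS URL to register with the IdP, per the templates on this page."""
    entity_id = f"https://{workspace}.crunch.io"
    acs = f"{entity_id}/api/public/saml2/assertion_consumer_service/?name={quote(name, safe='')}"
    return entity_id, acs

def idp_details(metadata_xml):
    """Extract the Entity ID, sign-on URL and signing cert (as PEM) to send to Crunch."""
    if "<!DOCTYPE" in metadata_xml or "<!ENTITY" in metadata_xml:
        raise ValueError("metadata must not contain a DTD")  # guard against entity tricks
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None or not root.get("entityID"):
        raise ValueError("metadata lacks entityID or IDPSSODescriptor")
    sso = [s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)
           if s.get("Binding") == REDIRECT]
    if not sso or urlsplit(sso[0]).scheme != "https":
        raise ValueError("need an https HTTP-Redirect SingleSignOnService")
    certs = [c.text for k in idp.findall("md:KeyDescriptor", NS)
             if k.get("use") in (None, "signing")  # no 'use' means signing and encryption
             for c in k.iterfind(".//ds:X509Certificate", NS) if c.text]
    if not certs:
        raise ValueError("no signing certificate in metadata")
    b64 = "".join(certs[0].split())
    der = base64.b64decode(b64, validate=True)  # rejects non-base64 characters
    if not der.startswith(b"\x30"):
        raise ValueError("certificate is not DER (expected an ASN.1 SEQUENCE)")
    pem = "-----BEGIN CERTIFICATE-----\n" + "\n".join(textwrap.wrap(b64, 64)) + "\n-----END CERTIFICATE-----\n"
    return {"entity_id": root.get("entityID"), "signon_url": sso[0], "x509cert_pem": pem}
```

The check confirms only that the certificate field is well-formed base64 DER; it does not verify the certificate's expiry or that it matches the key your IdP signs with.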
Step two: Configuring the partner's SAML provider (Crunch)
Once Crunch has received the above information from you, Crunch configures the new partner SAML provider in its platform.
Step three: Testing the integration (Crunch + partner)
Navigate a web browser to Crunch and sign in.