Skip to main content

SAML 2.0

SEI supports Single Sign-On (SSO) integration using the SAML 2.0 protocol. This enables secure, unified authentication with leading identity providers and allows users to seamlessly access SEI across your enterprise environment.

For details on SAML token claims and advanced configuration, see the official Customize SAML token claims.

Single sign-onDescription
AzureConfigure secure SAML SSO between Azure Active Directory and SEI, enabling users to log in with their Microsoft credentials.
OktaSet up SAML SSO integration with Okta for both SEI and Excel Add-in. Requires creating a separate Okta app for each.
OneLoginImplement SAML SSO using OneLogin for centralized user access to SEI and Excel Add-in. Requires a separate app per component.

Azure single sign-on

Configure the Azure domain

  1. Log in to Microsoft Azure portal.
  2. In Azure services, select Entreprise applications. Click More services if not visible.
  3. Click New application, then Create your own application.
  4. Enter a name for your application and click Create.
  5. Under Getting Started, click Set up single sign on.
  6. Select SAML as the SSO method.
  7. Complete the Basic SAML Configuration and User Attributes & Claims sections.

Basic SAML Configuration

  1. In the Single sign-on tab, click the pen icon next to Basic SAML Configuration.
  2. In the Identifier (Entity ID) field, copy the Entity ID URL value from your SEI web server.
    Example: If your server address is biwebserver.mycompany.com:444, biwebserver is the unique identifier.
    If you haven’t set up HTTPS binding for external access, use the URL from your web server’s certificate as described in Azure SSO documentation.
  3. In the Reply URL (Assertion Consumer Service URL) field, copy the ACS (SAML2) URL value from the SEI Web Server for both the application and Excel Add-in.
  4. In the Sign on URL field, the web application’s direct login URL (e.g., https://yourserver:81).
  5. Click Save to apply changes.
  6. Go to the Users and groups tab.
  7. Click Add user/group to assign users and groups for SSO access.

User Attributes & Claims

  1. In the Single sign-on tab, click the pen icon next to User Attributes & Claims. The Manage Claim page appears.
  2. Click Add new claim.
  3. For Name, enter mailnickname.
  4. In Source, select Attribute.
  5. For Source Attribute, enter user.mailnickname.
  6. Click Save to finish.

Download the certificate

  1. In the Single sign-on tab, scroll to SAML Certificates.
  2. Click Download next to Certificate (Base64).

After downloading the certificate, complete the configuration in SEI by adding the Azure provider and creating users as described in Authentication. Finally, verify your SSO integration by logging in with an assigned Azure AD account.

For a full step-by-step example, see Microsoft Azure Configuration Example

Okta single sign-on

important

If you encounter the error Unable to find the user identifier in the claims error, manually set claims under the Attribute Statements section in Okta. This usually means the required user attribute was not included in the SAML response.
Configure claims to match the user identifier defined on your SEI Authentication screen.

Create SAML applications

You need to create two applications: one for your SEI web application and one for Excel Add-in.

  1. Sign up for a developer account on Okta.
  2. In the Okta dashboard, click Applications in the main menu.
  3. Click Create App Integration.
  4. Choose SAML 2.0 as the sign-on method and click Next.

Configure app details

For the web application and Excel Add-in, repeat the following steps with the appropriate app name:

  1. In the App name field, enter a suitable name, such as SAML 2 Web Server and SAML 2 Excel Add-in for the second app.
  2. Click Next.
  3. In the Single Sign on URL field, copy the ACS (SAML2) URL value from the SEI Web Server.
  4. In the Audience URI (SP Entity ID) field, copy the Entity ID URL value from your SEI web server.
  5. Click Next, then Finish.

Assign users and retrieve identity provider details

  1. Under the Assignments tab, click Assign to add the users who should have SSO access.
  2. Download the Okta Certificate for this application.
  3. Go to the Sign On tab and select View Setup Instructions.
  4. Make a note of the Single Sign-On URL and Identity Provider Issuer (Entity ID)—you’ll need these for the SEI SSO configuration.

For a full step-by-step example, see Okta Configuration Example

OneLogin single sign-on

To integrate SEI with OneLogin using SAML 2.0, create two applications in the OneLogin admin portal: one for the SEI web application and one for the Excel Add-in.

Create SAML applications

Follow these steps for both your web application and the Excel Add-in:

  1. Log in to your OneLogin domain.
  2. Click Applications on the menu, then choose Add App.
  3. Search for and select SAML Custom Connector (Advanced).
  4. Enter an application name:
    • Use SAML 2 Web Server for the SEI web application.
    • Use SAML 2 Excel Add-in for the Excel Add-in.
  5. In the Configuration tab, set each of the following:
    • Audience (Entity ID): Enter the Entity ID from your SEI Web Server.
    • ACS (Consumer) URL Validator: Enter the appropriate validator value (from your system’s ACS/Consumer URL).
    • ACS (Consumer) URL: Enter the ACS (SAML2) URL from the SEI Web Server.
  6. Go to the SSO tab and make sure SML Signature Algorithm is set to SHA-256.
  7. Copy the Issuer URL, SAML 2.0 Endpoint (HTTP), and SLO Endpoint (HTTP) for use in SEI SSO configuration.
  8. Click Save.

For a full step-by-step example, see OneLogin Configuration Example