Security Assertion Markup Language 2.0 (SAML 2.0) is a version of the SAML standard for exchanging authentication and authorization data between security domains. SAML 2.0 is an XML-based protocol that uses security tokens containing assertions to pass information about a principal (usually an end user) between a SAML authority, named an Identity Provider, and a SAML consumer, named a Service Provider. SAML 2.0 enables web-based, cross-domain single sign-on (SSO), which helps reduce the administrative overhead of distributing multiple authentication tokens to the user.

To set up SAML, you must be on a Teams subscription and must request that this feature be enabled for your Workspace. Only Workspace Primary Owners and Owners can request and set up SAML, because it lives in the Workspace Settings part of the platform. You must also be an administrator of your IdP service (for example, Okta).

To request SAML for your Workspace, contact Voicea Support. Once SAML has been enabled on your Workspace, you will need to make sure that certain data is passed to Voicea from your IdP, and that you have entered the correct information from Voicea into your IdP.

------------------------------------------------------------------------------------

For Okta-specific instructions, click here

For Google G Suite-specific instructions, click here

For Microsoft Azure-specific instructions, click here

------------------------------------------------------------------------------------

IdP SAML configuration settings to add to Voicea:

1) Log in to Voicea and go to your Workspace Settings.
2) Click EDIT SSO.

Fill in the Voicea SAML form with the following information:
Identity Provider Entity ID: the Identity Provider Issuer. For example, using Okta this would look like:

http://www.okta.com/xyz

Identity Provider SSO Target URL: the Identity Provider Single Sign-On URL. For example, using Okta this would look like:

https://organization.okta.com/app/appname/abc/sso/saml


Identity Provider Cert Fingerprint:

Generate a SHA-1 fingerprint of your IdP's signing certificate and copy the formatted fingerprint into the Voicea platform. You can learn more about how to generate a SHA-1 fingerprint at SAMLTool.com. If you have OpenSSL installed, you can create the formatted fingerprint with:

openssl x509 -noout -fingerprint -sha1 -inform pem -in [certificate-file.crt]

OpenSSL prints the fingerprint after a "Fingerprint=" label; copy only the colon-separated hex value, which looks like this:

C1:9F:07:A4:DB:1B:51:3D:12:9C:32:3C:21:48:37:A9:22:6F:8B:32

Note that this fingerprint only identifies the certificate; it is the full certificate pasted in the next field that Voicea uses to verify your IdP's signatures, so make sure the two match.

Identity Provider Cert

Copy and paste your certificate into this form. Include the full certificate, including the BEGIN and END lines, and make sure there is no leading or trailing whitespace in what you paste into the Voicea platform.

-----BEGIN CERTIFICATE-----
cert contents here
-----END CERTIFICATE-----
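The following is an added example, not code from the Voicea page or from Voicea itself. It reproduces what the `openssl x509 -fingerprint -sha1` command above does (strip the PEM armour, base64-decode to DER, SHA-1 the DER bytes, format as colon-separated upper-case hex) so you can check a fingerprint you were handed against the certificate you are about to paste, and it flags the two paste mistakes the form rejects: a fingerprint that is not 20 hex bytes (a stray non-hex character, for instance) and a certificate with leading or trailing whitespace. The embedded PEM is constructed for the example: its body decodes to the bytes "abc" rather than to a real certificate, so the expected fingerprint is the standard SHA-1 test vector for "abc".

```python
import base64
import hashlib
import re

# Constructed PEM for illustration only: the base64 body "YWJj" decodes to
# b"abc", not to a real certificate. Replace it with your IdP's signing cert.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----"""

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

# 20 colon-separated hex bytes, upper case, as the Voicea form expects.
FINGERPRINT_RE = re.compile(r"^([0-9A-F]{2}:){19}[0-9A-F]{2}$")


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the body to DER bytes.

    Raises ValueError when an armour line is missing, which is what a
    partially pasted certificate looks like.
    """
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("PEM armour missing or truncated")
    body = "".join(lines[1:-1])
    # validate=True rejects characters outside the base64 alphabet instead of
    # silently skipping them, so corrupted pastes fail loudly.
    return base64.b64decode(body, validate=True)


def sha1_fingerprint(pem: str) -> str:
    """SHA-1 over the DER encoding, formatted like `openssl x509 -fingerprint -sha1`."""
    digest = hashlib.sha1(pem_to_der(pem)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_is_well_formed(fp: str) -> bool:
    """True only for 20 colon-separated hex bytes; a 'Q' or a missing byte fails."""
    return FINGERPRINT_RE.match(fp) is not None


def fingerprint_matches(fp: str, pem: str) -> bool:
    """Case-insensitive comparison of a supplied fingerprint with the cert's own."""
    return fingerprint_is_well_formed(fp.upper()) and fp.upper() == sha1_fingerprint(pem)


def pem_has_stray_whitespace(pem: str) -> bool:
    """True if the pasted cert carries leading/trailing whitespace the form rejects."""
    return pem != pem.strip()


if __name__ == "__main__":
    fp = sha1_fingerprint(SAMPLE_PEM)
    print("fingerprint:", fp)
    print("well-formed:", fingerprint_is_well_formed(fp))
    print("stray whitespace:", pem_has_stray_whitespace(SAMPLE_PEM))
```

Run it against the real certificate file by reading the file into `SAMPLE_PEM`'s place; if `fingerprint_matches` returns False for the fingerprint your IdP console shows, you are looking at a different (for example, rotated) certificate than the one you are pasting.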

------------------------------------------------------------------------------------

Voicea SAML configuration settings to add to your IdP:

Single sign on URL: the location to which the SAML assertion is sent with an HTTP POST. This is often referred to as the SAML Assertion Consumer Service (ACS) URL for your application. In Okta, also tick "Use this for Recipient URL and Destination URL" so that the same value is used for all three.

https://app.voicea.com/users/saml/auth

Audience URI (SP Entity ID): the application-defined unique identifier that is the intended audience of the SAML assertion. This is most often the SP Entity ID of your application.

https://app.voicea.com/users/saml/metadata

Default RelayState: identifies a specific application resource in an IdP-initiated Single Sign-On scenario.

https://app.voicea.com/users/saml/auth


Voicea requires certain information to be provided in order to authenticate a user.

Make sure to pass user profile attributes for name (the full name of the user, usually a concatenation of the first and last name fields), first name (the first name from the user's profile), last name (the last name from the user's profile) and email address (the user's email address). Map the appropriate attributes from your IdP to the following Voicea attribute names:

email
first_name
last_name
name
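The following is an added example, not code from the Voicea page or from Voicea's own implementation, showing the checks a service provider applies to a SAML Response after its signature has been verified, using the SP-side values listed above: Destination must equal the ACS URL, the Audience must contain the SP Entity ID, the subject NameID must be in emailAddress format (matching the Name ID format setting later on this page), and all four Voicea attribute names must be present with non-empty values. The SAML Response is constructed for the example (not captured from Okta or Voicea) and omits the Signature element, because XML signature verification needs a library outside the standard library and is assumed to have already passed; the issuer and user values are placeholders.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# SP-side values from the page.
ACS_URL = "https://app.voicea.com/users/saml/auth"
SP_ENTITY_ID = "https://app.voicea.com/users/saml/metadata"
REQUIRED_ATTRS = ("email", "first_name", "last_name", "name")
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample response (placeholder issuer and user; no Signature element).
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2020-01-01T00:00:00Z" Destination="{ACS_URL}">
  <saml:Issuer>http://www.okta.com/xyz</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2020-01-01T00:00:00Z">
    <saml:Issuer>http://www.okta.com/xyz</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="{EMAIL_NAMEID}">alice@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>{SP_ENTITY_ID}</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="first_name"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="last_name"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="name"><saml:AttributeValue>Alice Example</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def check_response(xml_text: str) -> dict:
    """Return the attribute map if the response is addressed to this SP and
    carries every attribute Voicea needs; otherwise raise ValueError naming
    the first failed check. Assumes the XML signature was verified already."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise ValueError("not a samlp:Response")
    # Destination binds the response to our ACS URL (the "Destination URL" box).
    if root.get("Destination") != ACS_URL:
        raise ValueError("Destination does not match the ACS URL")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError("expected exactly one Assertion")
    assertion = assertions[0]
    # AudienceRestriction stops an assertion minted for another SP being replayed here.
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        raise ValueError("Audience does not include the SP Entity ID")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_NAMEID or not (name_id.text or "").strip():
        raise ValueError("NameID missing or not in emailAddress format")
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values[0] if values else ""
    missing = [n for n in REQUIRED_ATTRS if not attrs.get(n)]
    if missing:
        raise ValueError("missing required attributes: " + ", ".join(missing))
    return {n: attrs[n] for n in REQUIRED_ATTRS}


def rejects(xml_text: str) -> bool:
    """True if check_response refuses the response (handy for negative tests)."""
    try:
        check_response(xml_text)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(check_response(SAMPLE_RESPONSE))
```

Validity-window checks on Conditions (NotBefore / NotOnOrAfter) and replay protection on the assertion ID are omitted to keep the example to the settings listed on this page; a production SP performs both, and never runs these checks before the signature check.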

Other advanced options to ensure a successful setup in your IdP:

Name ID format: identifies the SAML processing rules and constraints for the assertion's subject statement. Okta's default is 'Unspecified', to be changed only when the application requires a specific format; Voicea does, so set:

EmailAddress

Application username: determines the default value for a user's application username, which is used as the assertion's subject (NameID).

Email

Update application username on:  

Create and Update

Response: determines whether the SAML authentication response message is digitally signed by the IdP. A digital signature is required so that Voicea can verify that only your IdP generated the response message.

Signed

Assertion Signature: determines whether the SAML assertion is digitally signed. A digital signature is required so that Voicea can verify that only your IdP generated the assertion.

Signed

Signature Algorithm: Determines the signing algorithm used to digitally sign the SAML assertion and response.

RSA-SHA256

Digest Algorithm: Determines the digest algorithm used to digitally sign the SAML assertion and response.

SHA256

Assertion Encryption: determines whether the SAML assertion is encrypted. Encryption ensures that nobody but the sender and receiver can read the assertion; Voicea does not use it, so leave the assertion unencrypted (it is still signed, per the settings above).

Unencrypted

Enable Single Logout: Enable SAML Single Logout.

Allow application to initiate Single Logout = FALSE

Authentication context class: Identifies the SAML authentication context class for the assertion's authentication statement.

PasswordProtectedTransport

Honor Force Authentication: Prompt user to re-authenticate if SP asks for it.

Yes

SAML Issuer ID: SAML IdP Issuer ID.

http://www.IDPproviderDomain.com/${org.externalKey}

Notes on SAML

If you have questions about any of these items, please contact your Account Manager or Voicea Support before enabling SAML.

  • Voicea's SAML implementation allows a user to create an account when registering or logging in for the first time using SAML; however, Voicea requires the user to verify their email identity before the account is registered.
  • Voicea's SAML implementation does not enforce SAML login at this time. If SAML is enabled, it is an option the user can use, but it is not the only or required option. A user who wishes to continue using an email and password is allowed to do so.
  • SAML requires all users within a domain to be part of the same Workspace. Voicea calls this domain enforcement: when SAML is enabled on a Workspace, anyone within the domain scope covered by SAML is required to log into that same Voicea Workspace.
  • Auto-provisioning is not supported at this time.
