How SAML Works

The process involves three parties: the user, the identity provider (IdP) and the cloud service provider (Caspio-powered apps). The user accesses a Caspio-powered application and attempts to authenticate. If Caspio recognizes the username, it delegates authentication to the IdP. The IdP validates the user against its user database and sends a confirmation to Caspio, which then gives the user access to the application. Note that SSO applies only to Caspio web applications; it does not apply to Caspio Bridge platform admin and user logins.
Benefits of Using Single Sign-On

The main benefits of single sign-on are the additional security that results from not storing user passwords in multiple places, and the convenience of fewer usernames and passwords, which lowers IT help costs. In addition, your corporate password policies are extended to your cloud apps.
Supported SAML-based Identity Providers

Caspio SSO is based on the SAML 2.0 specification. SAML 2.0 is supported by the well-known IdPs listed below, which can be used to set up SSO with Caspio. Other SAML-based IdPs can also be used, but they have not been tested and verified by Caspio.
- Active Directory Federation Services (ADFS) 2.0 and 3.0
- Microsoft Azure Active Directory
- PingOne (PingIdentity)
Setting Up Your Single Sign-On

The majority of the work to set up single sign-on takes place with your identity provider, as explained in the first step below. Each step is documented in detail in the sections that follow.
- Configure SAML settings with your identity provider.
- Construct your Caspio users table.
- Configure Caspio authentication to set up single sign-on.
- Test your single sign-on connection.
- Caspio Site URL (also known as SP Entity ID, Issuer URL, Audience and Recipient URL): https://
For example, if your account is on site 1, your site URL is https://b1.caspio.com. You can find your Caspio site in the About Caspio Bridge window under the Help menu.
- SP metadata URL (also known as Federation metadata address in ADFS): https:///saml2/metadata
- Single Sign On URL (also known as Assertion Consumer Service (ACS), Application Callback, Reply, and Destination URL): https:///saml2/sso
- Single Logout URL: https:///saml2/slo
While configuring your IdP settings, gather the following information, which is required to configure your Caspio authentication in the next step.
- SAML Provider ID – The entity ID of the identity provider (also known as issuer).
- Single sign-on URL – The provider’s endpoint that accepts authentication requests. This is also known as the start page: Caspio sends an authentication request to this URL to start the login process.
- Single sign-on method – The binding method the provider supports. The method can be Redirect or Post.
- Single logout URL (optional) – The provider’s logout page, used when a user clicks logout or the session expires. Single logout is supported by only some IdPs, so it is optional in Caspio.
- Logout method – If your provider supports single logout, you also need to find out which logout method it supports. The method can be Redirect or Post.
- X.509 certificate – The signing certificate provided by the IdP. You can upload it as a file or copy and paste it as text.
|Provider|Username format in Caspio|
|---|---|
|ADFS 2/3|User principal name in the format SAML:username@domainname|
|Azure AD (login with Microsoft account)|SAML:user_mail.com#EXTemail@example.com (replace the ‘@’ symbol in the user email with ‘_’). Example: firstname.lastname@example.org; Caspio format: myname_hotmail.com#EXTemail@example.com|
|Azure AD (login with Azure AD account)|SAML:firstname.lastname@example.org|
- Select your authentication data source.
- In Setup Options choose Custom.
- In “Validate with” choose SAML Single Sign-On.
- Fill in the SAML Authentication settings with the values obtained in the Configuring SAML Settings step discussed above.
- Configure the advanced options as normal. Note two settings:
  - Enable cross-app login: This option enables cross-app login when users have an active session with another Caspio-powered app that uses the same SAML provider and users table.
  - Auto-redirect to SAML login screen: If this option is enabled, unauthenticated users are automatically redirected to the IdP login page when the application is accessed. This option works only for Embed and .NET deployments.
- Complete your authentication configuration and click Create.