Summary
Syniti engineers are available to connect your Knowledge Platform products with your organization's SSO Identity Provider for a seamless and secure login experience. Before proceeding to the Setup section, please review the Requirements and send any questions to Syniti Tenant Provisioning.
Requirements
- Your SSO Identity Provider (IdP) is in our list of certified or supported providers.
- Your IdP provisions users in predefined groups that can be aligned with the 4 user roles in the Knowledge Platform: Admin, Business Admin, Author, & Viewer.
- Your IdP specifies a user's email address, full name, group membership, & immutable ID via an identity token or endpoint. In the case of SAML, the identity token is called the assertion.
- Your IdP uses a 2-hour or longer lifespan for session tokens and identity tokens.
Setup Begins
The setup process begins when you submit this type of request, which requires all of the following information.
Send any questions to Syniti Tenant Provisioning.
- Tenant ID
  - Get your {tenant id} by logging in and clicking your tenant name in the user menu in the top-right.
- IT and/or Security contact email(s)
  - Syniti engineers may need to request additional technical details from your organization's IT and/or Security team(s). List the email address of each person who should be included in these requests.
- All possible user email domains
  - List each user email domain that might ever need to access your Knowledge Platform.
- SSO Identity Provider (IdP)
  - Once again, certified providers are listed here. Any provider using the SAML 2.0, OAuth 2.0, or OpenID Connect protocol is also supported.
- SSO Protocol - SAML 2.0, OAuth 2.0, or OpenID Connect
  - WARNING: If Okta is your organization's IdP, then we only support OpenID Connect. Okta configurations with SAML 2.0 will often break the 2-hour lifespan requirement listed above.
- Four group names
  - Group names should be provided exactly as they appear in the Identity Provider's group membership claims.
  - 1 group is needed for each of the 4 user roles: Admin, Business Admin, Author, & Viewer.
- Required attribute names - email address, full name, group membership, & immutable ID
  - List the names of these required attributes exactly as they appear in the identity token or endpoint. In the case of SAML, the identity token is called the assertion.
- Four sets of IdP user credentials - send via encrypted email to T1@syniti.com
  - DO NOT provide these in the ticket.
  - Syniti engineers will use these credentials to test your Knowledge Platform SSO configuration.
  - 1 set is required for each of the 4 user roles.
If your SSO Protocol is SAML 2.0, then you'll need to include this in your ticket:
- SAML metadata link
  - This is your organization's SAML metadata. We strongly recommend providing a URL link to the metadata XML so that we can automatically monitor for updates. This allows you to change certificates or other configurations without the need to contact us. Alternatively, you can attach static metadata in an XML file.
  - You should save Syniti's SAML metadata link to configure your IdP for the Syniti Knowledge Platform (SKP). There are multiple links, but you need to use the one that matches your SKP tenant region.
If your SSO Protocol is OAuth 2.0 or OpenID Connect, then you'll need to include these in your ticket:
- Authorization endpoint
  - This is a URL that may look like "https://exampledomain.com/login"
- Token endpoint
  - This is a URL that may look like "https://exampledomain.com/token"
- (optional) User information endpoint
  - This is only needed when one of the required attributes is not available in the above endpoints. The required attributes are email address, full name, group membership, & immutable ID.
  - It may look like "https://exampledomain.com/userinfo"
- Client ID and Secret - send via encrypted email to T1@syniti.com
  - DO NOT provide these in the ticket.
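As an added pre-flight check (example code written for this page, not Syniti's own tooling), the following script validates a decoded OIDC ID token payload against the requirements above: all four attributes present, group membership mapping to exactly one of the four roles, and a lifespan of at least 2 hours. The claim names, group names, and sample payload are assumed placeholders; substitute the values your IdP actually emits.

```python
from __future__ import annotations
from datetime import timedelta

# Claim names as YOUR IdP emits them (assumed placeholders; report the real
# ones to Syniti exactly as they appear in the token or endpoint).
ATTRIBUTE_CLAIMS = {"email address": "email", "full name": "name",
                    "group membership": "groups", "immutable ID": "sub"}
# One IdP group per Knowledge Platform role (assumed placeholder group names).
ROLE_GROUPS = {"Admin": "skp-admins", "Business Admin": "skp-business-admins",
               "Author": "skp-authors", "Viewer": "skp-viewers"}
MIN_LIFESPAN = timedelta(hours=2)


def resolve_role(claims: dict) -> str | None:
    """Map the group claim to exactly one role; None if zero or several match."""
    groups = claims.get(ATTRIBUTE_CLAIMS["group membership"]) or []
    if isinstance(groups, str):  # some IdPs emit a single group as a bare string
        groups = [groups]
    matched = [role for role, group in ROLE_GROUPS.items() if group in groups]
    return matched[0] if len(matched) == 1 else None


def check_identity_token(claims: dict) -> list[str]:
    """Return requirement violations; an empty list means the token passes."""
    problems = []
    for attribute, claim in ATTRIBUTE_CLAIMS.items():
        if not claims.get(claim):
            problems.append(f"missing required attribute '{attribute}' (claim '{claim}')")
    if resolve_role(claims) is None:
        problems.append("group membership must match exactly one of the four role groups")
    # OIDC ID tokens carry issued-at (iat) and expiry (exp) as Unix seconds.
    if "iat" in claims and "exp" in claims:
        lifespan = timedelta(seconds=claims["exp"] - claims["iat"])
        if lifespan < MIN_LIFESPAN:
            problems.append(f"token lifespan {lifespan} is below the 2-hour minimum")
    else:
        problems.append("cannot verify lifespan: 'iat' or 'exp' claim absent")
    return problems


# Constructed sample payload of a decoded ID token (not from a real IdP).
SAMPLE_CLAIMS = {"sub": "00u-example-immutable-id", "email": "jane.doe@example.com",
                 "name": "Jane Doe", "groups": ["skp-authors"],
                 "iat": 1_700_000_000, "exp": 1_700_000_000 + 3 * 3600}

if __name__ == "__main__":
    print(check_identity_token(SAMPLE_CLAIMS) or ["token meets all requirements"])
```

Run it against a payload decoded from your IdP's token (or the user information endpoint response) before opening the ticket, so that missing attributes, ambiguous group membership, or a short token lifespan surface before Syniti's test cycle.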
Testing and Cutover
Once all the necessary information has been provided and clarified in the Support ticket (and sensitive items sent via encrypted email), Syniti engineers will prepare and test the Knowledge Platform SSO configuration.
Before we schedule the cutover date with you in the Support ticket, you'll be asked to provide one last item.
- User Accounts already in your Knowledge Platform to be migrated over to SSO
  - You can ignore any user Accounts that are not migrating to SSO.
  - The list of user Accounts needs to include their email address and user role from the Knowledge Platform plus their immutable ID from the IdP.