Last updated: Aug 13, 2020 15:53
A user accesses the Perfecto cloud, such as .
- Perfecto forwards the request to the IdP, and the user is redirected to the IdP login page.
- The user logs in with the company credentials.
- The IdP validates the user against the user store.
The Idp sends SAML (Security Assertion Markup Language) assertion back to Perfecto. At a minimum, the SAML assertion response from the IdP must contain the desired username for the Perfecto cloud (if it is not the user's email, the cloud should be configured accordingly). The response typically also includes the email address, given name, and last name attributes as parameters, but they are not required to enable SSO.
- The user is authenticated and logged into the Perfecto Lab session.
SSO setup steps
Setting up SSO with Perfecto is a process that involves close cooperation between your company and Perfecto Support. It consists of the following steps:
- Discover: After finalizing IdP selection, Perfecto and the IdP need to replace SAML 2.0 metadata. See What Perfecto needs from your IdP below for instructions on how to obtain your IDP metadata. When you acquire the metadata, make sure it is validated against the SAML 2.0 XSD (for example, you can use this login validation tool: https://www.samltool.com/validate_xml.php).
Initial setup: Open a ticket with Perfecto Support that includes your IDP metadata. A member of the Perfecto Support team then sets up the connection from Perfecto (the SP) to your IdP.
Similarly, on your end, you need to set up the connection from your IdP to Perfecto using the Perfecto metadata file. See What you need from Perfecto to set up your connection below for details.
Test: Verify the SSO connection between the Perfecto cloud and your IdP with one or two users. After accessing the Perfecto URL, these users should be redirected to your IdP login page, where they enter their IdP user credentials. When the IdP provider accepts their credentials, they should be logged in to the Perfecto cloud.
Production setup: During this step, Perfecto enables the IdP configuration and migrates all users. The migration path depends on the type of usernames you use:
- Email usernames: Both your IdP and the Perfecto cloud use email usernames. In this case, Perfecto automatically migrates all cloud users to the new configuration during this session. For automated testing, you can either provide automation users in advance to be skipped or replace their security token after the session.
ID usernames: Your IdP uses ID usernames and your Perfecto cloud uses email usernames. In this case, Perfecto renames the email to an ID. You need to set up a comma-separated mapping file that correlates a user's email address in the Perfecto system with the user ID in the IdP system. For example:
For more details about creating new users, see New users.
When a new user gets added to the IdP system and passes identification, Perfecto automatically adds the user if it doesn't exist. For details, see Just-in-time user provisioning. If you want to control a user's access to the Perfecto cloud, you need to do this through the IdP authorization (by assigning the user to your Perfecto application within your IdP).
By default, all new users get created without assigned roles and device tokens. You can opt to configure roles and tokens globally if required. If you want to change role and token assignments for individual users, your admin can do it manually.
What you need from Perfecto to set up your connection
You need to obtain the Perfecto metadata file for your installation. Contact Perfecto SSO support personnel to supply the file. The file is in XML format and includes your installation license.
What Perfecto needs from your IdP
You need to supply the IDP metadata file to Perfecto. In addition, Perfecto requires that you configure:
NameID Policy Format to
unspecified(optional but recommended)
Audience Restriction/Audience URI to
emptyor to our entity ID, which is
CLOUDNAMEis the name of your cloud
- The following SAML user attributes:
SAML response example:
You also need to assign your IdP users to the Perfecto application within your IdP.
We recommend that you contact your IDP to:
- Extract the SAML 2.0 metadata file
- Assign users (also for the IdP optimal configuration and setup).
Below are high-level instructions on how to do the above for some of the common IdPs. These instructions serve as a reference only. Make sure to verify them with your specific IdP.
- Register a new OKTA app: Click the profile name > your org > Admin > Applications > add application > create new app > SAML 2 > enter a name, and click Next.
- For Single sign-on URL, enter the following: .perfectomobile.com/auth/realms/<CQLab-name>.perfectomobile.com/broker/<CQLab-name>-okta/endpoint
For Audience URI (SP Entity ID), enter the IDP name.
- Click Next. Then select I'm an Okta customer adding an internal app.
- Click the Identity Provider metadata link to download the IDP metadata.
- Save the downloaded metadata file and supply it to Perfecto support personnel.
- To integrate users with Perfecto applications, go to the created application (Admin > Applications > Perfecto application) and click Assign. The user is attached to the Perfecto application.
- Go to Apps > add an app > can't find your app link.
- In the wizard that opens, do the following:
- in the Basic info field, enter a display name, for example Perfecto.
- Click Download IDP metadata. Then click Continue.
- Use the given Perfecto metadata file and upload it to the current wizard step.
- Finish the wizard with defaults.
- in the Basic info field, enter a display name, for example Perfecto.
- To have users integrated with Perfecto applications, CA has to have at least one department. If you don't have a department, create one:
- Click Admin > Organization.
- Select Departments.
- Enter a name and click Add.
- Click Rules.
- Add the department of the user as a rule to assign the application to the user.
- Go to the Azure classic portal, select the Active Directory sub menu, and select the active directory you want to use for SSO.
- In the top navigation bar, go to Applications.
- At the bottom of the screen, click Add.
- Select Add an application from the gallery.
- Select Custom > Add an unlisted application my organization is using and enter Perfecto as the application name. Click the check button when done.
- Select Configure single sign-on > Microsoft Azure AD Single Sign-On.
- Place the identifier and Reply URL information that the Perfecto SSO team provided for you in the corresponding fields, as follows:
<cloud-name>is the name of your Perfecto cloud instance.
- On the Download Metadata (XML) page, select the option to confirm that you have configured SSO and click Next.
- Enter the email address to use for notifications about maintenance issues.
- When you are back on the applications main page, navigate to Attributes.
- Under SAML Token Attributes, hover over the line where TYPE is user attribute (nameid) (usually the first one) and click the pencil icon to edit.
- Change the attribute value to user.mail and click the check button.
- At the bottom of the screen, click Apply Changes.
- Add users to the Perfecto application in Azure.
For other or custom IdPs, contact your IdP directory to assist with obtaining the metadata file.
Also in this section: