SAML

Instruqt SSO Integration with SAML 2.0

Set up Single Sign-On (SSO) for play.instruqt.com using your Security Assertion Markup Language (SAML) 2.0 Identity Provider (IdP). This process uses SAML to securely authenticate users.

Prerequisites

  • An active SAML 2.0 Identity Provider (IdP) account with administrative privileges (e.g., Okta, Azure AD, OneLogin, W3ID, etc.).

  • An active Instruqt account with access to the SSO configuration page: https://play.instruqt.com/manage/{team-name}/sso


Step-by-Step Configuration

The configuration involves three main phases:

  1. Setting up the application in your IdP and retrieving its metadata

  2. Configuring Instruqt with this information

  3. Potentially updating your IdP with the final Assertion Consumer Service (ACS) URL from Instruqt.

Phase 1: Configure Your SAML Application (In Your IdP)

Follow these steps within your chosen SAML Identity Provider (IdP) to set up the Instruqt application and retrieve the necessary configuration details.

Step 1: Create a New SAML Application

  • Log in to your IdP's administrative console.

  • Create a new application for Instruqt and configure it to use SAML 2.0. This process varies per IdP.

  • When prompted for configuration details, use placeholders if required, as the final details will be completed in Phase 3. Ensure you save the application setup to generate the IdP metadata.

Step 2: Retrieve IdP Metadata

After creating the application, your IdP will provide the essential metadata needed for Instruqt:

  • Entity ID (IdP Identifier): The unique ID for your SAML application.

  • Signing Endpoint (SSO URL): The URL where Instruqt will send authentication requests.

  • Signing Certificate: The X.509 certificate used by your IdP to sign SAML assertions.

Phase 2: Configure Instruqt (In Instruqt)

Use the details retrieved from your IdP to configure the SAML integration in Instruqt.

Step 1: Access Instruqt SSO Settings

  • Go to your Instruqt SSO configuration page: https://play.instruqt.com/manage/{team-name}/sso (replace {team-name} with your actual team name).

  • Select the SAML 2.0 option.

Step 2: Enter IdP Details

Use the three parameters you retrieved in Phase 1, Step 2 to configure the integration:

  • Entity ID: Paste the IdP's Entity ID here.

  • Signing Endpoint (SSO URL): Paste the IdP's Signing Endpoint here.

  • Signing Certificate (Base64): Paste the Base64 encoded Signing Certificate here.

Important Note on Certificate: The Signing Certificate must be Base64 encoded before you enter it into Instruqt. The raw certificate should begin with -----BEGIN CERTIFICATE-----

  • Click Save.

  • Instruqt will now display the generated Service Provider (SP) metadata, including the required Assertion Consumer Service (ACS) URL and the Email Attribute Mapping.

Essential Instruqt Metadata:

  • Assertion Consumer Service URL (ACS URL): This is the URL where your IdP must send the SAML response.

    Example: https://sso.play.instruqt.com/login/callback?connection={team-name}-samlp&organization_id={organization_id}

    Note: The organization ID is only known after saving the details in Step 2.

  • Email Attribute Mapping (NameID Format): Instruqt requires the user's email address to identify the user.

    Example: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
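For Phase 1, Step 2 and the certificate note in Phase 2, Step 2, the following added example (not Instruqt's own code) pulls the three values out of an IdP metadata XML document and prepares the certificate for pasting. It assumes your IdP exports a standard SAML 2.0 EntityDescriptor and that the Instruqt field takes Base64 of the whole PEM text; the function name, sample IdP URLs and placeholder certificate bytes are constructed.

```python
import base64, hashlib, ssl
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def instruqt_fields(metadata_xml):
    """Return the three Phase 2 values from an IdP EntityDescriptor document."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None or not root.get("entityID"):
        raise ValueError("not IdP metadata: entityID or IDPSSODescriptor missing")
    # Assumption: take the first listed endpoint (the page names no binding).
    sso = idp.find("md:SingleSignOnService", NS)
    if sso is None or not sso.get("Location", "").startswith("https://"):
        raise ValueError("SSO URL missing or not https")
    # No use= means signing and encryption; encryption-only keys are skipped.
    ders = set()
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        text = kd.findtext(".//ds:X509Certificate", default="", namespaces=NS)
        ders.add(base64.b64decode("".join(text.split()), validate=True))
    ders.discard(b"")
    if len(ders) != 1:  # none, or several during a certificate rollover
        raise ValueError(f"expected 1 signing certificate, found {len(ders)}")
    der = ders.pop()
    pem = ssl.DER_cert_to_PEM_cert(der)  # starts with -----BEGIN CERTIFICATE-----
    return {
        "entity_id": root.get("entityID"),
        "sso_url": sso.get("Location"),
        # Assumption: the Instruqt field takes Base64 of the whole PEM text.
        "signing_certificate_b64": base64.b64encode(pem.encode()).decode(),
        "sha256_fingerprint": hashlib.sha256(der).hexdigest(),
    }

# Constructed sample: placeholder bytes, not a real certificate or IdP.
SAMPLE_DER = b"constructed-placeholder-not-a-real-x509-cert"
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.test/saml/instruqt">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{base64.b64encode(SAMPLE_DER).decode()}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.test/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    print(instruqt_fields(SAMPLE_METADATA))
```

Compare sha256_fingerprint with the fingerprint of the certificate you downloaded from your IdP before pasting the Base64 value.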

Phase 3: Finalize Configuration (In Your IdP)

Step 1: Update Your SAML Application with ACS URL

  • Return to your SAML application settings in your IdP's administrative console.

  • Update the Assertion Consumer Service (ACS) URL with the exact value provided by Instruqt in Phase 2, Step 2. This URL tells your IdP where to send the authentication response.

  • Ensure the Email Attribute is mapped to the value: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress.

Once these steps are complete, users in your organization will be able to sign in to play.instruqt.com using their SAML credentials via https://play.instruqt.com/{team-name}/login


FAQ

Does Instruqt support user de-provisioning and/or SCIM?

Not at this time. If your use case requires de-provisioning, we encourage you to contact our support team and share your request with us.
