Centrify supplies a suite of identity security products; Idaptive is Centrify's Identity-as-a-Service product. Zeplin SAML SSO is confirmed to work with Centrify Idaptive.
☝️ This feature is only available to teams on the Enterprise Plan.
Before you begin
You can configure Idaptive and Zeplin yourself; Zeplin does not need to be involved. If you need help, feel free to contact us at success@zeplin.io!
Configuration
Configure Idaptive from the Idaptive Admin Console (https://<yourorg>.my.centrify.com/admin)
Log in to Zeplin (https://app.zeplin.io) as an Owner or Admin for your Zeplin Organization
In Idaptive:
Select Web Apps from the main menu
Click “Add Web Apps”, choose the Custom tab, and click “Add” next to the SAML option. Confirm your selection, then click the “Close” button
Find and select the newly-created SAML application in your list of Web Apps
Give this Application a name, then select Trust from the submenu
Under Identity Provider Configuration, the values you need for Zeplin are displayed under the Manual Configuration option. Don't click Save just yet.
In Zeplin:
From the Organization Dashboard, click the settings button on the top right to access Settings, and select the AUTHENTICATION tab
In the SAML 2.0 section, click on the “Enable” button
In the Zeplin popup:
- Copy the string from the Idaptive field IdP Entity ID / Issuer into the Zeplin field IDP Issuer
- Copy the string from the Idaptive field Single Sign-On URL into the Zeplin field IdP SAML 2.0 Endpoint
- Copy the contents of the file in the Idaptive field Signing Certificate into the Zeplin field IdP Public Certificate
Click on the “ENABLE” button
Click Download SAML 2.0 metadata
Back in Idaptive:
Under Service Provider Configuration, upload the metadata file just downloaded from Zeplin into the Metadata > File field
Select SAML Response from the submenu, and under Attributes, add a new Attribute:
- Attribute Name: email
- Attribute Value: LoginUser.Email
Click the “Save” button
Confirm everything works!
Go to the Zeplin login page and click the link that says Login with SSO (or go directly to https://app.zeplin.io/login/sso). Enter the email address of an existing Zeplin user. You should be redirected to Idaptive to authenticate, then back to that user's Project page.
Your company's identity management policies may require you to assign this application to users before they can use it. Usually this is done through an existing Idaptive user group that is assigned to the application: select Core Services > Roles, choose the appropriate group, view its Assigned Applications, and assign the Zeplin application (and specific users, if required).
Extra information for Idaptive users
Once you have confirmed that users can log in with SAML, you can restrict login to SAML only for all users by selecting that option on the AUTHENTICATION tab in Zeplin. As a safety net, the Owner can still log in with their username and password after this option is set; because that account bypasses your Idaptive policies, protect its password accordingly.
Idaptive does not send a session duration value (SessionNotOnOrAfter) in its SAML assertion. Zeplin therefore expires the session and re-authenticates the user after the duration set in the Zeplin setting Session Timeout, on the AUTHENTICATION tab of the Organization settings. The default is never to log the user out, so set an explicit timeout if your policy requires sessions to expire.
Idaptive can sign either the Assertion or the Response. Zeplin enforces a valid signature against the Idaptive-generated IdP Public Certificate you pasted in, so if that signing certificate is rotated in Idaptive, paste the new certificate into Zeplin before the old one goes out of use, or SSO logins will fail signature validation.
By default, Idaptive does not encrypt the Assertion. Zeplin accepts unencrypted assertions, and also assertions encrypted with the Zeplin-generated X.509 certificate (delivered to Idaptive as part of the Zeplin SP metadata). Zeplin can decrypt all of the ciphers that Idaptive supports.
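The values exchanged in the steps above are easy to get wrong by hand: the SP metadata you upload into Idaptive, and the Issuer, Single Sign-On URL and Signing Certificate you paste into Zeplin. The script below is an added example for this article, not Zeplin's or Centrify's code. It reads the SP metadata to show what Idaptive will be told (entity ID, ACS URL, whether signed assertions are required, and the fingerprint of the Zeplin encryption certificate discussed above), then checks the three Idaptive values for the usual mistakes: a non-https SSO URL, a truncated or non-certificate paste, and pasting Zeplin's own certificate from the metadata back into the IdP Public Certificate field. The metadata layout, entity ID, ACS URL, issuer and SSO URL are assumed placeholders, and the certificates are constructed byte strings, not real X.509 certificates.

```python
# Added example, not Zeplin's or Centrify's code. The metadata layout, URLs and
# certificates below are constructed placeholders, not real values from either product.
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}


def decode_cert(pem_or_b64: str) -> bytes:
    """DER bytes from a PEM block or bare base64 (metadata carries bare base64)."""
    body = re.sub(r"-----(BEGIN|END)[^-]*-----", "", pem_or_b64)
    return base64.b64decode("".join(body.split()), validate=True)


def cert_fingerprint(pem_or_b64: str) -> str:
    """SHA-256 fingerprint as AA:BB:..., the form admin consoles usually display."""
    hexdigest = hashlib.sha256(decode_cert(pem_or_b64)).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def looks_like_der_certificate(der: bytes) -> bool:
    """True if der is an outer ASN.1 SEQUENCE whose declared length covers the blob.
    Catches truncated pastes and the wrong file; it does not validate the certificate."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                                   # short-form length
        length, header = der[1], 2
    else:                                               # long form: 0x8N + N length bytes
        n = der[1] & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        length, header = int.from_bytes(der[2:2 + n], "big"), 2 + n
    return header + length == len(der)


def parse_sp_metadata(xml_text: str) -> dict:
    """Fields the IdP side needs from SP metadata (Zeplin's download; layout assumed)."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    fps = {"signing": [], "encryption": []}
    for kd in sp.findall("md:KeyDescriptor", NS):
        b64 = kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
        use = kd.get("use")
        for purpose in ([use] if use else ["signing", "encryption"]):  # no 'use' attr = both
            fps[purpose].append(cert_fingerprint(b64))
    acs = sp.find("md:AssertionConsumerService", NS)
    return {
        "entity_id": root.get("entityID"),
        "acs_url": acs.get("Location"),
        "acs_binding": acs.get("Binding"),
        "want_assertions_signed": sp.get("WantAssertionsSigned") == "true",
        "signing_cert_fingerprints": fps["signing"],
        "encryption_cert_fingerprints": fps["encryption"],
    }


def check_idp_values(issuer: str, sso_url: str, signing_cert: str, sp: dict) -> list:
    """Problems with the three values copied from Idaptive; an empty list means plausible."""
    problems = []
    if not issuer.strip():
        problems.append("IdP Issuer is empty")
    if not sso_url.startswith("https://"):
        problems.append("Single Sign-On URL is not https: the login redirect would go in cleartext")
    try:
        der = decode_cert(signing_cert)
    except ValueError as exc:                            # binascii.Error is a ValueError
        return problems + [f"Signing Certificate is not valid PEM/base64: {exc}"]
    if not looks_like_der_certificate(der):
        problems.append("Signing Certificate is not a DER X.509 blob (truncated paste or wrong file?)")
    if cert_fingerprint(signing_cert) in sp["signing_cert_fingerprints"] + sp["encryption_cert_fingerprints"]:
        problems.append("Signing Certificate is Zeplin's own SP certificate from the downloaded metadata, "
                        "not the one Idaptive generated")
    return problems


# Constructed sample inputs: not real certificates, URLs or Zeplin metadata.
SAMPLE_IDP_CERT_DER = b"\x30\x82\x00\x20" + b"constructed-not-a-real-x509-cert"   # 4-byte header + 32
SAMPLE_IDP_CERT_PEM = ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(SAMPLE_IDP_CERT_DER).decode()
                       + "\n-----END CERTIFICATE-----\n")
SAMPLE_SP_CERT_B64 = base64.b64encode(b"\x30\x82\x00\x1f" + b"constructed-zeplin-sp-cert-blob").decode()
SAMPLE_IDP_ISSUER = "https://example-org.my.centrify.com/saml/idp"       # placeholder
SAMPLE_IDP_SSO_URL = "https://example-org.my.centrify.com/saml/sso"      # placeholder
SAMPLE_SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://app.zeplin.io/saml/example-org">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{SAMPLE_SP_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://app.zeplin.io/saml/acs" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    sp = parse_sp_metadata(SAMPLE_SP_METADATA)
    print("Give Idaptive:", sp)
    print("Idaptive values:", check_idp_values(SAMPLE_IDP_ISSUER, SAMPLE_IDP_SSO_URL, SAMPLE_IDP_CERT_PEM, sp))
    print("Zeplin cert pasted back:", check_idp_values(SAMPLE_IDP_ISSUER, SAMPLE_IDP_SSO_URL, SAMPLE_SP_CERT_B64, sp))
```

To use it against your own setup, replace SAMPLE_SP_METADATA with the file downloaded from Zeplin and the three SAMPLE_IDP_* values with what Idaptive shows under Manual Configuration. The DER check is deliberately shallow (it confirms only that the paste is a complete ASN.1 SEQUENCE); whether the certificate is the right one is answered by comparing its fingerprint with the one Idaptive displays, and the fingerprint comparison against the SP metadata is what catches the common mistake of pasting Zeplin's own certificate into the IdP field.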