Single Sign-on (SSO) via SAML 2.0

Introduction

You can use Single Sign-on (SSO) to restrict access to your feedback board so that only authenticated members of your organisation can view and add suggestions.

Feature Upvote uses the widely-supported SAML 2.0 standard for SSO.

SAML 2.0 is supported by many services, including Microsoft’s Entra ID (previously known as Azure Active Directory) and Google’s Google Workspace (previously known as G Suite). You should be able to use any SAML 2.0 service. The main challenge is that each SAML 2.0 service uses different terminology for the same concepts.

Configuring SAML 2.0 for Feature Upvote requires technical knowledge. It should be performed by someone with experience in SAML 2.0 configuration or administration.

Configuring Single sign-on (SAML 2.0 SSO) Integration

You’ll need to switch backwards and forwards between configuring Feature Upvote and configuring your SAML 2.0 service. Start by configuring Feature Upvote.

The process is as follows:

  1. From your Feature Upvote dashboard, go to Feedback Boards > Settings > Access, select Single sign-on (SAML 2.0 SSO) and click Save changes.
  2. Start to enable the SAML 2.0 SSO integration on Feature Upvote. You won’t yet be able to save the configuration form that you see, but you’ll be able to see the info needed by your SAML 2.0 service.
  3. Take note of the Reply URL and Entity ID supplied by Feature Upvote
  4. In your SAML 2.0 service create an app using the Reply URL and Entity ID supplied by Feature Upvote. Note that Reply URL might be called “ACS URL” or “Assertion Consumer URL”. Entity ID might be called “Relying Party Identifier”.
  5. Take note of the Identity Provider URL and X509 Certificate supplied by your SAML 2.0 service for the Feature Upvote app. Identity Provider URL might be called “SSO URL”.
  6. Return to Feature Upvote’s SAML 2.0 SSO integration configuration screen and add the Identity Provider URL and X509 Certificate info, then click the Save button. If your certificate begins with -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE-----, it is okay to include these text fragments.
  7. Important: Return to your SAML 2.0 service and grant access to users, roles, or groups from your organisation to the app you created in your SAML 2.0 service. This is an easily overlooked step but is essential. If you don’t do this, your users will most likely be presented with an error message from your SAML 2.0 service after they’ve been authenticated.

Once you save Feature Upvote’s SAML 2.0 integration, you’ll now see a link to test your SSO configuration. The link is shown immediately after successfully saving your SAML 2.0 settings, and can be found at any time by going to Feedback Boards > Settings > Access.

The test link is in the format of https://yourfeedbackboard.featureupvote.com/saml/test. This test page is invaluable for checking your SAML 2.0 SSO configuration.

Optional configuration of display name and email attributes

Your SAML 2.0 service optionally sends user attributes to Feature Upvote on successful sign-in. You should be able to configure the names and values of these attributes using your SAML 2.0 service.

If these attributes include the user’s email address and/or display name, you can configure Feature Upvote to use these to auto-fill forms where appropriate.

Each text field can accept two attributes, separated by a space. So, for example, display name might be:

firstNameAttribute lastNameAttribute

  1. In Feature Upvote, go to Feedback Boards > Settings > Integrations > Single sign-on (SAML 2.0 SSO) > Configure
  2. Add the attribute names to the Display Name attribute and Email attribute fields
  3. Click the Save button

Determining the correct values to use for the Display Name attribute and Email attribute fields can be tricky. The correct values are determined by the configuration of your SAML 2.0 SSO service provider and can’t be automatically determined by Feature Upvote.

Typical values for Microsoft Entra ID are:

For Google Workspace, follow the instructions here.

Helpful terminology

In SAML 2.0 terminology:

  • Feature Upvote is the service provider or SP
  • Your SAML 2.0 SSO service is the identity provider or IdP
  • Your Feature Upvote feedback board has a unique SAML identifier known as entity ID, relying party identifier, or application ID
  • Your identity provider has an “entity ID”, which is not used by Feature Upvote. Be careful not to confuse this with your Feature Upvote feedback board’s entity ID.
  • Your identity provider has an identity provider URL, also known as the SSO URL. This is where Feature Upvote redirects unauthenticated users so that they can sign in.
  • Your Feature Upvote feedback board has a Reply URL, which is where your identity provider redirects users upon successful authentication. This is also known as Assertion Consumer Service URL or ACS URL.
  • Your identity provider has a public credential, usually in the form of an X509 certificate, sometimes known simply as a certificate. This is a long block of text which, when correctly processed, is used to check the validity of user authentication responses sent by your identity provider.

Troubleshooting tips

Signature Algorithm

If your identity provider (IdP) allows you to set a Signature Algorithm, please select RSA-SHA256.

‘Invalid status code’ error message

Are you seeing this cryptic message? Error handling SAML response: com.coveo.saml.SamlException: Invalid status code: urn:oasis:names:tc:SAML:2.0:status:Requester

This is how a SAML identity provider (IdP) informs you that your settings in Feature Upvote don’t match your settings in the IdP. Please carefully double-check all settings in your IdP, especially the Reply URL.
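When the status code or the attribute names described earlier are in doubt, a captured SAMLResponse can be compared with the settings on this page. The following is an added example, not Feature Upvote's code: it assumes the response arrived via the HTTP-POST binding (plain base64), it does not verify the signature, and the sample response, the `sp.example` URLs and the function name are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample (not real IdP output); sp.example values are placeholders.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://sp.example/saml/acs">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://sp.example/entity</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>ada@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="firstName"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE = base64.b64encode(SAMPLE_XML.encode()).decode()

def inspect_saml_response(b64_response, reply_url, entity_id, attr_fields):
    """Summarise a captured SAMLResponse; diagnostic only, no signature check."""
    xml_bytes = base64.b64decode(b64_response)
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("DTD/entity declarations do not belong in SAML")
    root = ET.fromstring(xml_bytes)
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    status = code.get("Value", "") if code is not None else ""
    ok = status.endswith(":status:Success")
    audiences = [a.text.strip() for a in root.iterfind(".//saml:Audience", NS) if a.text]
    attributes = {a.get("Name"): [v.text or "" for v in a.iterfind("saml:AttributeValue", NS)]
                  for a in root.iterfind(".//saml:Attribute", NS)}
    problems = []
    if not ok:  # e.g. ...:status:Requester, the error quoted above
        problems.append(f"IdP returned status {status or '(missing)'}")
    dest = root.get("Destination")
    if dest is not None and dest != reply_url:
        problems.append(f"Destination {dest} is not the Reply URL")
    if audiences and entity_id not in audiences:
        problems.append(f"Audience {audiences} lacks the Entity ID")
    # Each field holds one or two attribute names separated by a space.
    for field, names in attr_fields.items():
        for name in (names.split() if ok else []):
            if name not in attributes:
                problems.append(f"{field}: attribute '{name}' was not sent")
    return {"status": status, "attributes": attributes, "problems": problems}
```

Pass the Reply URL and Entity ID exactly as Feature Upvote shows them; the `attributes` key of the result lists the names the IdP actually sent, which are the values to enter in the Display Name attribute and Email attribute fields.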

Microsoft Entra ID tips

The Microsoft Entra ID admin console has many options and is somewhat confusing.

Follow these steps to configure Microsoft Entra ID to integrate with Feature Upvote.

Entra ID changes their UI from time to time. If these instructions don't make sense, please let us know at support@featureupvote.com so we can improve them.

Step 1: Start from Entra's home: https://entra.microsoft.com/#home


Step 2: Select: Identity > Applications > Enterprise applications > All applications.

Step 3: Select "New Application"

Step 4: Select "Create your own application"

Step 5: Name the app "Feature Upvote" or whatever works best for you, and ensure "Integrate any other application you don't find in the gallery" is selected. Then click "Create"

In our experience, Microsoft Entra ID takes a while to do some work after clicking "Create". Eventually, it should show you the new "Enterprise Application" called "Feature Upvote" (or whatever name you use).

Step 6: Select "Single sign-on" and then "SAML"

You should now be on a "Set up Single Sign-On with SAML" page.


Step 7: Edit Entra's "Basic SAML Configuration".

You can now go to your Feature Upvote dashboard, go to Settings > Access, and find the settings needed for Entra's "Basic SAML Configuration".

  • Put Feature Upvote's "Reply URL" value into Entra's "Reply URL" field.
  • Put Feature Upvote's "Entity ID" value into Entra's "Identifier" field.

Step 8: Copy Entra's "SAML Certificate" into Feature Upvote

After you've entered and saved the values in step 7, you can now download a certificate from Entra ID. You'll find it in "3. SAML Certificates", where you should choose "Certificate (Base64)".

The downloaded file has the ending ".cer". You should open this file in a text editor. You might find it easier if you rename the file to end in ".txt".

Copy the entire contents of this file, including the "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" text, and paste it into Feature Upvote, in the "X509 Certificate" field.


Step 9: Copy Microsoft Entra ID's "Login URL" into Feature Upvote.

You should still be on Entra ID's "Set up Single Sign-On with SAML" page.

Find section 4, "Login URL", and copy and paste the value into Feature Upvote's "Identity Provider URL" field.


Step 10: Test

This should be the bare minimum you need to do to use Microsoft Entra ID as your SAML identity provider with Feature Upvote.


Use these settings with Microsoft Entra ID for display name and email:


Google Workspace (aka G Suite) tips

How to get Display Name and Email address working

There are two steps to get this working.
Step 1: First you have to add some attributes in your Google Workspace admin
Step 2: You then need to add the same attributes to Feature Upvote's SSO settings.
Here's a screenshot of the attributes you should add to your own Google Workspace admin site. I've added a red box showing the three attributes you need to add: email, firstName, and lastName.

After having done this, you'll need to add these same attributes to Feature Upvote's SSO settings. Note that there is a space between firstName and lastName.

Once you've made these changes, I recommend clicking on the "Test SAML 2.0 SSO integration" button to check the settings worked. You might need to use the "Sign out" button on the SAML test page, and then sign in again, for the changes to take effect.

Need help with your SAML 2.0 SSO integration?

Let us know at support@featureupvote.com. We’ve been through this process with several SAML 2.0 SSO services and can help.