Single Sign-On (SSO) Frequently Asked Questions

General FAQs

Q: What value should I use for the nameID field?

A: Use the user's primary email address. It must match the email address on the user's Resolver account, as entered during the user creation process.

Q: Is it possible to bypass SSO?

A: Yes, you can apply a flag to a user that allows that user to bypass the SSO authentication process. Users who bypass the SSO authentication process must log into Resolver using their login credentials (username and password).

Q: Can you configure multiple-domain support for SSO?

A: Yes, you can configure multiple domains (e.g., somedomain.com, somedomain.sub.com) for SSO through your IdP. Please refer to the documentation for your IdP for further information.

Q: Are there other data items we can send in the Security Assertion Markup Language (SAML) token, such as name, phone, country, location, etc.?

A: No, only the name, phone number, country, and location can be sent with an SAML token.

Q: Does Resolver support real-time new user provisioning based on SAML requests?

A: No.

Q: Does Resolver support logout redirect URLs?

A: Resolver does not support SSO redirect/logout URLs in the Metadata file.

Active Directory Federation Services (ADFS) FAQs

Q: We’re using ADFS as the Identity Provider (IdP). What claim should be configured?

A: The following claims should be configured when using ADFS as your IdP:

  • Claim Rule: 
    • Template: Send LDAP Attributes as Claims
    • Attribute Store: Active Directory
    • LDAP Attribute: The Attribute that contains the User email addresses set up in Resolver (typically the User Principal Name, but not always)
    • Outgoing Claim Type: Name ID

Okta® FAQs

Q: Where can I find the SSO URL (Assertion Consumer Service)?

A: The SSO URL can be found in the Service Provider (SP) metadata provided by Resolver for the specified environment.

Q: Where can I find the Recipient URL and Destination URL?

A: The Recipient URL and the Destination URL are both the same as the SSO URL, which can be found in the Service Provider (SP) metadata.

Q: Where can I find the Audience URI?

A: The Audience URI or EntityID can be found in the Service Provider (SP) metadata provided by Resolver for the specified environment.

OneLogin® FAQs

Q: What value should the Audience be?

A: The Audience value should be the EntityID provided in the metadata (see <md:EntityDescriptor entityID=.....>).

Q: What value should the Recipient be?

A: The Recipient value should be provided in the Service Provider (SP) metadata file (see <md:AssertionConsumerService Location=....>).

Q: What value should the ACS be?

A: The ACS value should also be provided in the Service Provider (SP) metadata file (see <md:AssertionConsumerService Location=....>). 

Q: What value should the Certificate be?

A: The Certificate is provided in the SP metadata file (see <ds:X509Certificate>.....</ds:X509Certificate>).

Note:
Resolver does not support SSO redirect/logout URLs in the Metadata file.

Azure FAQs

Q: What value should the Identifier be?

A: The Identifier (Entity ID) value should be the EntityID provided in the metadata (see <md:EntityDescriptor entityID=.....>).

Q: What value should the Reply URL be?

A: The Reply URL value should be provided in the Service Provider (SP) metadata file (see <md:AssertionConsumerService Location=....>).

Q: What value should the Sign on URL be?

A: The Sign on URL value should also be provided in the Service Provider (SP) metadata file (see <md:SingleLogoutService Location=....>).
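
The Okta, OneLogin and Azure answers above all point at the same places in the SP metadata: the entityID attribute, the AssertionConsumerService Location and the X509Certificate. The following Python function is an added example, not Resolver's code; it reads those values from a constructed metadata document in which the host, entityID and certificate bytes are placeholders, and idp_fields is a hypothetical helper name.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample SP metadata: host, entityID and certificate bytes are
# placeholders, not values issued by Resolver.
SAMPLE_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sp.example.invalid/saml/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>Y29uc3RydWN0ZWQtcGxhY2Vob2xkZXItY2VydA==</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.invalid/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

def idp_fields(metadata_xml):
    """Read the values the IdP configuration asks for from trusted SP metadata."""
    root = ET.fromstring(metadata_xml)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("root element is not md:EntityDescriptor")
    acs = root.find("md:SPSSODescriptor/md:AssertionConsumerService", NS)
    cert = root.find(".//ds:X509Certificate", NS)
    entity_id = root.get("entityID")
    if acs is None or cert is None or not entity_id:
        raise ValueError("metadata is missing entityID, ACS or certificate")
    # Added sanity check (an assumption of this example): assertions go over TLS.
    if not acs.get("Location", "").startswith("https://"):
        raise ValueError("ACS Location is not an https URL")
    der = base64.b64decode("".join(cert.text.split()))
    return {
        # Okta: Audience URI / OneLogin: Audience / Azure: Identifier (Entity ID)
        "entity_id": entity_id,
        # Okta: SSO, Recipient, Destination URL / OneLogin: ACS, Recipient / Azure: Reply URL
        "acs_url": acs.get("Location"),
        # SHA-256 of the decoded certificate, to compare with what the IdP displays
        "cert_sha256": hashlib.sha256(der).hexdigest(),
    }

if __name__ == "__main__":
    for name, value in idp_fields(SAMPLE_METADATA).items():
        print(f"{name}: {value}")
```

Comparing the printed fingerprint with the one the IdP shows after the certificate is pasted in catches copy errors such as a truncated base64 block.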

One-click SSO Log In

Q: What are different syntax examples for using the one-click SSO log in feature? 

A: Some syntax examples for the one-click SSO log in feature are as follows:

  • Login page: https://core.resolver.com/#/session?domain=kroll.com
  • Bookmarked URLs:
    • Forms: https://sandbox.resolver.com/#/applications/▊▊-▊▊-▊▊-▊▊-▊▊/activities/▊▊-▊▊-▊▊-▊▊-▊▊/form/default/object/27727/edit?domain=kroll.com
    • Reports: https://sandbox.resolver.com/#/applications/▊▊-▊▊-▊▊-▊▊-▊▊/activities/▊▊-▊▊-▊▊-▊▊-▊▊/report/▊▊-▊▊-▊▊-▊▊/object/1?domain=kroll.com
    • Activities: https://sandbox.resolver.com/#/applications/▊▊-▊▊-▊▊-▊▊-▊▊/activities/▊▊-▊▊-▊▊-▊▊-▊▊?domain=kroll.com
  • Favorited search results: because search URLs already contain query values, the domain must be appended with an & instead of a ?
    • Search: https://core.resolver.com/#/search?searchText%3Dtest&domain=kroll.com

Q: What happens when a user logs out of a session?

A: Users will be redirected to a URL without any specified domain.

Q: What happens when an inactive session expires?

A: Because the user details are currently stored in the cache, users are directed back to the one-click login screen when an inactive session expires.