Single Sign-On (SSO) Frequently Asked Questions

General FAQs

Q: What value should I use for the nameID field?

A: Use the user's primary email address. It must be the same email address used for the user's account within Resolver during the user creation process.

Q: Is it possible to bypass SSO?

A: Yes, you can apply a flag to a user that allows that user to bypass the SSO authentication process. Users who bypass the SSO authentication process must log into Resolver using their login credentials (username and password).

Q: Can you configure multiple-domain support for SSO?

A: Yes, you can configure multiple domains (e.g., somedomain.com, somedomain.sub.com) through your IdP for SSO. Please refer to the documentation for your IdP for further information.

Q: Are there other data items we can send in the Security Assertion Markup Language (SAML) token, such as name, phone, country, location, etc.?

A: No, only the name, phone number, country, and location can be sent with an SAML token.

Q: Does Resolver support real-time new user provisioning based on SAML requests?

A: No.

Q: Does Resolver support logout redirect URLs?

A: Resolver does not support SSO redirect/logout URLs in the Metadata file.

Active Directory Federation Services (ADFS) FAQs

Q: We’re using ADFS as the Identity Provider (IdP). What claim should be configured?

A: The following claims should be configured when using ADFS as your IdP:

  • Claim Rule: 
    • Template: Send LDAP Attributes as Claims
    • Attribute Store: Active Directory
    • LDAP Attribute: The Attribute that contains the User email addresses set up in Resolver (typically the User Principal Name, but not always)
    • Outgoing Claim Type: Name ID

Okta® FAQs

Q: Where can I find the SSO URL (Assertion Consumer Service)?

A: The SSO URL can be found in the Service Provider (SP) metadata provided by Resolver for the specified environment.

Q: Where can I find the Recipient URL and Destination URL?

A: The Recipient URL and Destination URL are the same as the SSO URL, which can be found in the Service Provider (SP) metadata.

Q: Where can I find the Audience URI?

A: The Audience URI or EntityID can be found in the Service Provider (SP) metadata provided by Resolver for the specified environment.

OneLogin® FAQs

Q: What value should the Audience be?

A: The Audience value should be the EntityID provided in the metadata (see <md:EntityDescriptor entityID=.....>).

Q: What value should the Recipient be?

A: The Recipient value should be provided in the Service Provider (SP) metadata file (see <md:AssertionConsumerService Location=....>).

Q: What value should the ACS be?

A: The ACS value should also be provided in the Service Provider (SP) metadata file (see <md:AssertionConsumerService Location=....>). 

Q: What value should the Certificate be?

A: The Certificate is provided in the SP metadata file (see <ds:X509Certificate>.....</ds:X509Certificate>).

Note:
Resolver does not support SSO redirect/logout URLs in the Metadata file.
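
The Okta and OneLogin answers above all point back to the same few elements of the SP metadata file. The following added example (not Resolver's own code) reads those elements from a metadata document and returns the values to enter at the IdP. The sample metadata, the example.com URLs, the placeholder certificate bytes and the function name are assumptions constructed for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample: placeholder bytes stand in for the DER certificate and
# the example.com URLs are not real Resolver endpoints.
PLACEHOLDER_DER = b"constructed placeholder, not a real certificate"
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}"
    xmlns:ds="{NS['ds']}" entityID="https://sp.example.com/saml/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{base64.b64encode(PLACEHOLDER_DER).decode()}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:AssertionConsumerService index="1" Location="https://sp.example.com/saml/artifact"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
    <md:AssertionConsumerService index="0" isDefault="true" Binding="{HTTP_POST}"
        Location="https://sp.example.com/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def idp_settings_from_sp_metadata(xml_text):
    """Return the IdP-side values named in the FAQ, read from SP metadata."""
    # Assumes the file came from a trusted source; for untrusted XML use a
    # hardened parser such as defusedxml instead of the standard library.
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor" or sp is None:
        raise ValueError("not SAML 2.0 SP metadata")
    posts = [a for a in sp.findall("md:AssertionConsumerService", NS)
             if a.get("Binding") == HTTP_POST and a.get("Location")]
    if not posts:
        raise ValueError("no HTTP-POST AssertionConsumerService")
    # Prefer the endpoint marked isDefault, then the lowest index.
    acs = min(posts, key=lambda a: (a.get("isDefault") != "true",
                                    int(a.get("index", "0")))).get("Location")
    cert = sp.find("md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    der = base64.b64decode("".join((cert.text or "").split())) if cert is not None else b""
    return {"audience": root.get("entityID"),  # Okta Audience URI, OneLogin Audience
            "acs_url": acs,                    # Okta SSO URL, OneLogin ACS
            "recipient": acs,                  # same as the SSO URL
            "destination": acs,                # same as the SSO URL
            "cert_sha256": hashlib.sha256(der).hexdigest() if der else None}

if __name__ == "__main__":
    for field, value in idp_settings_from_sp_metadata(SAMPLE_METADATA).items():
        print(f"{field}: {value}")
```

Comparing the printed certificate fingerprint with the one shown in the IdP's application settings confirms that the certificate was copied without truncation.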