Attentive SSO Login: SAML Setup Instructions

Attentive supports single sign-on (SSO) functionality with a variety of enterprise identity provider (IdP) platforms using the SAML (Security Assertion Markup Language) protocol. Our SSO functionality lets users log in to the Attentive platform using their company login credentials (e.g., email@brand.com and password). When using Attentive SSO, they must follow any two-factor authentication flows that are enabled through your IdP. At this time, we don’t support IdP-initiated SAML flows. Users must log in on the Attentive login page, which then redirects them to the IdP.

This article explains the steps you need to complete to set up SSO between your company and Attentive.

Step 1. Configure an application for Attentive with your IdP

Configure the values in the following table for your SAML IdP. Ensure that you complete this IdP configuration prior to reaching out to Attentive to configure SSO for your brand.

Note: The CONNECTION_NAME field below can be any unique name. We recommend using the name of your company. The connection name should be all lowercase (e.g., attentive).

Entity ID
  https://ui-api.attentivemobile.com/identity/saml/metadata?connectionName={CONNECTION_NAME}

SAML metadata URL
  https://ui-api.attentivemobile.com/identity/saml/metadata?connectionName={CONNECTION_NAME}

Assertion Consumer Service (ACS) URL
  https://ui-api.attentivemobile.com/identity/login-with-sso/connections/{CONNECTION_NAME}/callback

SAML authentication request signature algorithm
  RSA-SHA256

SAML authentication request digest algorithm
  SHA256

SAML protocol binding
  HTTP-POST

Step 2. Provide your configuration details to Attentive

Once you’ve configured an application for Attentive with your IdP, you’ll need to gather your configuration information (SAML IdP metadata) and provide it to our White Glove team (whiteglove@attentivemobile.com) so we can configure it on our side. Please ensure you provide all of the required fields to expedite the configuration process.

Note: The easiest way to provide us this information is by sending us the IdP configuration XML or metadata URL containing the XML.

Our team will provide you a secure folder using box.com for the X.509 Signing Certificate to allow you to upload the PEM or CER file. If you prefer, you can also add your SAML IdP metadata in a document and upload it to the secure folder rather than sending it via email.

  1. Provide the following required fields, which are present in the metadata XML:

     X.509 signing certificate (public key)
       Retrieve an X.509 signing certificate from the SAML IdP in PEM or CER format. See your IdP’s documentation for how to retrieve this certificate. If the certificate is included in your metadata URL, we can convert it for you.

       Note: We can extract your connection configuration information from a SAML metadata URL if you prefer to provide that instead of a signing certificate.

     Sign-in URL
       The SAML single sign-on (login) URL.

     Entity ID
       It is common for this to be the same as the sign-in URL. We can extract this from your SAML metadata XML.

     SAML claim attribute containing the user’s email address
       Attentive uses the email address as the unique identifier for a user. By default, we read it from the NameID, as declared by the NameIDFormat. If the NameID is not the user’s email address, you must tell us the name of the SAML claim attribute that carries the email (e.g., emailaddress).
  2. Also provide the following values so we can complete your configuration:

     Email domain
       The domain used for your company email addresses. Attentive SSO associates your users with your SAML IdP by their email address. We currently support a single email domain per SSO connection (e.g., brand.com).

     CONNECTION_NAME
       The value of the CONNECTION_NAME you chose in Step 1 when configuring your IdP. These must match exactly.

     Authentication request signed (True or False)
       Indicates whether the IdP configuration expects the <samlp:AuthnRequest> messages sent by Attentive to be signed.

     Response messages signed (True or False)
       Indicates that the <samlp:Response>, <samlp:LogoutRequest> and <samlp:LogoutResponse> messages from your IdP to Attentive will be signed. Either response messages or response assertions must be signed.

     Response assertions signed (True or False)
       Indicates that the <saml:Assertion> elements from your IdP to Attentive will be signed. Either response assertions or response messages must be signed.

     Signature algorithm
       The algorithm the IdP will use to sign response data. Options:
         • None
         • RSA-SHA1
         • RSA-SHA256
         • RSA-SHA384
         • RSA-SHA512

     Digest algorithm
       The algorithm the IdP will use to hash response data. Options:
         • None
         • SHA1
         • SHA256
         • SHA384
         • SHA512
  3. (Optional) Provide the following additional fields to Attentive:

     Sign-out URL (optional)
       The SAML single logout URL. This can be a redirect to the sign-in page if you prefer.

     Test email address (optional)
       We can test the connection for you if you provide a test email address and password to access Attentive through your IdP. If you can’t add a test user, we’ll let you know when we’ve set up the connection and ask you to test the login.
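As an added example, not Attentive's code or part of this article, the following Python script pulls the fields requested in this step out of a SAML IdP metadata document (entity ID, HTTP-POST sign-in URL, sign-out URL, signing certificate wrapped as PEM, and whether the NameID is an email address) and checks a set of signing choices against the rules stated above (at least one of messages or assertions signed; None and SHA1 flagged as weak). The sample metadata, its entity ID, URLs and certificate are constructed placeholders, and the function names are the example's own.

```python
"""Added example (not Attentive's code): extract the Step 2 fields from SAML IdP
metadata and sanity-check the signing options. All sample values are constructed."""
import base64
import textwrap
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
SIGNATURE_ALGORITHMS = ("None", "RSA-SHA1", "RSA-SHA256", "RSA-SHA384", "RSA-SHA512")
DIGEST_ALGORITHMS = ("None", "SHA1", "SHA256", "SHA384", "SHA512")

# Constructed sample IdP metadata: hypothetical entity ID, URLs and a placeholder
# certificate body (valid base64, not a real certificate).
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.com/saml/metadata">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIBexampleCERTIFICATEbase64AA==</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/saml/slo"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/saml/sso-redirect"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def to_pem(cert_b64):
    """Wrap the base64 DER found in metadata as a PEM block (the .pem/.cer file content)."""
    body = "".join(cert_b64.split())          # metadata often line-wraps the base64
    base64.b64decode(body, validate=True)     # fail early on malformed certificate data
    lines = textwrap.wrap(body, 64)           # PEM convention: 64 characters per line
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def extract_idp_fields(metadata_xml):
    """Return the values Step 2 asks for, read from an IdP EntityDescriptor."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")

    # Step 1 configures the HTTP-POST binding, so pick that endpoint, not HTTP-Redirect.
    sso_url = None
    for svc in idp.findall("md:SingleSignOnService", NS):
        if svc.get("Binding") == HTTP_POST:
            sso_url = svc.get("Location")
    if sso_url is None:
        raise ValueError("no SingleSignOnService with HTTP-POST binding")

    # A KeyDescriptor without 'use' covers both signing and encryption.
    cert_b64 = None
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):
            node = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            if node is not None and node.text:
                cert_b64 = node.text
                break
    if cert_b64 is None:
        raise ValueError("no signing X509Certificate in metadata")

    slo = idp.find("md:SingleLogoutService", NS)
    nameid_formats = [n.text.strip() for n in idp.findall("md:NameIDFormat", NS) if n.text]
    return {
        "entity_id": root.get("entityID"),
        "sign_in_url": sso_url,
        "sign_out_url": slo.get("Location") if slo is not None else None,
        "signing_certificate_pem": to_pem(cert_b64),
        # If False, a claim attribute carrying the email address must be named instead.
        "nameid_is_email": EMAIL_NAMEID in nameid_formats,
        "wants_authn_requests_signed": idp.get("WantAuthnRequestsSigned", "false").lower() == "true",
    }


def check_signing_options(response_messages_signed, response_assertions_signed,
                          signature_algorithm, digest_algorithm):
    """Return a list of problems with the chosen signing options (empty means acceptable)."""
    problems = []
    if not (response_messages_signed or response_assertions_signed):
        problems.append("either response messages or response assertions must be signed")
    if signature_algorithm not in SIGNATURE_ALGORITHMS:
        problems.append(f"unknown signature algorithm {signature_algorithm!r}")
    elif signature_algorithm in ("None", "RSA-SHA1"):
        problems.append(f"signature algorithm {signature_algorithm} is weak; prefer RSA-SHA256 or stronger")
    if digest_algorithm not in DIGEST_ALGORITHMS:
        problems.append(f"unknown digest algorithm {digest_algorithm!r}")
    elif digest_algorithm in ("None", "SHA1"):
        problems.append(f"digest algorithm {digest_algorithm} is weak; prefer SHA256 or stronger")
    return problems


if __name__ == "__main__":
    for key, value in extract_idp_fields(SAMPLE_METADATA).items():
        print(f"{key}: {value}")
    print(check_signing_options(True, False, "RSA-SHA256", "SHA256"))
```

Run it against your own IdP's metadata XML to see which Step 2 values it already contains and which (email domain, CONNECTION_NAME, the signing flags) you still have to supply by hand; the weak-algorithm checks only advise, they do not change what the IdP will do.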

Step 3. Attentive establishes connection with your IdP

In this step, the Attentive team establishes the connection with your IdP using the information you provided in Step 2.

Step 4. Configure Attentive public certificate with your IdP

If you chose to have “Authentication Requests Signed” from Attentive in Step 2, you’ll need to configure Attentive’s public key certificate with your IdP. (If not, skip to Step 5.)

We’ll provide you with the SAML SP metadata URL containing this certificate.

Step 5. Test the connection

In this step, a member of your team will test the SSO connection between Attentive and your IdP. If you already have users using the Attentive platform, we’ll share a test page URL, domain, and email address for them to use in testing. They should complete the following steps:

  1. Navigate to the test page URL provided by our team.
  2. Sign in to Attentive using the test domain and test email address provided to you by our team (e.g., email@test-domain.com).
     Attentive redirects to your IdP without signing out your current users.
  3. Confirm that you can sign in to your IdP with your normal domain and credentials.

Step 6. Go live

Once you’ve tested the sign-in process and ensured everything is working correctly, Attentive will make SSO live for users signing in with your real domain.