Setting Up Single Sign-On with SAML Authentication

Security Assertion Markup Language (SAML) is an XML-based standard for exchanging authentication data between different security domains.
With SAML authentication enabled, users can log in to cybozu.com through single sign-on (SSO) with the user accounts registered in your corporate identity provider (IdP).
cybozu.com supports SAML 2.0 and acts as a service provider (SP).

This section describes the flow of SSO with SAML authentication and how to configure cybozu.com.

Flow of SSO with SAML Authentication

With SAML authentication enabled, cybozu.com uses SP-initiated SSO. The following bindings are used for the SAML request and SAML response:

  • SAML request: HTTP Redirect Binding
  • SAML response: HTTP POST Binding

The following steps illustrate how cybozu.com authenticates a user:

[Figure: flow of SSO using SAML authentication]
  1. The user accesses cybozu.com.
  2. cybozu.com generates a SAML request.
  3. The user receives the SAML request from the SP.
  4. The IdP authenticates the user.
  5. The IdP generates a SAML response.
  6. The user receives the SAML response from the IdP.
  7. cybozu.com receives and verifies the SAML response.
  8. If the SAML response is valid, the user is logged in to cybozu.com.

Connecting cybozu.com with the Identity Provider Through SAML Authentication

To connect cybozu.com with the IdP through SAML authentication, you must configure both the IdP and cybozu.com appropriately.

Registering cybozu.com with the IdP

Register the following information with the IdP so that cybozu.com can act as an SP:

  • Endpoint URL of cybozu.com
    https://(subdomain_name).cybozu.com/saml/acs

  • Entity ID
    https://(subdomain_name).cybozu.com
    Do not add a trailing slash (/) to the URL.

  • Element to identify a user
    NameID

  • To register cybozu.com as an SP, you can also use a metadata file.
    • How to get a metadata file
      Go to the "Login Security" screen of "Users & System Administration", select the "Enable SAML authentication" check box, and then click "Download Service Provider Metadata".

Configuring SAML authentication in cybozu.com

On cybozu.com, enable SAML authentication and set the information of the IdP.

  1. On the "Users & System Administration" page, click "Login" under "Security".
  2. Select "Enable SAML authentication".
  3. Fill in the fields as needed.
    • SSO endpoint URL of the Identity Provider (HTTP-Redirect)
      Specify the destination of SAML requests.
    • URL redirected to, after logout from cybozu.com
      Specify the URL of a page from the IdP that appears after users log out from cybozu.com.
    • Public key certificate used by the Identity Provider when signing
      Attach a public key certificate generated with either the RSA or DSA algorithm. Only an X.509 certificate is acceptable.
  4. Click "Save".
  5. Confirm the login names of users who will log in through SAML authentication.
    Ensure that the login names of cybozu.com users match the NameID values sent by the IdP.
  6. Confirm that you can log in to cybozu.com as a user through SAML authentication.
    Your configuration is complete if you can perform the following actions successfully:
    • When you access cybozu.com, you are authenticated by the IdP and directed to a page that appears for logged-in users.
    • After you have logged in, you can log out successfully by clicking the user name at the upper right and then "Logout".
      If you are on a kintone page, click the icon at the upper right and then click "Logout".
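The following added example (not cybozu.com's own code) shows the two bindings from the flow above and the SP-side checks that the configuration steps rely on: the Redirect binding encoding of the SAML request, and a POST-binding response checked against the ACS URL, the Entity ID (exact match, so a trailing slash fails) and the NameID-to-login-name mapping. The subdomain "example", the IdP URL and the sample response are constructed; signature verification with the IdP's X.509 certificate is required in a real SP and is deliberately left out.

```python
import base64
import urllib.parse
import zlib
import xml.etree.ElementTree as ET

# Constructed values for this example; replace "example" with your own subdomain.
SP_ENTITY_ID = "https://example.cybozu.com"           # Entity ID: no trailing slash
SP_ACS_URL = "https://example.cybozu.com/saml/acs"    # endpoint URL (ACS)
IDP_SSO_URL = "https://idp.example.org/sso"           # hypothetical IdP SSO endpoint
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def build_redirect_url(authn_request_xml: str) -> str:
    """SP side, HTTP-Redirect binding: raw DEFLATE, base64, URL-encode as SAMLRequest."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw deflate, no zlib header
    deflated = comp.compress(authn_request_xml.encode()) + comp.flush()
    query = urllib.parse.urlencode({"SAMLRequest": base64.b64encode(deflated).decode()})
    return f"{IDP_SSO_URL}?{query}"

def decode_redirect_url(url: str) -> str:
    """IdP side: reverse the Redirect binding to recover the AuthnRequest XML."""
    params = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    return zlib.decompress(base64.b64decode(params["SAMLRequest"][0]), -15).decode()

def check_post_response(saml_response_b64: str, login_names: set) -> dict:
    """SP side, HTTP-POST binding: SAMLResponse is base64 XML. Checks destination,
    status, audience and NameID; signature verification is NOT performed here."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    aud = root.find(".//saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    nid = root.find(".//saml:Subject/saml:NameID", NS)
    r = {
        "destination_ok": root.get("Destination") == SP_ACS_URL,
        "status_ok": code is not None and code.get("Value", "").endswith(":Success"),
        "audience_ok": aud is not None and aud.text == SP_ENTITY_ID,  # exact match
        "name_id": nid.text if nid is not None else None,
    }
    r["user_known"] = r["name_id"] in login_names          # NameID must be a login name
    r["ok"] = r["destination_ok"] and r["status_ok"] and r["audience_ok"] and r["user_known"]
    return r

def make_sample_response(name_id: str, audience: str = SP_ENTITY_ID) -> str:
    """Constructed, unsigned SAMLResponse (base64) used to exercise check_post_response."""
    xml = (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
           f'ID="_r1" Version="2.0" Destination="{SP_ACS_URL}">'
           '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>'
           f'</samlp:Status><saml:Assertion ID="_a1" Version="2.0"><saml:Subject>'
           f'<saml:NameID>{name_id}</saml:NameID></saml:Subject><saml:Conditions>'
           f'<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>'
           '</saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()
```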