
SAML


Configure

  1. Identity Provider: A platform that provides identity management services, used to manage user identities and authentication information. Define the name here.
  2. Metadata Document: An XML document provided by the IdP.
  3. Remarks: Custom-added description information used to record relevant notes about the identity provider.
  4. Access Restrictions: Checks whether the domain suffix of the login email matches the configured domain. Only matching emails are permitted to access the SSO login link. A Guance member account is created dynamically on a user's first login, so the user does not need to be pre-created in the workspace.
  5. Role Authorization: Assign roles to SSO accounts upon their first login; accounts that are not logging in for the first time are not affected.

    • If SAML mapping is enabled in the workspace, the mapping rules take priority when assigning roles.
  6. Session Persistence: Set the inactivity persistence time and maximum persistence time for the SSO login session.

For information on role permissions, refer to Role Management.

Obtain Entity ID and Assertion URL

After the identity provider is successfully added, click the Update button on the right to obtain the Entity ID and Assertion URL. Complete the corresponding SAML configuration according to the identity provider's requirements.

| Field | Description |
| --- | --- |
| Login URL | The Guance SSO login URL generated based on the metadata document. Each login URL is limited to accessing one workspace. |
| Metadata | The Guance SSO metadata file generated based on the metadata document. |
| Entity ID | The entity ID for Guance SSO login, generated based on the metadata document. Used to identify the service provider (SP), such as Guance, in the identity provider (IdP). |
| Assertion URL | The assertion target URL for Guance SSO login, generated based on the metadata document. Used by the identity provider (IdP) to call and complete single sign-on. |

Session Persistence

When configuring SSO, you can set a unified login persistence time for enterprise members logging in via SSO. It consists of the "Inactivity Login Session Persistence Time" and the "Maximum Login Session Persistence Time".

  • Inactivity Login Session Persistence Time: Supports a configurable range of 180 to 1440 minutes. The default value is 180 minutes.
  • Maximum Login Session Persistence Time: Supports a configurable range of 0 to 7 days, where 0 means never timeout. The default value is 7 days.

Example

After updating the SSO login persistence time:

  • For already logged-in members: Their login session expiration time remains unchanged.
  • For newly logged-in members: The latest login persistence time settings take effect.

For example:

  • When initially configuring SSO, the inactivity session expiration time was set to 30 minutes. Member A logged in at this time, so their inactivity session expiration time is 30 minutes.
  • The administrator subsequently updates the inactivity session expiration time to 60 minutes. Member A's inactivity session expiration time remains 30 minutes, while Member B, who logs in after this change, will have an inactivity session expiration time of 60 minutes, and so on.
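
The behaviour described above can be modelled as follows. This is an added example, not Guance's own code: it assumes each session keeps a snapshot of the policy in force at login, and the names `SessionPolicy`, `Session`, `login` and `demo` are hypothetical. It uses constructed values inside the documented ranges.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class SessionPolicy:
    idle_minutes: int = 180  # documented default; allowed range 180 to 1440
    max_days: int = 7        # documented default; 0 means never time out

    def __post_init__(self):
        if not 180 <= self.idle_minutes <= 1440:
            raise ValueError("inactivity time must be 180 to 1440 minutes")
        if not 0 <= self.max_days <= 7:
            raise ValueError("maximum time must be 0 to 7 days")


@dataclass
class Session:
    member: str
    policy: SessionPolicy  # snapshot taken at login; later updates do not reach it
    login_at: datetime
    last_seen: datetime

    def expires_at(self) -> datetime:
        idle_deadline = self.last_seen + timedelta(minutes=self.policy.idle_minutes)
        if self.policy.max_days == 0:  # no absolute cap, only inactivity applies
            return idle_deadline
        return min(idle_deadline, self.login_at + timedelta(days=self.policy.max_days))

    def is_active(self, now: datetime) -> bool:
        return now < self.expires_at()

    def touch(self, now: datetime) -> bool:
        if not self.is_active(now):  # an expired session cannot be revived
            return False
        self.last_seen = now
        return True


def login(member: str, current_policy: SessionPolicy, now: datetime) -> Session:
    return Session(member, current_policy, now, now)


def demo():
    t0 = datetime(2024, 1, 1, 9, 0)  # constructed timestamp
    a = login("member-a", SessionPolicy(idle_minutes=180), t0)
    b = login("member-b", SessionPolicy(idle_minutes=360), t0)  # after admin update
    check = t0 + timedelta(minutes=200)
    return a.is_active(check), b.is_active(check)
```

Because existing sessions keep their original values, shortening the persistence time only takes effect for a member once they log in again.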
