SAML 2.0

SEI supports Single sign-on (SSO) integration using the SAML 2.0 protocol. This enables secure, unified authentication with enterprise identity providers and allows users to seamlessly access SEI across your organization.

For details on SAML token claims and advanced configuration, see Customize SAML token claims.

important

For security and compliance reasons:

  • Avoid multitenant configurations – use single‑tenant to reduce cross‑tenant access risks.
  • Avoid using email as the user identifier – emails can change and may not be unique. Prefer claims such as oid or sub.

| SSO method | Description |
|---|---|
| Azure | Configure secure SAML SSO between Azure Active Directory and SEI, enabling users to log in with their Microsoft credentials. |
| Okta | Set up SAML SSO integration with Okta for both SEI and the Excel Add-in. Create a separate Okta application for each. |
| OneLogin | Implement SAML SSO using OneLogin for centralized user access to SEI and the Excel Add-in. Create a separate application for each component. |

Azure single sign-on

Configure the Azure domain

  1. Log in to the Microsoft Azure portal.
  2. In Azure services, select Enterprise applications. Click More services if you don't see it.
  3. Click New application, then Create your own application.
  4. Enter a name for your application and click Create.
  5. Under Getting Started, click Set up single sign on.
  6. Select SAML as the SSO method.
  7. Complete the Basic SAML Configuration and User Attributes & Claims sections.

Basic SAML Configuration

  1. In the Single sign-on tab, click the pencil icon next to Basic SAML Configuration.
  2. In the Identifier (Entity ID) field, copy the Entity ID URL value from SEI.
    Example: For server address biwebserver.mycompany.com:444, use the unique identifier from your server or certificate.
  3. In Reply URL (Assertion Consumer Service URL), copy the ACS (SAML2) URL from SEI for both the application and the Excel Add-in.
  4. In Sign on URL, enter the direct login URL for your web application (for example, https://yourserver:81).
  5. Click Save to apply changes.
  6. Go to the Users and groups tab.
  7. Click Add user/group to assign users and groups for SSO access.

User attributes & claims

  1. In the Single sign-on tab, click the pencil icon next to User Attributes & Claims. The Manage Claim page appears.
  2. Click Add new claim.
  3. For Name, enter mailnickname.
  4. In Source, select Attribute.
  5. For Source Attribute, enter user.mailnickname.
  6. Click Save to finish.

Download the certificate

  1. In the Single sign-on tab, scroll to SAML Certificates.
  2. Click Download next to Certificate (Base64).
  3. Log in to SEI and complete the configuration by adding Azure as a provider in Authentication.

tip

For a full configuration example, see Microsoft Azure Configuration Example.

Okta single sign-on

important

If you see the error "Unable to find the user identifier in the claims", manually set claims under the Attribute Statements section in Okta. This error usually means the required user attribute was not included in the SAML response.
Configure claims to match the user identifier defined on the Authentication page.

Create SAML applications

Create two applications—one for SEI and one for the Excel Add-in.

  1. Sign up for a developer account on Okta.
  2. In the Okta dashboard, click Applications in the main menu.
  3. Click Create App Integration.
  4. Choose SAML 2.0 as the sign-on method and click Next.

Configure app details

Repeat the following for each app:

  1. In App name, enter a name, such as SAML 2 Web Server or SAML 2 Excel Add-in.
  2. Click Next.
  3. In Single Sign on URL, copy the ACS (SAML2) URL from SEI.
  4. In Audience URI (SP Entity ID), copy the Entity ID URL from SEI.
  5. Click Next, then Finish.

Assign users and retrieve identity provider details

  1. Under the Assignments tab, click Assign to add users who should have SSO access.
  2. Download the Okta certificate for this application.
  3. Go to the Sign On tab and select View Setup Instructions.
  4. Note the Single Sign-On URL and Identity Provider Issuer (Entity ID)—you’ll need these for the SEI SSO configuration.
  5. Log in to SEI and complete the configuration by adding Okta as a provider in Authentication.

tip

For a full configuration example, see Okta Configuration Example.

OneLogin single sign-on

To integrate SEI with OneLogin using SAML 2.0, create two applications—one for SEI and one for the Excel Add-in.

Create SAML applications

Repeat these steps for each application:

  1. Log in to your OneLogin domain.
  2. Click Applications on the menu, then choose Add App.
  3. Search for and select SAML Custom Connector (Advanced).
  4. Enter an application name:
    • Use SAML 2 Web Server for SEI.
    • Use SAML 2 Excel Add-in for the Excel Add-in.
  5. In the Configuration tab, set the following:
    • Audience (Entity ID): Enter the Entity ID from SEI.
    • ACS (Consumer) URL Validator: Enter the validator value for your ACS/Consumer URL.
    • ACS (Consumer) URL: Enter the ACS (SAML2) URL from SEI.
  6. Go to the SSO tab and make sure SAML Signature Algorithm is set to SHA-256.
  7. Copy the Issuer URL, SAML 2.0 Endpoint (HTTP), and SLO Endpoint (HTTP) for use in SEI SSO configuration.
  8. Click Save.
  9. Log in to SEI and complete the configuration by adding OneLogin as a provider in Authentication.

tip

For a full configuration example, see OneLogin Configuration Example.
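
A pre-flight check for the Okta "Unable to find the user identifier in the claims" note and the OneLogin SHA-256 step above, added here as an example and not SEI code: it inspects a SAML response captured from your own test login and reports a missing identifier claim, a non-SHA-256 signature algorithm, and Entity ID or ACS URL mismatches. The sample response, the host names and the `check_response` function are constructed for illustration, and the script does not verify the signature itself.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample response (hypothetical host and values), trimmed to the fields checked.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  Destination="https://sei.example.test/acs">
 <saml:Assertion>
  <ds:Signature><ds:SignedInfo>
   <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
  </ds:SignedInfo></ds:Signature>
  <saml:Conditions><saml:AudienceRestriction>
   <saml:Audience>https://sei.example.test/entity</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
   <saml:Attribute Name="email"><saml:AttributeValue>a@example.test</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""

def check_response(xml_text, entity_id, acs_url, id_claim):
    """Return configuration findings for a captured response; [] means all checks passed."""
    # Diagnostic only: run it on responses from your own test login, not on untrusted XML.
    root = ET.fromstring(xml_text)
    findings = []
    if root.get("Destination") != acs_url:
        findings.append("Destination does not match the ACS (SAML2) URL")
    audiences = [a.text.strip() for a in root.iterfind(".//saml:Audience", NS) if a.text]
    if entity_id not in audiences:
        findings.append("Audience does not match the Entity ID")
    algs = [(m.get("Algorithm") or "") for m in root.iterfind(".//ds:SignatureMethod", NS)]
    if not algs:
        findings.append("response carries no signature")
    elif not all(a.lower().endswith("sha256") for a in algs):
        findings.append("signature algorithm is not SHA-256")
    # Only attributes that carry a non-empty value count as usable claims.
    claims = {a.get("Name", "") for a in root.iterfind(".//saml:Attribute", NS)
              if any((v.text or "").strip() for v in a.iterfind("saml:AttributeValue", NS))}
    if id_claim not in claims:
        findings.append(f"user identifier claim '{id_claim}' missing; got {sorted(claims)}")
    return findings

if __name__ == "__main__":
    for finding in check_response(SAMPLE, "https://sei.example.test/entity",
                                  "https://sei.example.test/acs", "mailnickname"):
        print(finding)
```
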