Hi @Harvey Mercado , The API is not meant to be used for Single Sign-On; rather it's more of a tool for pushing and pulling data to/from Crowdstack programmatically. Crowdstack uses SAML 2.0 for SSO, so in order to hook up your Crowdstack via SSO, you will need to implement a SAML Identity Provider on your registration and login system. In SSO mode, Crowdstack will act as a SAML Service Provider. SAML 2.0 is an open standard with tons of information widely available. You can learn more about...

Hi @Harvey Mercado , You can set up your SSO configuration so that users of your system will be automatically registered in Crowdstack without any further registration steps. To do that, you need to make sure that your SAML Assertion provides all of the profile fields for Crowdstack, which includes, at a minimum, Email Address and Display Name. Once you have everything set up, then anyone who visits Crowdstack will need to sign in or register on your external system in order to get signed in...

Hi @Harvey Mercado , What Destination URL are you referring to? Are you referring to the SAML Assertion? If so, Crowdstack doesn't use Destination URL. Note that the Assertion Consumer Service URL is defined in your Crowdstack SAML metadata, which is found at the /saml/metadata path in Crowdstack. I don't know which Crowdstack you're affiliated with or I would provide the direct URL to you. Crowdstack doesn't put any requirements on the Issuer or Audience. You will need to make sure the...

Thanks Brian. This is the crowdstack account where we would like to setup the SSO: Home | Manchester Unity (crowdstack.io) I was checking it out and wondering where I could get the Crowdstack SAML metadata and find the ACS Url as mentioned in your last reply. Can you please help where I could find this file and url? Also, where can I see the Request ID that is to be returned? Is this the ID in the SAML Response like the one highlighted below? < samlp: Response xmlns: samlp = "...

Hi @Harvey Mercado , You can find the Crowdstack SP SAML metadata here: https://manchesterunity.crowdstack.io/saml/metadata Since Crowdstack will be performing the AuthnRequest s, Crowdstack will define the Request ID. You just have to make sure you match your Assertion response to the Request ID it corresponds to. Hope this helps! Brian

Hi @Harvey Mercado , I'm not familiar with WSO2 or how it might interoperate (or not) with OpenSAML, so I don't think I can advise you on that. The basic flow is that Crowdstack will send an AuthnRequest POST to your IdP, and your IdP will need to handle the user's login (if necessary) and send a SAML Assertion POST back to Crowdstack. In order for this to work, of course, you'll need your SAML IdP to be hosted somewhere on the Internet over HTTPS. localhost won't be a viable option, of...

Hi @Harvey Mercado , You won't be able to do an IdP-initiated login request, which is what you're asking for. I wouldn't worry about this auto-sign in scenario just yet. I'd focus first on the basics of getting the SAML IdP AuthnRequest processing and Assertion response working. Get that set up and working. Then , you can start looking at how to handle automatic logins. When you get there, you'll have a couple of options: Probably the best option is to enable "Auto Sign-In Mode" in...

Hi @Brian Lenz , First of all, I'd like to thank you for all your help. Much appreciated. I uploaded a metadata xml to crowdstack and clicked on Submit to update the settings I have entered. However, I can longer access crowdstack's metadata using the following url: https://manchesterunity.crowdstack.io/saml/metadata Can anybody help me check on this? Thanks and best regards, Harvey

Hi @Harvey Mercado , It looks like your SAML IdP doesn't support signing? You'll need to enable that in order to ensure the integrity and authenticity of requests from your IdP. Once you've enabled signing, your SAML metadata should include the signing certificate. Once you have the new SAML IdP metadata XML with the signing certificate included, then go back into your control panel: https://manchesterunity.crowdstack.io/cp/sso-settings And click the link to Re-import SAML IdP Metadata XML .

Hi @Harvey Mercado , Can you upload the SAML metadata XML here so I can take a look at it? It looks like Crowdstack isn't able to extract the signing certificate for some reason, so if I can take a look, I should be able to assist further. Thanks, Brian

Hi @Brian Lenz , Please see attached xml metadata that was also uploaded in crowdstack for this account. Best Regards, Harvey

Hi @Harvey Mercado , Sorry for the delay in getting back to you. Happy New Year My guess is that the formatting of your X509Certificate elements is the problem. It looks like you have them formatted with spaces between the lines, but those should actually be newlines . Aside from the newlines, there should not be any other whitespace in the elements (no leading whitespace and no trailing whitespace, either). That's my best guess as to what is throwing things off. Try fixing that and see if...

Thanks and Happy New Year @Brian Lenz . I did try and update the metadata according to your instructions, however, the issue still exists. I reset the settings then I realized that the issue only exists if I tick the checkbox for enabling the SSO as shown in the screenshot below: Not sure how to proceed with this. Do you know how do I address this? Please let me know. I also need to upload crowdstack's metadata xml from ( https://manchesterunity.crowdstack.io/saml/metadata ) to ssocircle as...

Hi @Harvey Mercado , OK, I've fully diagnosed what's going on here now. It turns out the spaces / formatting of the certificate is not the issue. Your IDPSSODescriptor has WantAuthnRequestsSigned="false" , which is causing Crowdstack to ignore the signing certificate. Then, there is a bug in Crowdstack that is preventing its SAML SP from working properly due to the signing certificate being unspecified, which is the root cause of the errors you're experiencing. We are working on a fix for...

Hi @Harvey Mercado , The bug fix has been deployed, and the Crowdstack SAML SP metadata XML is now working without issue: https://manchesterunity.crowdstack.io/saml/metadata Regards, Brian

@Brian Lenz Thanks so much for all your help. But what if I want to change the IDP I set up earlier. I can no longer access the Settings page for me to upload another metadata xml. I set up single sign on earlier however, I got an error after logging to the idp, please see screenshot below: So I'm exploring other options and I have another metadata xml that I would like to upload but I couldn't get to the page because of the error above. Appreciate all your patience and help in all these.

Hi @Harvey Mercado , There's a "backdoor" login form that you can use to sign in as an administrator to your Crowdstack: https://manchesterunity.crowds...n?showLoginForm=true You should be able to sign in there with your original Crowdstack email address and password, which should allow you in to the control panel to make further changes to your SSO integration. Hope that helps! Brian

Thanks @Brian Lenz . One more thing, I am trying to upload a new metadata however, I'm getting the error below saying its invalid but cut short of telling me what exactly is invalid with this file and how to address it. I have attached the new metadata file here, in case you have the chance to check it out. Thanks again.

Hi @Harvey Mercado , The issue is that you have duplicate signing keys specified in the XML. You'll need to remove one of them, as it's not valid to have multiple signing keys. Hope this helps! Brian