ReturnSafe can be integrated with most cloud authentication providers enabling employees to log in with their company credentials. This article gives an overview of capabilities and describes the general process for SSO setup.
ReturnSafe has authentication connectors for most modern-day cloud identity providers which many of our customers use to facilitate thousands of secure employee check-ins daily.
These services are built on top of protocols such as SAML, OIDC and OAuth, which let us connect to and authenticate against popular systems such as Azure Active Directory, Okta, Ping Identity and OneLogin.
We recommend using SAML (Security Assertion Markup Language), if available, as the standard of choice to exchange authentication and authorization data between your corporate system (the identity provider) and ReturnSafe (the service provider). We support both SAML 1.1 and SAML 2.0.
Our connectors also offer the ability to retrieve user attributes through claims. These are used for our contact tracing & logbook features and are also displayed on reports in the Command Center.
SSO Setup Process
For customers licensed for integration, our customer onboarding process includes steps for the auth setup. If you would like to integrate with SSO, but do not have a license type that supports it, please contact your ReturnSafe Account Executive or email@example.com.
The ReturnSafe team will review requirements for SSO including optional user attributes and document them.
Steps to set up Single Sign-On with ReturnSafe using SAML
- Create a new SAML app on the Identity Provider (IDP).
- Use the following URLs for the Entity ID and Assertion Consumer Service URL (ACS) in the SAML app configuration. Alternatively, your team can use the Metadata XML file; to obtain it, contact firstname.lastname@example.org.
- Some attributes are required in the SAML claims. Claim names are case-sensitive, so they must match the list below exactly. Other attributes are optional.
- The ReturnSafe SSO connector relies on the Name ID value to create users. To avoid duplicate accounts, we strongly recommend that you set the value of this claim to a unique identifier in the SAML app configuration.
- email (required), firstName (required), lastName (required), department (optional), office (optional), location (optional), phone (optional), managerEmail (optional)
- If the phone attribute (optional) is not provided through SSO, "SMS" notifications from Case Manager are not possible unless the phone number comes through your People import.
- To add more attributes that are not part of the list above, please add them to the SAML claims and share the name with ReturnSafe.
- Once the app is created and attributes are configured please share the metadata URL or file with ReturnSafe along with the names of any additional Claim attributes.
- ReturnSafe will set up the service using the information shared and notify the customer on completion.
- One or more users will be required to test the application. These should be added to the SAML app on the Identity Provider system.
- Please use https://desktop.returnsafe.com/code/ to test the app. The company code is your workspace code, which will be defined during your initial onboarding.
- Note: We do not currently support the IDP-initiated SAML log-in flow for security reasons. If this is a requirement, a possible workaround is to create a bookmark application in the IDP (if supported) that points at the app URL shared above, and to hide the SAML app.
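As an added illustration of the checks described above (this is example code, not ReturnSafe's connector), the Python snippet below inspects a SAML 2.0 Response and reports the three things the steps call for: that the response answers a request the service provider itself issued (the SP-initiated requirement), that a Name ID is present to key the user on, and that every required claim appears under its exact, case-sensitive name. The sample response and the request id `_req42` are constructed for the example.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Claim names from the article; the connector matches them case-sensitively.
REQUIRED = ("email", "firstName", "lastName")

def check_response(xml_text, expected_request_id):
    """Return a list of problems found in a SAML 2.0 Response (empty = OK):
    response not tied to our own AuthnRequest, missing Name ID, or a
    required claim missing / present only under a differently-cased name."""
    problems = []
    root = ET.fromstring(xml_text)
    # An unsolicited (IdP-initiated) response does not echo our request id.
    if root.get("InResponseTo") != expected_request_id:
        problems.append("response does not match our request (IdP-initiated?)")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no Assertion in response"]
    if not assertion.findtext("saml:Subject/saml:NameID", "", NS).strip():
        problems.append("missing Name ID (needed to create the user)")
    attrs = {}
    for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        value = a.findtext("saml:AttributeValue", "", NS)
        attrs[a.get("Name")] = (value or "").strip()
    for name in REQUIRED:
        if attrs.get(name):
            continue
        near = [n for n in attrs if n.lower() == name.lower()]
        msg = f"missing required claim '{name}'"
        if near:
            msg += f" (got '{near[0]}'; claim names are case-sensitive)"
        problems.append(msg)
    return problems

# Constructed sample: answers request _req42 but sends 'FirstName' (wrong case).
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" InResponseTo="_req42">
  <saml:Assertion ID="_a1">
    <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="FirstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
```

Running `check_response(SAMPLE, "_req42")` flags only the mis-cased `FirstName` claim; passing a different request id additionally flags the response as not matching our request. Signature validation and audience/time checks are deliberately left to the SAML library and are not shown here.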