Okta

How to Configure SAML 2.0 for Shufflrr



Supported Features

The Okta/Shufflrr SAML integration currently supports the following features:

For more information on the listed features, visit the Okta Glossary.


Configuration Steps

  1. Log in to your Shufflrr account as an administrator.

  2. Go to Admin > Settings, then under Authentication click + Add adjacent to SAML Sign-On.

  3. Enter the following:

    1. Profile Name: Enter a name.

    2. Save the Subdomain value from the Service Provider ID field.

      For example, if your Service Provider ID is https://AcMe.shufflrr.com, your Subdomain value is AcMe.

      Note: You’ll need to enter this value in the Subdomain field under the General application tab in Okta. The Subdomain value is case-sensitive. Make sure you copy the exact value.

    3. [Optional SLO]: Service Provider Certificate: Click Download to download and save the certificate.

    4. Identity Provider Certificate: Download, then Upload the following:

      Sign into the Okta Admin Dashboard to generate this variable.

    5. Identity Provider Issuer ID: Copy and paste the following:

      Sign into the Okta Admin Dashboard to generate this variable.

    6. Single Sign-on Service URL: Copy and paste the following:

      Sign into the Okta Admin Dashboard to generate this variable.

    7. Enforce SAML Groups, Sign Authentication Request, SAML Response Signed, SAML Assertion Signed: Switch to ON.

    8. SAML Assertion Encrypted: Switch to OFF.

    9. Service Provider ACS URL: Make a note of the last part of the URL. It’s your Connection ID value.

      For example, if your Service Provider ACS URL is https://acme.shufflrr.com/login/samlassertionconsumerservice?id=12345678-abcd, your Connection ID is 12345678-abcd.


  4. [Optional SLO]: In the Single Logout section do the following:

    1. Enable Single Logout: Switch to ON.

    2. Single Logout URL and Single Logout Response URL: Copy and paste the following:

      Sign into the Okta Admin Dashboard to generate this variable.

    3. Logout Request Signed, Logout Response Signed, Sign Logout Request, Sign Logout Response: Switch to ON.


  5. Scroll down to the bottom of the page and click Save.

  6. In Okta, select the Sign On tab for the Shufflrr app, then click Edit.

    1. To pass Okta groups as part of the SAML response:

      • Select your preferred group filter from the roles drop-down list for the attribute. In our example, we used the Regex rule with the value .* in order to send all Okta groups to the Shufflrr instance.

    2. [Optional SLO]: Check Enable Single Logout.

    3. Select and Upload the Service Provider Certificate (step 3, sub-step 3).

    4. Scroll down to Advanced Sign-on Settings.

    5. Enter the Connection ID (step 3, sub-step 9) into the corresponding field.

    6. Click Save.

  7. Done!
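The Subdomain and Connection ID values from step 3 are easy to mistype when copied by hand. The following is an added example, not part of the Okta or Shufflrr documentation, that extracts both values from the URLs while preserving case. It assumes the Connection ID is the `id` query parameter, as in the page's example, and that both URLs name the same tenant host; the function names are hypothetical.

```python
from urllib.parse import urlsplit, parse_qs

SHUFFLRR_SUFFIX = ".shufflrr.com"  # domain taken from the page's example URLs


def subdomain_from_sp_id(sp_id: str) -> str:
    """Return the Subdomain exactly as it appears in the Service Provider ID."""
    parts = urlsplit(sp_id.strip())
    if parts.scheme != "https":
        raise ValueError("Service Provider ID must be an https URL")
    # Read netloc, not .hostname: .hostname lowercases the host, and the
    # Subdomain field in Okta is case-sensitive.
    host = parts.netloc.rsplit("@", 1)[-1].split(":", 1)[0]
    if not host.lower().endswith(SHUFFLRR_SUFFIX):
        raise ValueError(f"unexpected host: {host!r}")
    sub = host[: -len(SHUFFLRR_SUFFIX)]
    if not sub or "." in sub:
        raise ValueError(f"no single-label subdomain in {host!r}")
    return sub


def connection_id_from_acs(acs_url: str) -> str:
    """Return the Connection ID (assumed to be the id= query parameter)."""
    parts = urlsplit(acs_url.strip())
    if parts.scheme != "https":
        raise ValueError("Service Provider ACS URL must be an https URL")
    ids = parse_qs(parts.query).get("id", [])
    if len(ids) != 1:
        raise ValueError("expected exactly one non-empty id= parameter")
    return ids[0]


def okta_values(sp_id: str, acs_url: str) -> tuple[str, str]:
    """Return (Subdomain, Connection ID); reject URLs from different tenants."""
    sub = subdomain_from_sp_id(sp_id)
    acs_host = urlsplit(acs_url.strip()).hostname or ""
    # Assumption: both URLs share one host (compared case-insensitively).
    if acs_host != (sub + SHUFFLRR_SUFFIX).lower():
        raise ValueError(f"ACS host {acs_host!r} does not match Service Provider ID")
    return sub, connection_id_from_acs(acs_url)


if __name__ == "__main__":
    # Constructed inputs, copied from the examples in step 3.
    print(okta_values(
        "https://AcMe.shufflrr.com",
        "https://acme.shufflrr.com/login/samlassertionconsumerservice?id=12345678-abcd",
    ))
```
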


Notes


SP-initiated SSO

Go to https://[your-shufflrr-subdomain].shufflrr.com and click Single Sign-On.