Single Sign On

This is the official documentation of Forest Admin Cloud.

Forest Admin supports the SAML 2.0 specifications, enabling seamless integration with various Identity Providers (IdPs). Tested and documented platforms include Okta, OneLogin, Google, and Azure Active Directory IdPs.

Before configuring Single Sign-On (SSO), make sure you are working in an organization rather than in a personal space. In the organization settings, open the Security tab to reach the SSO configuration. The first step is to declare Forest Admin in your Identity Provider, using the information shown in the grey panel to register Forest Admin as a Service Provider in your Identity Provider's authentication setup.

| Setting | Description | Value |
|---|---|---|
| Callback URL (Assertion Consumer Service URL)* | The Assertion Consumer Service URL receives the SAML response | https://api.forestadmin.com/api/saml/callback |
| Sign on URL* | Sign on URL | https://api.forestadmin.com/api/saml/callback |
| Logout URL | Users are redirected to this location after logout | https://app.forestadmin.com/login (⚠️ or your custom domain if you use one) |
| Audience (EntityID) | Named SP Entity ID in Forest Admin | The value is displayed in the Forest Admin settings |

Set up Forest Admin with the Identity Provider metadata, either by uploading an XML file or by pointing at an XML endpoint. Upload the file containing the authentication details, which you can generate within your Identity Provider, or enter the URL where such a file is published (some Identity Providers offer this).

XML file input

Manual input

Choose manual input if you prefer. In this case you enter the authentication details yourself, which requires a login endpoint, a logout endpoint and, lastly, a valid certificate.

Click "Test configuration" to attempt an authentication. Once it succeeds, your setup is complete, and the final step is to activate the newly configured SSO authentication method.

Once SSO is activated, all users are required to log in again. Inform your users of this beforehand to avoid any disruption in access.

Before proceeding, understand the following security consideration about IdP-initiated login: enabling it exposes you to a Cross-Site Request Forgery (CSRF) risk that is part of the SAML protocol itself. Weigh the security implications carefully before turning it on.

Once Single Sign-On (SSO) is active, the option to enable IdP-initiated login becomes available. It lets users be logged in automatically when they open Forest Admin from your Identity Provider's dashboard. To configure it, set a default RelayState on your Identity Provider in the following format (raw or URL-encoded, depending on the IdP):

{
  "organizationName": "OrganizationName",
  "destinationUrl": "organization.projects"
}

However, IdP-initiated SSO carries a Cross-Site Request Forgery (CSRF) risk that is inherent to the SAML protocol rather than specific to Forest Admin: because the Service Provider never issued an authentication request, it receives an unsolicited SAML response that it cannot bind to a login it started (there is no InResponseTo to check). Make sure users understand the security implications before choosing to enable IdP-initiated login.
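As an added example (not Forest Admin's code and not from this page), the block below shows the RelayState format above being built and URL-encoded on the IdP side, validated on the receiving side against an allowlist of destinations instead of being trusted as-is, and the response-acceptance rule that separates SP-initiated from IdP-initiated login. The allowlist, the organization-name pattern and the length bound are assumptions made for the example.

```python
import json
import re
from typing import Optional, Set, Tuple
from urllib.parse import quote, unquote

# Constructed allowlist: "organization.projects" is the destination the page shows;
# "organization.settings" is an assumed placeholder, not a documented destination.
ALLOWED_DESTINATIONS = {"organization.projects", "organization.settings"}
# Assumed sanity rules for the organization name and the total size of the RelayState.
ORG_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9 _.-]{0,63}")
MAX_RELAY_STATE_BYTES = 1024


def build_relay_state(organization_name: str, destination: str, url_encode: bool = False) -> str:
    """IdP side: produce the default RelayState in the page's JSON format, optionally URL-encoded."""
    if destination not in ALLOWED_DESTINATIONS:
        raise ValueError(f"unknown destination: {destination!r}")
    payload = json.dumps(
        {"organizationName": organization_name, "destinationUrl": destination},
        separators=(",", ":"),
    )
    return quote(payload, safe="") if url_encode else payload


def parse_relay_state(raw: str) -> dict:
    """Receiving side: accept only a well-formed, allowlisted RelayState.

    RelayState arrives alongside the SAML response and is under the sender's control, so it is
    treated as a key to look up in an allowlist, never as a URL to redirect to unchecked.
    """
    if len(raw.encode("utf-8")) > MAX_RELAY_STATE_BYTES:
        raise ValueError("RelayState too long")
    # Accept both the raw and the URL-encoded form mentioned on the page.
    text = raw if raw.lstrip().startswith("{") else unquote(raw)
    try:
        data = json.loads(text)
    except json.JSONDecodeError as exc:
        raise ValueError("RelayState is not valid JSON") from exc
    if not isinstance(data, dict) or set(data) != {"organizationName", "destinationUrl"}:
        raise ValueError("RelayState must contain exactly organizationName and destinationUrl")
    org, dest = data["organizationName"], data["destinationUrl"]
    if not isinstance(org, str) or not ORG_NAME_RE.fullmatch(org):
        raise ValueError("organizationName has an unexpected form")
    if not isinstance(dest, str) or dest not in ALLOWED_DESTINATIONS:
        raise ValueError(f"destinationUrl not allowlisted: {dest!r}")
    return {"organizationName": org, "destinationUrl": dest}


def should_accept_response(
    in_response_to: Optional[str], pending_request_ids: Set[str], idp_initiated_enabled: bool
) -> Tuple[bool, str]:
    """Decide whether a (signature-verified) SAML Response may start a session.

    SP-initiated: the Response carries InResponseTo, which must match an AuthnRequest ID this
    service issued and has not yet consumed. That binding is what prevents a response from
    being replayed or from landing in a browser session that never asked to log in.
    IdP-initiated: the Response is unsolicited and has no InResponseTo, so there is nothing
    to bind it to. Accepting it is a configuration choice, and it is the CSRF exposure the
    page warns about.
    """
    if in_response_to is not None:
        if in_response_to in pending_request_ids:
            pending_request_ids.discard(in_response_to)  # each request ID is single-use
            return True, "SP-initiated: response bound to a pending request"
        return False, "InResponseTo matches no pending request (replayed or never issued here)"
    if idp_initiated_enabled:
        return True, "IdP-initiated: unsolicited response accepted by configuration"
    return False, "unsolicited response rejected: IdP-initiated login is disabled"


if __name__ == "__main__":
    state = build_relay_state("OrganizationName", "organization.projects", url_encode=True)
    print("RelayState to paste into the IdP:", state)
    print("Parsed on receipt:", parse_relay_state(state))
    pending = {"_req-1"}
    print(should_accept_response("_req-1", pending, idp_initiated_enabled=False))
    print(should_accept_response(None, pending, idp_initiated_enabled=False))
```

The last function is the practical reading of the warning above: with IdP-initiated login disabled, every response must answer a request the Service Provider issued, and a response that arrives without one is dropped; enabling the feature removes that check by design, which is why the page asks you to weigh it before turning it on.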
