Overview
When licensing Aperian for your organization, you have options as to how your users will access the Aperian platform: email validation or SAML 2.0 single sign on. This article will explain each option in detail. Please contact your Client Success Manager to discuss any specific questions.
SAML 2.0 Overview
Aperian supports SAML 2.0. In SAML, your identity provider issues an XML assertion containing basic user information such as first name, last name, and email address. The assertion is digitally signed by the identity provider (it may additionally be encrypted); the x509 certificate you supply during set-up is what lets Aperian verify that signature before trusting the user information inside. Aperian offers two methods of SAML authentication: Identity Provider Initiated and Service Provider Initiated.
Service Provider Initiated Authentication (SP-initiated)
Service Provider initiated (SP-initiated) authentication is the SAML flow in which the service provider (Aperian) creates a SAML authentication request, redirects the user and that request to the Identity Provider (IDP, typically the client's corporate single sign-on system), and, once the user has authenticated there, receives a SAML response and assertion back from the IDP.
If a client chooses to use this method of authentication, the end user process will be as follows:
- End user navigates to a client-specific URL
- This URL redirects to the identity provider (typically the client's corporate single sign-on system)
- If the user already has an active session with the identity provider, they are brought straight to the Aperian Dashboard
- If not, the user is prompted to log in to their identity provider and is then brought to the Aperian Dashboard.
Identity Provider Initiated Authentication (IDP-initiated)
Identity Provider Initiated (IDP-initiated) authentication is another method of authentication available to Aperian clients. In IDP-initiated authentication there is no preceding request from Aperian: the client's IDP creates the signed assertion containing the user information on its own and sends it to the Aperian platform.
If a client chooses to use this method of authentication, the end user process will be as follows:
- End user navigates to a page within their organization's IDP system that includes a button to Aperian
- User clicks the button and is brought to the Aperian Dashboard
Other SAML Functionality
The Aperian system supports auto-provisioning (i.e. a new user account is created the first time an assertion arrives for a user who does not already exist). We do not support "auto-updating": given the character of the application, keeping profile data current is the user's responsibility. For example, if a user's name or demographics change in the client's identity provider, our system does not update this information, even if the new values are sent in the SAML assertion. The user must make these updates themselves, or request assistance from Aperian technical support if they are unable to do so.
The Aperian system supports the RelayState value: the SAML exchange can carry a destination URL, allowing the user to log in and be redirected to a specific URL in one action. RelayState travels outside the signed assertion, so it should carry only the destination URL and nothing sensitive.
Supported SAML Functionality Summary
- Service Provider Initiated: Aperian creates a SAML request, and receives a SAML response and assertion from the IDP
- Identity Provider Initiated: The client's IDP creates the signed assertion and sends it to our system
- Auto-provisioning: If a client’s assertion is for a non-existent user account, a user account is created immediately based on that information.
- RelayState: a destination URL carried with the SAML exchange, so the user lands on a specific page after logging in
Not Supported SAML Functionality Summary
- Auto-deprovisioning: If a user’s account is deleted or expired on the client side, this information is not sent to our system to delete/expire the account in our database. Disabling the user at the IDP stops them from signing in to Aperian through SAML, but their Aperian account remains until Aperian is asked to remove it.
- Auto-updating: If a user’s name or email address is updated on the client side, this information is not automatically sent to our database.
Is SAML right for your organization? (A checklist)
- Does your organization already have a platform that can serve as the IDP? (e.g. a corporate single sign-on system, intranet or LMS that holds your user directory)
- Does your IDP platform support sending SAML 2.0 data?
- (Recommended) Has your organization successfully set up a SAML 2.0 connection to another vendor's system before?
Aperian's platform can validate SAML assertions (and decrypt them where encryption is used), and while the technical team at Aperian can troubleshoot issues with those SAML assertions, we do not provide documentation for how to build a SAML-ready code base or how to identify/select an IDP if your organization does not already have one.
SAML Account set up
To set up new accounts, Aperian requires the following information from the client for both the development environment and the production environment (described below):
- x509 Certificate
- A redirect URL (i.e. the URL Aperian should send users to so they can sign in through your IDP: if one of your employees does not know where to go to access Aperian, what URL should we send them to?)
- Attributes: The client system will need to pass Aperian the following case-sensitive attributes:
- email <-- This is the NameID in our system, used to identify unique users
- firstName
- lastName
Aperian will send the following information to the client as part of set-up:
- A unique SAML consumer/assertion URL
- An XML metadata packet
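The two flows described above (SP-initiated, where Aperian issues an authentication request, and IDP-initiated, where there is none), the RelayState redirect and the three required attributes come together in the following Python sketch of what a service provider does with the exchange. It is an added example, not Aperian's code: the entity ID, consumer/assertion URL, IDP redirect URL, clock and sample Response are constructed placeholders, and XML signature verification against the client's x509 certificate is deliberately left to a SAML library and not shown.

```python
"""SP-initiated SAML 2.0 round trip, reduced to the data handling the SP does.
Added example, not Aperian's code: entity ID, ACS URL, IDP URL, clock and sample Response are constructed."""
import base64
import uuid
import zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlsplit
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
SP_ENTITY_ID = "https://sp.example.test/saml/metadata"  # assumed SP entity ID
ACS_URL = "https://sp.example.test/saml/acs"            # assumed consumer/assertion URL
IDP_SSO_URL = "https://idp.example.test/sso"            # assumed IDP redirect URL
REQUIRED_ATTRS = ("email", "firstName", "lastName")     # case-sensitive, as the article requires


class SamlError(Exception):
    pass

def build_redirect_url(relay_state=None):
    """Step 1: SP builds an AuthnRequest and sends the browser to the IDP (HTTP-Redirect binding)."""
    request_id = "_" + uuid.uuid4().hex  # the SP keeps this to check InResponseTo later
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="{request_id}" '
           f'Version="2.0" IssueInstant="{now}" Destination="{IDP_SSO_URL}" '
           f'AssertionConsumerServiceURL="{ACS_URL}" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
           f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw DEFLATE, as the binding specifies
    params = {"SAMLRequest": base64.b64encode(comp.compress(xml.encode()) + comp.flush()).decode()}
    if relay_state:
        params["RelayState"] = relay_state
    return f"{IDP_SSO_URL}?{urlencode(params)}", request_id

def decode_redirect_request(url):
    """The IDP's view of that URL: (AuthnRequest ID, RelayState)."""
    qs = parse_qs(urlsplit(url).query)
    xml = zlib.decompress(base64.b64decode(qs["SAMLRequest"][0]), -15)
    return ET.fromstring(xml).get("ID"), qs.get("RelayState", [None])[0]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc) if s else None

def parse_response(xml_text, expected_request_id=None, now=None):
    """Step 3: checks the SP makes before trusting the attributes in a Response.
    Signature verification against the IDP's x509 certificate is NOT shown; a real SP (e.g.
    python3-saml/xmlsec) does it first. IDP-initiated: no AuthnRequest was made, so
    expected_request_id is None and the Response must carry no InResponseTo."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    if root.get("Destination") not in (None, ACS_URL):
        raise SamlError("Destination is not our ACS URL")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise SamlError("IDP did not report Success")
    if root.get("InResponseTo") != expected_request_id:
        raise SamlError("InResponseTo does not match an outstanding request")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise SamlError("expected exactly one Assertion")
    cond = assertions[0].find("saml:Conditions", NS)
    if cond is None:
        raise SamlError("Assertion has no Conditions")
    nb, noa = _ts(cond.get("NotBefore")), _ts(cond.get("NotOnOrAfter"))
    if (nb and now < nb) or (noa and now >= noa):
        raise SamlError("Assertion outside its validity window")
    if SP_ENTITY_ID not in [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        raise SamlError("Assertion not addressed to this SP")
    attrs = {}
    for attr in assertions[0].findall("saml:AttributeStatement/saml:Attribute", NS):
        vals = attr.findall("saml:AttributeValue", NS)
        attrs[attr.get("Name")] = (vals[0].text or "").strip() if vals else ""
    missing = [k for k in REQUIRED_ATTRS if not attrs.get(k)]
    if missing:
        raise SamlError(f"missing required attributes: {missing}")
    return {k: attrs[k] for k in REQUIRED_ATTRS}  # email doubles as the NameID in Aperian's model

def safe_relay_state(relay_state, default="/dashboard"):
    """RelayState sits outside the signed Assertion, so treat it as untrusted input:
    follow it only when it is a local path or a URL on our own ACS host."""
    if not relay_state or "\\" in relay_state:
        return default
    p, acs = urlsplit(relay_state), urlsplit(ACS_URL)
    local = not p.scheme and not p.netloc and relay_state.startswith("/")
    return relay_state if local or (p.scheme, p.netloc) == (acs.scheme, acs.netloc) else default


SAMPLE_NOW = datetime(2024, 1, 1, 12, 0, 30, tzinfo=timezone.utc)  # constructed clock for the sample
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_r1" Version="2.0"
 IssueInstant="2024-01-01T12:00:00Z" Destination="{ACS_URL}" InResponseTo="_req1">
 <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
  <saml:Subject><saml:NameID>jane.doe@client.example</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
   <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement><saml:Attribute Name="email"><saml:AttributeValue>jane.doe@client.example</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement></saml:Assertion></samlp:Response>"""
```

`build_redirect_url("/some/page")` produces the URL a user is sent to in step 1 of the SP-initiated flow, and `parse_response(SAMPLE_RESPONSE, "_req1", SAMPLE_NOW)` returns the email, firstName and lastName that an auto-provisioning step would create the account from. Passing `None` as the request ID, as an IDP-initiated login would, rejects this particular sample because it carries an InResponseTo; a genuinely IDP-initiated Response has none. `safe_relay_state` is the check that stops a crafted RelayState from turning the login into an open redirect to another site.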
Development Environment
Aperian utilizes a pre-production environment for all development and testing. We'll set up SAML in this environment for testing and troubleshooting and once we've had a successful test, we'll move on to setting up the same access in the production environment.
Production Environment
Once the process has been confirmed in the pre-production environment, the client and Aperian repeat the same implementation in the production environment. All of the items listed under "SAML Account set up" must be in place for production as well, since the production environment has its own consumer/assertion URL.
The URL for the production environment is provided once testing on the development environment has been a success.
Email Validation Overview
Email validation allows users to go to the Aperian site (https://app.aperian.com) and register for new accounts (or log in to existing accounts) using their work email address and a password they create.
To implement this, the client will need to supply Aperian with a list of all the email domains that the client owns. As long as the licensing organization owns more than 50% of the subsidiary, the affiliated domains can be included under the license. Aperian will load the domains into our administrative system. When a user with one of these email domains registers for a new account, they will be directed to the proper account in our system and receive the full level of access afforded to the client.
Process for new end users
- User goes to https://app.aperian.com, clicks Sign Up, enters their corporate email address and selects a password.
- Passwords must be at least ten (10) characters long; include lowercase letters (a-z), uppercase letters (A-Z), numbers (0-9) and special characters (!@#$%^&*); and contain no more than 2 identical characters in a row.
- User continues to the Dashboard
- Note: If a user cannot remember the password, they must use the Forgot your Password? feature to reset it. After five (5) unsuccessful login attempts, their account will be locked. They will need to contact support@aperian.com to unlock the account.
Process for returning end users
- User goes to https://app.aperian.com; enters email address and the password they created when signing up
- User can then log in and is brought to the Dashboard
- Note: If a user cannot remember the password, they must use the Forgot your Password? feature to reset it. After five (5) unsuccessful login attempts, their account will be locked. They will need to contact support@aperian.com to unlock the account.
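The sign-up and login rules above (domain-based routing to the right enterprise account, the password policy, and the lockout after five failed attempts), written out as a runnable check. This is an added example, not Aperian's code: the domain table, the account and the passwords are constructed, the store is an in-memory dictionary rather than Aperian's administrative system, and the PBKDF2 hashing is this example's choice, not a statement about how Aperian stores passwords.

```python
"""Email-validation sign-up and login rules from the article as runnable checks.
Added example, not Aperian's code: domain table, accounts and passwords are constructed."""
import hashlib
import hmac
import os
import re

MIN_LEN, MAX_FAILED, SPECIALS = 10, 5, "!@#$%^&*"


def password_problems(pw):
    """Return the policy rules a candidate password breaks (empty list means it passes)."""
    rules = [
        (len(pw) >= MIN_LEN, f"at least {MIN_LEN} characters"),
        (re.search(r"[a-z]", pw), "a lowercase letter (a-z)"),
        (re.search(r"[A-Z]", pw), "an uppercase letter (A-Z)"),
        (re.search(r"[0-9]", pw), "a digit (0-9)"),
        (any(c in SPECIALS for c in pw), f"a special character ({SPECIALS})"),
        (not re.search(r"(.)\1\1", pw), "no more than 2 identical characters in a row"),
    ]
    return [why for ok, why in rules if not ok]


def account_for_domain(email, domain_to_account):
    """Route a sign-up to the enterprise account that owns its email domain.
    The match is exact and case-insensitive on the part after the single '@':
    a suffix match would let 'notclient.example' ride on 'client.example'."""
    if email.count("@") != 1:
        return None
    local, domain = email.strip().split("@")
    if not local or not domain:
        return None
    return domain_to_account.get(domain.lower())


def _hash(pw, salt):
    # Example's choice of password hashing; not a claim about Aperian's storage.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)


class Accounts:
    """Minimal sign-up/login store with the article's five-attempt lockout."""

    def __init__(self):
        self._by_email = {}  # email -> {"salt", "hash", "failed", "locked"}

    def register(self, email, pw):
        problems = password_problems(pw)
        if problems:
            return "rejected", problems
        salt = os.urandom(16)
        self._by_email[email.lower()] = {"salt": salt, "hash": _hash(pw, salt), "failed": 0, "locked": False}
        return "created", []

    def login(self, email, pw):
        acct = self._by_email.get(email.lower())
        if acct is None:
            return "wrong-credentials"  # same answer as a bad password, so the form does not enumerate users
        if acct["locked"]:
            return "locked"
        if hmac.compare_digest(acct["hash"], _hash(pw, acct["salt"])):
            acct["failed"] = 0
            return "ok"
        acct["failed"] += 1
        if acct["failed"] >= MAX_FAILED:
            acct["locked"] = True  # article: after five failures the account is locked until support unlocks it
            return "locked"
        return "wrong-credentials"

    def unlock(self, email):
        """The support-side unlock; a 'Forgot your Password?' reset is a separate path."""
        acct = self._by_email[email.lower()]
        acct["failed"], acct["locked"] = 0, False
```

The lockout counter resets on a successful login and is only cleared otherwise by `unlock`, matching the article's rule that a locked account needs support to reopen it; the login method deliberately returns the same answer for an unknown address and a wrong password.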
Changes to Corporate Email Domains and Naming Conventions
As part of regular maintenance, Aperian can add new domains to enterprise accounts at any time, free of charge, to ensure users are always routed to the correct account in Aperian. If needed, Aperian can update existing user accounts under old domains or email naming conventions for a development fee. Please speak with your Client Success Manager to discuss the required changes.