Setup Single Sign On (SSO) with SAML
Last updated
EC3 supports integration with any identity provider (IdP) that implements the SAML protocol. If your organization has a compatible, centralized user management system such as Microsoft Entra ID, Active Directory or Google Workspace, this integration lets your users log into all BuildingTransparency services with your corporate authentication server. You can configure your server to decide which groups of users are eligible to log into EC3.
This section explains the complete flow for setting up a Single Sign-on (SSO) integration for Building Transparency products with a SAML-based identity provider. The configuration process requires actions by both the EC3 engineering team and your organization.
Before you start:
You have an EC3 subscription that supports SSO integration (contact sponsorship@buildingtransparency.org).
Ensure you have access and the permissions to change the SAML configuration of your identity provider.
You have received the following from BuildingTransparency:
Issuer/Identifier/Entity ID, for example “Entity ID: https://auth.buildingtransparency.org/source/saml/acme-saml”
ACS/Reply URL/Assertion Consumer Service, for example: “Reply URL (ACS): https://auth.buildingtransparency.org/source/saml/acme-saml/acs/”
Microsoft Entra ID (formerly Azure AD, Azure Active Directory)
Click + New application to display the Browse Microsoft Entra ID Gallery, then click + Create your own application. The Create your own application side panel is displayed.
Select Integrate any other application you don't find in the gallery (Non-gallery).
Click Create.
Open your newly created application.
From the left navigation panel select Single sign-on.
Select SAML from the list of proposed authentication options.
Locate the Basic SAML Configuration section, click the three-dots icon in the top right corner and choose Edit from the drop-down menu.
The Basic SAML Configuration side panel is displayed.
Set Identifier (Entity ID) and Reply URL (Assertion Consumer Service URL) to the values you received from Building Transparency support. Click Save and close the side panel.
Depending on your organization's settings the attribute mapping might differ slightly. This guide assumes you use email as the user identifier and have not changed the standard user fields.
In section 2 "Attributes & Claims", click the three-dots icon and then Edit from the drop-down menu.
The Attribute Mapping dialog will appear.
Click the Unique User Identifier field and make sure the configuration matches the screenshot below:
For each of the additional claims, set the mapping as in the picture below. IMPORTANT: you must remove the namespace from each of the fields, so that the claim name is the bare name (for example first_name) rather than a namespaced URI:
Repeat this procedure for each field so you end up with the following mapping:
Claim name | Source attribute
Unique User Identifier (email, see above) | user.mail
first_name | user.givenname
last_name | user.surname
name | user.displayname
The final result should look like this:
Close the dialog to return to your SAML app configuration.
Once you have configured your application, collect your application identifiers and certificate; you will send this information to Building Transparency.
In section 3 "SAML Certificates", locate the Certificate (Base64) field and click Download.
In section 4 "Set up", locate the Login URL and Logout URL and copy their values.
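As an added check (example code, not part of the EC3 or Building Transparency guide), the following Python script parses a SAML assertion and reports claims that still carry a namespace URI, are missing, or are empty, as well as a NameID that is not an email address. The sample assertion is constructed for illustration and the function name is an assumption.

```python
"""Validate that a SAML assertion carries the claims EC3 expects (added example)."""
import re
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Bare claim names configured in the Entra ID "Attributes & Claims" step above.
EXPECTED_CLAIMS = ("first_name", "last_name", "name")
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")

# Constructed sample (not a real capture): NameID and two claims are correct,
# but the "name" claim still carries Entra ID's default namespace URI.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="first_name"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="last_name"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
      <saml:AttributeValue>Alice Doe</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_ec3_claims(assertion_xml: str) -> list[str]:
    """Return mapping problems found in the assertion; an empty list means it matches the guide."""
    root = ET.fromstring(assertion_xml)
    problems = []
    name_id = root.find("saml:Subject/saml:NameID", SAML_NS)
    if name_id is None or not EMAIL_RE.fullmatch((name_id.text or "").strip()):
        problems.append("NameID missing or not an email address")
    present = set()
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML_NS):
        name = attr.get("Name", "")
        value = attr.findtext("saml:AttributeValue", default="", namespaces=SAML_NS).strip()
        if "/" in name:  # a URI prefix means the namespace was not removed in Entra ID
            problems.append(f"claim '{name}' still carries a namespace")
            continue
        if not value:
            problems.append(f"claim '{name}' has an empty value")
        present.add(name)
    problems.extend(f"expected claim '{c}' not found" for c in EXPECTED_CLAIMS if c not in present)
    return problems


if __name__ == "__main__":
    for line in check_ec3_claims(SAMPLE_ASSERTION) or ["mapping OK"]:
        print(line)
```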
Send the following information to your contact at Building Transparency:
SAML Login URL
SAML Logout URL
Certificate in Base64 format
You can either allow anyone in your organization to use this app or configure strict rules to grant access only to selected users.
To allow access for everyone within your organization:
Open Properties from the left navigation menu on your SAML app page.
Set Assignment required to No.
To restrict access to specific groups or users:
Navigate to Users and Groups from the left navigation menu of your SAML app page.
Select Add user/group and configure access as needed.
Building Transparency engineers will update the configuration with the data you supplied and let you know when you can start testing the integration.