SAML 2.0 provider

SAML is an open-standard format for exchanging authentication and authorization data between an identity provider (IdP) and a service provider (SP). As a service provider, Relativity supports SAML IdP-initiated single sign-on (SSO). SP-initiated SSO is not supported. Relativity uses SAML assertions (tokens) to verify the users mapped to the identity provider.

SAML assertions contain information on the identity of the individual who has logged in. Assertions also name the identity provider that issued them, known in Relativity as the Issuer URL. Each assertion is typically prepared for a specific receiver, known as the Audience. The identity provider protects this information by cryptographically signing the assertion. An assertion is only valid if it comes from a known Issuer URL, is addressed to the expected Audience, and is correctly signed.

Considerations

  • SAML assertions must be cryptographically signed for Relativity to verify their authenticity. Make sure your SAML IdP is configured accordingly.

  • You can use Relativity with any SAML 2.0-compliant IdP, such as Centrify, Okta, Microsoft Active Directory Federation Service (ADFS), or OneLogin.

  • RelativityOne only supports the RSA-SHA256 assertion signing algorithm.

  • After saving the Authentication provider for the first time, the system generates the Redirect URL. Placeholder values may need to be added to the third-party Authentication setup before obtaining this value.

Configuring a SAML 2.0 authentication provider

To add a SAML 2.0 authentication provider, complete the fields below.

Authentication Provider Information

  • Name—enter a user-friendly name for the authentication provider.

  • Provider Type—select SAML2.

  • Enabled—the provider is enabled by default, but you can disable it.

  • Site URL—set the URL that users enter in the browser to access an instance of Relativity.

Authentication Provider Settings

  • Audience—the unique identifier of the service provider (SP). We recommend using the same value as your Site URL.

  • Issuer URL—the unique identifier of the identity provider (IdP).

  • Certificate—an X.509 certificate provided by the identity provider.

  • Subject Claim Type (Optional)—the attribute in the SAML subject used to validate the login. We recommend leaving this blank.
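When a login fails after setup, it helps to compare an assertion captured from your IdP against the Issuer URL and Audience values entered above, and to confirm the signing algorithm is RSA-SHA256. The following pre-flight check is an added example, not Relativity code; the function name, sample assertion, and example.com URLs are constructed for illustration, and it inspects fields only without verifying the signature value.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

# Constructed sample: issuer and audience are right, but the IdP signs with RSA-SHA1.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_constructed" Version="2.0">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <ds:Signature><ds:SignedInfo>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
  </ds:SignedInfo></ds:Signature>
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>https://relativity.example.com/Relativity</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
</saml:Assertion>"""

def preflight(xml_text, issuer_url, audience):
    """List mismatches between a captured assertion and the provider settings.
    Inspects fields only; it does not verify the signature value."""
    root = ET.fromstring(xml_text)
    is_assertion = root.tag == "{%s}Assertion" % NS["saml"]
    assertion = root if is_assertion else root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no saml:Assertion element found"]
    problems = []
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != issuer_url:
        problems.append("Issuer %r does not match Issuer URL %r" % (issuer, issuer_url))
    path = "saml:Conditions/saml:AudienceRestriction/saml:Audience"
    audiences = [a.text.strip() for a in assertion.findall(path, NS) if a.text]
    # Exact string match: a trailing slash or http/https difference is a mismatch.
    if audience not in audiences:
        problems.append("Audience %r not in assertion audiences %r" % (audience, audiences))
    # Only a signature that is a direct child of the Assertion counts here.
    method = assertion.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    if method is None:
        problems.append("assertion is not signed")
    elif method.get("Algorithm") != RSA_SHA256:
        problems.append("signature algorithm %s is not RSA-SHA256" % method.get("Algorithm"))
    return problems

if __name__ == "__main__":
    for p in preflight(SAMPLE, "https://idp.example.com/metadata",
                       "https://relativity.example.com/Relativity"):
        print("MISMATCH:", p)
```

Run it only on assertions captured from your own IdP during setup; an empty result means the three fields line up, not that the signature is valid.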

Configuring specific SAML providers

The following sections provide guidelines for integrating Relativity with Okta and ADFS.