Single Sign-On

JESI Company Accounts now have the opportunity to have Single Sign-On activated.

Single sign-on (SSO) in the enterprise refers to the ability for employees to log in once, with one set of credentials, to gain access to all corporate applications, websites and data for which they have permission. SSO solves key problems for the business by providing greater security and compliance.

SAML 2.0 Compliant Identity Provider Configuration

Security Assertion Markup Language (SAML) is an open standard for securely exchanging authentication and authorization data between an enterprise Identity Provider and JESI (the Service Provider).

SAML 2.0 Sign-On Experience

JESI currently supports the Identity Provider initiated login experience.

Identity Provider Initiated Login Experience

With the Identity Provider initiated login experience, users directly access the enterprise's login manager and sign in to confirm their identity. The enterprise's Identity Provider then sends the SAML2 response directly to the JESI platform. The user is logged in and redirected to the JESI application, where they can access resources without further authentication.

SAML responses are matched to pre-configured JESI accounts by the email address attribute assertion. A JESI account is matched only if it resides within the context of the configured Identity Provider.

Service Provider Initiated Login Experience

Note: Service Provider (SP) initiated enterprise logins are expected to be supported in the future. The experience will differ from the Identity Provider initiated one.

Single Logout (SLO) Experience
JESI supports the SAML2 Identity Provider initiated Single Logout flow to terminate active user session(s).

Note: Logging out of JESI will terminate the user's current session and will require re-authentication for access. JESI does NOT support Service Provider initiated SLO.

Joining the Organisation Automatically
JESI currently requires user accounts to be created and activated within the JESI platform before access is granted via an enterprise Identity Provider.

Note: Just in Time (automatic) provisioning of JESI accounts will be supported in the future. Currently, users must have an account set up before using SSO (at this stage, the simplest way to do this is to import users).

Configure your JESI access with a SAML Identity Provider

JESI Service Provider Configuration

For configuration within an Identity Provider, the following settings should be used.

Setting: Entity ID
Description: JESI Service Provider Entity ID.
Value: https://api.jesi.io/

Setting: Metadata URL
Description: XML document containing the information necessary for interaction with SAML-enabled Identity Providers. The document contains e.g. URLs of endpoints, information about supported bindings, identifiers and public keys.
Value: https://apiv2.jesi.io/sso/saml2/metadata

Setting: Reply/ACS URL
Description: The reply URL is the Destination in the SAML response for IDP-initiated SSO.
Value: https://apiv2.jesi.io/sso/saml2/acs (binding: HTTP-POST)

Setting: Logout URL
Description: URL to which the SAML Logout response is sent back to the application.
Value: https://apiv2.jesi.io/sso/saml2/logout (binding: HTTP-POST)

Setting: Login URL
Description: URL of the sign-in page for this application that performs Service Provider initiated single sign-on.
Value: Not currently available

Setting: Authn Requests Signed
Description: Service Provider requests will be signed.
Value: true

Setting: Want Assertions Signed
Description: Identity Provider assertion responses will be signed.
Value: true

Setting: Encrypted Assertions
Description: JESI supports encrypted SAML2 assertion responses. The Identity Provider can optionally encrypt the assertion portion of the SAML2 response. All SAML2 traffic to and from the JESI platform is already encrypted using HTTPS, but this adds another layer of security.
Value: optional

Identity Provider Configuration Required by JESI
For configuration within JESI, the following settings need to be provided.

Setting: Entity ID
Description: This will be the Audience of the SAML response for IDP-initiated SSO.
Optionality: Required

Setting: X509 Certificate
Description: Certificate, encoded in Base64 format, for the enterprise Identity Provider. This is the certificate that allows JESI to verify the digital signature of the SAML responses sent to it by the enterprise Identity Provider.
Optionality: Required

Setting: Login URL (Redirect)
Description: Identity Provider's Login URL (supporting the HTTP Redirect binding) that JESI should use to allow a member to sign in. Will be used in the future to enable Service Provider initiated login.
Optionality: Optional

Setting: Login URL (HTTP-POST)
Description: Identity Provider's Login URL (supporting the HTTP POST binding) that JESI should use to allow a member to sign in. Will be used in the future to enable Service Provider initiated login.
Optionality: Optional

Contact the administrator of the Identity Provider if you need help determining which source of metadata information you need to provide.

User Attributes and Claims

JESI requires the following attribute information to be received from the Identity Provider when a user signs in.

Claim Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
Description: Unique user identifier. Persisted to support Identity Provider logout requests.
Optionality: Required

Claim Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
Description: User's email address. Used to match to an enabled JESI account.
Optionality: Required

Claim Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
Description: User's given name. Will be used in the future for Just in Time provisioning.
Optionality: Required

Claim Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
Description: User's surname. Will be used in the future for Just in Time provisioning.
Optionality: Required

Claim Name: http://jesi.io/sso/saml/2021/01/identity/claims/title
Description: User's position title. Will be used in the future for Just in Time provisioning. Missing values will be prompted for completion by the user prior to account provisioning.
Optionality: Optional

Claim Name: http://jesi.io/sso/saml/2021/01/identity/claims/mobilenumber
Description: User's mobile number. Will be used in the future for Just in Time provisioning. Missing values will be prompted for completion by the user prior to account provisioning.
Optionality: Optional

Note: The mobilenumber claim will be used in the future to enhance the just-in-time account provisioning.
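The Service Provider settings, the Identity Provider settings and the claims table above together describe what an IdP-initiated SAML response must contain for JESI to accept it. The following added example (it is not JESI's code and does not reflect how the JESI platform is implemented) checks a constructed response against those documented values using only the Python standard library: the Destination must be the ACS URL, the Audience must be the JESI Entity ID, the validity window must cover the current time, the assertion must carry a Signature element, and the four required claims must be present. It only checks that a signature is present; cryptographic verification of that signature against the Identity Provider's X509 certificate needs an XML-DSig library and is deliberately left out, as is decryption of an EncryptedAssertion. The sample response, user values and the `sample_response` builder are constructed for the example.

```python
"""Check an IdP-initiated SAML 2.0 Response against the JESI Service Provider settings.

Added example, not JESI code. Signature *presence* is checked, signature *validity* is not.
"""
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Values from the JESI Service Provider configuration table
SP_ENTITY_ID = "https://api.jesi.io/"
SP_ACS_URL = "https://apiv2.jesi.io/sso/saml2/acs"

# Claim names from the User Attributes and Claims table
CLAIM_BASE = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
JESI_CLAIM_BASE = "http://jesi.io/sso/saml/2021/01/identity/claims/"
REQUIRED_CLAIMS = {CLAIM_BASE + n for n in ("nameidentifier", "emailaddress", "givenname", "surname")}
OPTIONAL_CLAIMS = {JESI_CLAIM_BASE + n for n in ("title", "mobilenumber")}


def _parse_time(value):
    """Parse a SAML xs:dateTime such as 2024-01-01T00:00:00Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_response(xml_text, now_iso, clock_skew=timedelta(minutes=2)):
    """Return (ok, problems, attributes) for one SAML Response document."""
    now = _parse_time(now_iso)
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return False, ["root element is not a samlp:Response"], {}
    # Reply/ACS URL: the Destination of an IdP-initiated response must be the JESI ACS endpoint
    if root.get("Destination") != SP_ACS_URL:
        problems.append("Destination %r is not the JESI ACS URL" % root.get("Destination"))
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        msg = ("assertion is encrypted; decrypt it before checking"
               if root.find("saml:EncryptedAssertion", NS) is not None else "no Assertion in response")
        return False, [msg], {}
    # Want Assertions Signed = true: an unsigned assertion must not be accepted
    if assertion.find("ds:Signature", NS) is None:
        problems.append("Assertion carries no Signature (Want Assertions Signed is true)")
    # Entity ID: the Audience must name the JESI Service Provider
    audiences = [a.text for a in assertion.iterfind(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        problems.append("Audience %r does not name the JESI Entity ID" % audiences)
    # Validity window, with a small tolerance for clock skew between IdP and SP
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now + clock_skew < _parse_time(nb):
            problems.append("assertion not yet valid")
        if na and now - clock_skew >= _parse_time(na):
            problems.append("assertion has expired")
    # Collect attribute claims and report any required one that is missing
    attrs = {}
    for attr in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        attrs[attr.get("Name")] = value.text if value is not None else None
    for name in sorted(REQUIRED_CLAIMS - set(attrs)):
        problems.append("missing required claim %s" % name)
    return not problems, problems, attrs


def sample_response(audience=SP_ENTITY_ID, signed=True, claims=None,
                    not_before="2024-01-01T00:00:00Z", not_on_or_after="2024-01-01T00:05:00Z"):
    """Build a constructed IdP-initiated Response for testing; the user and values are made up."""
    if claims is None:
        claims = {
            CLAIM_BASE + "nameidentifier": "user-123",
            CLAIM_BASE + "emailaddress": "jane.doe@example.com",
            CLAIM_BASE + "givenname": "Jane",
            CLAIM_BASE + "surname": "Doe",
        }
    # Placeholder Signature element: present or absent, never cryptographically valid
    sig = ('<ds:Signature xmlns:ds="%s"><ds:SignatureValue>placeholder</ds:SignatureValue>'
           '</ds:Signature>' % NS["ds"]) if signed else ""
    attr_xml = "".join(
        '<saml:Attribute Name="%s"><saml:AttributeValue>%s</saml:AttributeValue></saml:Attribute>'
        % (n, v) for n, v in claims.items())
    return ('<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" Destination="%s">'
            '<saml:Assertion>%s<saml:Subject><saml:NameID>user-123</saml:NameID></saml:Subject>'
            '<saml:Conditions NotBefore="%s" NotOnOrAfter="%s"><saml:AudienceRestriction>'
            '<saml:Audience>%s</saml:Audience></saml:AudienceRestriction></saml:Conditions>'
            '<saml:AttributeStatement>%s</saml:AttributeStatement></saml:Assertion></samlp:Response>'
            % (NS["samlp"], NS["saml"], SP_ACS_URL, sig, not_before, not_on_or_after, audience, attr_xml))


if __name__ == "__main__":
    ok, problems, attrs = check_response(sample_response(), "2024-01-01T00:01:00Z")
    print("valid response:", ok, problems, attrs[CLAIM_BASE + "emailaddress"])
    ok, problems, _ = check_response(sample_response(audience="https://other.example/", signed=False),
                                     "2024-01-01T00:01:00Z")
    print("wrong audience, unsigned:", ok, problems)
```

The checks mirror the table: a response whose Audience names a different Service Provider, or whose assertion is unsigned, is rejected even though the email claim would match an account, which is what prevents an assertion issued for another application from being replayed to the ACS URL. In a production Service Provider the signature verification against the configured X509 certificate runs before any of these values are trusted.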