Integration Guide

SSO Integration Process

Overview

This document outlines the steps to integrate customers with external SSO providers using the SAML protocol. The process leverages Keycloak as the central authentication system and provides secure and seamless access to the platform.

The SAML SSO integration ensures:

  • Secure authentication using the customer’s Identity Provider (IdP)

  • A streamlined login experience for customer users

  • Attribute mapping for user provisioning and access control

Steps for Integration

Pensa to Share SAML SP Metadata

  • Pensa to provide the prepared SAML SP metadata to the customer

  • Customer to configure this metadata in their IdP with:

    • Assertion Consumer Service (ACS) URL

    • Attribute mapping for email, username, firstName, and lastName

    • Signed assertions and responses

Request Customer's SAML IdP Metadata

  • Customer to provide the SAML IdP metadata in XML format.

  • Customer to validate the metadata for:

    • entityID

    • SingleSignOnService URL

    • SingleLogoutService URL (optional)

    • Signing certificate
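As an added example (not Pensa's or Keycloak's own code), the following Python script checks a customer's IdP metadata XML for the four items above before it is imported into Keycloak; the sample metadata, the idp.example.com URLs and the certificate value are constructed placeholders.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample IdP metadata (hypothetical idp.example.com; the certificate
# value is a placeholder blob, not a real X.509 certificate).
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIBAgMBAAE=</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def looks_like_der_cert(b64: str) -> bool:
    """Structural sanity check only: base64 decodes and starts with an ASN.1 SEQUENCE.
    Trust, chain and expiry checks happen when the certificate is loaded into Keycloak."""
    try:
        der = base64.b64decode("".join(b64.split()), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return len(der) > 2 and der[0] == 0x30

def validate_idp_metadata(xml_text: str) -> dict:
    """Return {item: bool} for the checklist items above. SingleLogoutService is optional."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor" or idp is None:
        raise ValueError("not a SAML 2.0 EntityDescriptor containing an IDPSSODescriptor")
    sso = [e.get("Location", "") for e in idp.findall("md:SingleSignOnService", NS)]
    slo = [e.get("Location", "") for e in idp.findall("md:SingleLogoutService", NS)]
    # Only certificates usable for signing count; use="encryption" cannot verify assertions.
    certs = [c.text or "" for k in idp.findall("md:KeyDescriptor", NS)
             if k.get("use", "signing") == "signing"
             for c in k.findall(".//ds:X509Certificate", NS)]
    return {
        "entityID": bool(root.get("entityID", "").strip()),
        "SingleSignOnService": any(u.startswith("https://") for u in sso),
        "SingleLogoutService": any(u.startswith("https://") for u in slo),
        "SigningCertificate": any(looks_like_der_cert(c) for c in certs),
    }

if __name__ == "__main__":
    print(validate_idp_metadata(SAMPLE_IDP_METADATA))
```

A False for SingleLogoutService only means logout will not be federated; a False for any other item should stop the import until the customer corrects the metadata.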

Validate SSO Integration

  • Pensa and customer to test the integration using test credentials provided by the customer.

  • Both customer and Pensa to validate:

    • Successful login via the customer’s IdP

    • Correct attribute mapping in the platform

    • Proper redirection and logout functionality

User Login Workflow

  • Once the configuration is complete, users can log in using their corporate SSO credentials.

Steps for Users:

  1. Open the Pensa Mobile App

  2. Input the full email address in the login field

  3. Based on the configured email domain, the user is redirected to their organization’s SSO authentication page (e.g., Cognito for pensasystems.com users).

  4. Log in using the credentials provided by the customer’s SSO provider.

Result: Upon successful authentication, the user will be redirected back to the Pensa Mobile App.

Note: AWS Cognito is configured as the default SSO configuration for Pensa users, so they can also log in with their username. For SSO providers other than AWS Cognito, users must enter their full email address to be redirected to their respective SSO login page.

If there are any issues or questions, please email: [email protected]
