SAML FAQs

What SAML versions are supported?Clumio supports SAML 2.0 for Single Sign-On. Clumio does not support SAML 1.0/1.1

Can I test the SSO configuration?Clumio allows users to test the SSO configuration before rolling it out for all users.

 

When enabled, is SSO required for all users in my subscription?Yes. Currently, all users will require SSO when enabled for the organization.

My IdP broke! Can I still log into Clumio?Yes. Reach out to Clumio support organization to assist you in this scenario.

How do the regular session timeout and logout features work?There would not be any change with respect to logout and existing sessions. The tokens being issued are valid for 60 mins post which a refresh of the token is required.

When does Clumio expire the authentication tokens?Clumio expires the JSON Web Tokens (JWT) every hour, unless it’s refreshed by the end user.

Which types of certificates are supported?Clumio supports certificates as dictated by the X.509 standard.

 

Is the Federation process IDP initiated or SP initiated?Clumio only supports Service Provider initiated SSO. IdP initiated SSO is currently not supported.

Can users log into Clumio UI using API’s?Yes. They can consume our public REST APIs for performing operations on Clumio. They will need to generate API Tokens from the Clumio UI in order to access the REST API. 

Will enabling SSO cause any disruption to anything I currently do?The admins will have a slightly different experience, although similar to logging into other SaaS apps. For existing scripts/automation being used to perform operations on Clumio, the admins can continue to use their Clumio credentials to obtain tokens and use them for subsequent API calls.

Going forward, we may issue separate tokens for scripting/automation purposes, than the ones we currently do as part of login.

Is MFA supported with SSO?No. MFA and SAML SSO do not work together and cannot be enabled in the Clumio account. Clumio recommends admins to enable MFA on their IdP so that admins are only performing MFA verification only once (either via IdP or with Clumio portal directly).

 

Partner interoperability documentsThese documents provide information on integrations with IdP vendors:

  • Microsoft Active Directory Federation Services (ADFS) Integration
  • Okta Integration
  • Auth0 Integration
  • Duo Integration
  • PingID Integration
  • Azure Active Directory Integration
  • Onelogin Integration
  • Shibboleth (via Gluu)

Why am I not able to sign in to Clumio after being redirected to my IdP? This is can be caused by the following:

  • Your browser may be storing outdated login data. Clear the cache and cookies in your browser before you attempt to sign in again.
  • It's possible that your profile in the Identity Provider (IdP) being used to authenticate your information has not yet been added or needs to be updated. Partner with the IdP admin or with IT department in your organization to ensure your profile information is present in the IdP.
  • You may not have been added to the account that your domain is associated with. Contact your Clumio Backup Admin to have them add you to the Clumio account.

If the issue persists, take a screen capture of the error message you’re seeing and provide it to our Support team for further troubleshooting.

Following is a self-explanatory list of errors that can be observed on Clumio UI pertaining to single sign-on configuration:

  • "Error occurred while creating identity provider. Please ensure the metadata URL is valid and publicly accessible."
  • "Error occurred while updating identity provider. Please ensure the metadata URL is valid and publicly accessible."
  • "Unable to fetch service provider metadata. Please retry after entering identity provider details."
  • "The email of the user who initiated Single Sign-on does not match with that of the user who actually signed-in through configured Identity Provider."
  • “Error in SAML response processing: <.... Error details ...>”
  • This one has SAML-specific errors which are tied to misconfiguration on the IdP side. The troubleshooting steps would involve going through our documentation to ensure all steps have been correctly performed for the IdP in question.

What should I do when I receive a notice that my certificates are about to expire?You’ll need to have the new certificate generated by your Identity Provider (IdP) before you begin making changes in Clumio. Once that is completed, you can get the latest metadata file from your IdP and upload that in Clumio UI.

What happens when I enable the SSO for all?All admins that are currently logged into Clumio will continue to have their sessions working. Once they log out and try to log back in or a new user tries to log into the Clumio dashboard, they will be automatically redirected to the IdP configuration performed in the Clumio dashboard.

I am worried that turning on SSO will break access for all admins?Clumio understands that admins would like to try SSO configuration before turning it on for all other admins and hence, has provided an option to do so. Before the test is successful, Enable SSO option is disabled. Only after a successful SSO test is the admin able to enable SSO for all other admins. All admins will also get an email confirmation about SSO being enabled.

What happens when I update the Metadata file?All currently logged in users will continue to function as usual. Next login attempt will trigger updated login information based on the updated Metadata file information.

 

Why did I Test SSO configuration step fail while setting up SAML?The error received in this step will call out the specific problem with the testing of SSO. Here are a few examples of errors you might receive:

  • DNS validation failed.  Please make sure the DNS entry has propagated and try again
  • Domain is already associated with IdP
  • Missing SAML Metadata

You’ll need to partner with the IdP admin to adjust the metadata configuration and repeat the steps to set up SAML.

Does Clumio support multiple IdP vendors in one Clumio account?No, at the moment, Clumio only supports one IdP vendor within a Clumio account. 

Where are SAML V2.0 specification?http://saml.xml.org/saml-specifications

How do I validate SAML response xml?Please verify the xml against http://docs.oasis-open.org/security/saml/v2.0/saml-schema-protocol-2.0.xsd

How to decode SAML response?One online decoder is at: https://rnd.feide.no/simplesaml/modu...ebug/debug.php

How to track and view SAML responses?Firefox add-on saml-tracer tracks HTTPS flow, decode and parse SAML response https://addons.mozilla.org/en-US/firefox/addon/saml-tracer/

Chrome SAML Tracer: https://chrome.google.com/webstore/detail/saml-chrome-panel/paijfdbeoenhembfhkhllainmocckace?hl=en

Where can I find the Service Provider details that are required by my IdP?Service Provider information is available in the Clumio dashboard. You’ll need to go to Account Settings -> Single Sign On -> Service Provider Details.

What is the current lead time to get a SSO enabled for my subscription?Since Clumio provides a SaaS based service, there’s no lead time needed to enable the service. You can reach out to Clumio Support and SSO can be made available to you in seconds.

Does Clumio need a Logout URL?At the moment, Clumio doesn’t need a Logout URL. 

What is Timeout URL and how does timeout work with SAML implementation?Currently, if an admin has logged into Clumio dashboard, there is no activity performed for 15 minute period after which the user is logged out automatically. This is also being enhanced to allow admins to configure the inactivity period in Clumio UI. Once the user logs out of the Clumio dashboard, they are sent back to the login page. 

What information does Clumio use to identify IdP users?Clumio uses the NameID value from the SAML response to lookup the corresponding Clumio user. The "Single Sign-On ID" must be provided during user creation for SAML login to succeed. The Single Sign-On ID can be configured by editing the user in the User interface of Clumio dashboard.

Can we do user provisioning using SAML?Current Clumio SAML setup is only for authentication and not user provisioning within Clumio. Admins will need to be provisioned within Clumio dashboard before they can log into Clumio using SSO.

Can we do user authorization using SAML?Current Clumio SAML setup is only for authentication and not user authorization within Clumio. 

What IdP systems has Clumio integrated with?Current Clumio SAML setup supports Okta, ADFS and Auth0. We’re planning to quickly add more vendors like Shibboleth, Ping, Azure, Duo etc.

How can I gather SAML Trace to troubleshoot SSO related issues?From a support perspective, Clumio sometimes needs to gather data related to SAML / SSO authentication failure.

There are 2 browser-based tools, which are easy enough:

Firefox

SAML Tracer: https://addons.mozilla.org/en-us/firefox/addon/saml-tracer/

Once installed will appear like following screenshot and need to be opened while doing the SSO Connection: 

The data you need to collect is found as a POST*, under the SAML tab:
1.png2.png

Chrome

SAML Tracer: https://chrome.google.com/webstore/detail/saml-chrome-panel/paijfdbeoenhembfhkhllainmocckace?hl=en

Once installed this will add a tab on your Developers Tool in Chrome, and again, you will find a POST* and you will have to look at the SAML tab:

3.png

I don’t have a Metadata file? What can I do?
Some IdP vendors only provide a metadata URL where the file is hosted. In such cases, admins can download the file by visiting the URL and saving it in XML format. Once saved, admins can upload it in Clumio UI.

If I have multiple Clumio logins, how does Clumio know when to perform SSO?SSO is configured based on the email address of the admin. If the login email has SSO configured, admin will be asked to authenticate using IdP. If the login email doesn’t have SSO enabled, then the Clumio UI will ask the admin to enter the password.

What happens when I disable the SSO configuration?
Currently logged in admins will continue to keep using their session. Upon next login attempt, or a new user trying to log into the service, they (admins) will be asked to configure their password based on the password reset flow. All admins will also get an email confirmation about SSO being disabled

 

My IdP is not listed in the supported IdP vendors list from Clumio. What should I do?Go ahead and contact the Clumio support. 

My user is getting an error as not authorized after logging into my IdP?This issue would mostly be due to the lack of user permissions in the Identity Portal for the Clumio Service Provider. Ensure that you’ve added the user for the Clumio app.

I’d like to change my IdP. What should I do?You’ll need to disable SSO before changing your IdP. Once SSO is disabled, edit the vendor name and the configuration, followed by testing the configuration. Once the test is successful, you can go ahead and enable it again for your new IdP. All admins will also get an email confirmation about SSO being disabled.