SAML FAQs
What SAML versions are supported?
Clumio supports SAML 2.0 for Single Sign-On. Clumio does not support SAML 1.0/1.1
Can I test the SSO configuration?
Clumio allows users to test the SSO configuration before rolling it out for all users.
When enabled, is SSO required for all users in my subscription?
Yes. Currently, all users will require SSO when enabled for the organization.
My IdP broke! Can I still log into Clumio?
Yes. Reach out to Clumio support to assist you in this scenario.
How do the regular session timeout and logout features work?
There is no change with respect to logout and existing sessions. The tokens issued are valid for 60 minutes after which a refresh of the token is required.
When does Clumio expire authentication tokens?
Clumio expires JSON Web Tokens (JWT) every hour, unless refreshed by the end user.
Which types of certificates are supported?
Clumio supports X.509 standard certificates.
Is the Federation process IDP initiated or SP initiated?
Clumio only supports Service Provider initiated SSO. IdP initiated SSO is currently not supported.
Can users log into Clumio UI using API’s?
Yes. Users can consume our public REST APIs for performing operations on Clumio. You must generate an API token from the Clumio UI in order to access the REST API.
Will enabling SSO cause any disruptions to anything I currently do?
The admins will have a slightly different experience, although similar to logging into other SaaS apps. For existing scripts/automation being used to perform operations on Clumio, the admins can continue to use their Clumio credentials to obtain tokens and use them for subsequent API calls.
Going forward, we may issue separate tokens for scripting/automation purposes, than the ones we currently do as part of login.
Is MFA supported with SSO?
No. MFA and SAML SSO do not work together in Clumio, you can only enable one or the other. Clumio recommends administrators enable MFA on their IdP so as to perform MFA verification only once, either via IdP or with the Clumio portal directly.
Why am I not able to sign in to Clumio after being redirected to my IdP?
This may be due to the following:
- Your browser may be storing outdated login data. Clear the cache and cookies in your browser before you attempt to sign in again.
- It's possible that your profile in the Identity Provider (IdP) being used to authenticate your information has not yet been added or needs to be updated. Partner with the IdP admin or with IT department in your organization to ensure your profile information is present in the IdP.
- You may not have been added to the account that your domain is associated with. Contact your Clumio Backup Admin to have them add you to the Clumio account.
If the issue persists, take a screenshot of the error message you’re seeing and provide it to our Support team for further troubleshooting.
The following is a self-explanatory list of single sign-on configuration errors that can be observed on the Clumio UI:
- "Error occurred while creating identity provider. Ensure the metadata URL is valid and publicly accessible."
- "Error occurred while updating identity provider. Ensure the metadata URL is valid and publicly accessible."
- "Unable to fetch service provider metadata. Retry after entering identity provider details."
- "The email of the user who initiated Single Sign-on does not match with that of the user who actually signed-in through configured Identity Provider."
- “Error in SAML response processing: <.... Error details ...>”:
These are SAML-specific errors which are tied to misconfiguration on the IdP side. As a first step towards troubleshooting such an issue, refer to our documentation to verify that you have correctly configured the IdP in question.
What should I do when I receive a notice that my certificates are about to expire?
You’ll need to have the new certificate generated by your Identity Provider (IdP) before you begin making changes in Clumio. Once that is completed, you can get the latest metadata file from your IdP and upload that to the Clumio platform.
What happens when I enable the SSO for all users?
All administrators currently logged on to Clumio will continue to have their sessions working. When they log out and try to log back in or a new user tries to log in, they are automatically redirected to the IdP configuration performed in the Clumio dashboard.
Will turning on SSO will break access for all administrators?
Clumio understands that administrators would like to try SSO configuration before turning it on for all other administrators and has provided an option to do so. Before the test is successful, the Enable SSO option is disabled. Only after a successful SSO test is an administrator able to enable SSO for all other administrators. All admins also receive an email confirmation that SSO has been enabled.
What happens when I update the metadata file?
All currently logged in users will continue to function as usual. The next login attempt will trigger an updated login requirement based on the updated metadata file information.
Why did the Test SSO configuration step fail while setting up SAML?
An error received at this step will call out the specific problem with the testing of SSO. Here are a few examples of errors you might receive:
- DNS validation failed. Make sure the DNS entry has propagated and try again
- Domain is already associated with IdP
- Missing SAML Metadata
You’ll need to partner with the IdP administrator to update the metadata configuration and repeat the steps to set up SAML.
Does Clumio support multiple IdP vendors in one Clumio account?
No, at the moment, Clumio only supports one IdP vendor within a Clumio account.
Where can I find the SAML V2.0 specification?
http://saml.xml.org/saml-specifications
How do I validate SAML response xml?
Verify the xml against http://docs.oasis-open.org/security/saml/v2.0/saml-schema-protocol-2.0.xsd
How do I decode the SAML response?
There are many options available to decode an encoded SAML response. Here is one online decoder: https://rnd.feide.no/simplesaml/modu...ebug/debug.php
How do I track and view SAML responses?
Here are some options:
- Firefox add-on
saml-tracer
tracks HTTPS flow, decodes, and parses SAML responses. https://addons.mozilla.org/en-US/firefox/addon/saml-tracer/ - Chrome SAML Tracer: https://chrome.google.com/webstore/detail/saml-chrome-panel/paijfdbeoenhembfhkhllainmocckace?hl=en
Where can I find the Service Provider details that are required by my IdP?
Service Provider information is available on the Clumio dashboard. You’ll need to navigate to Administration > Access Management > Authentication (SSO/MFA) and expand the Show Clumio Serive Provider details link.
What is the current lead time to get a SSO enabled for my subscription?
Since Clumio provides a SaaS based service, there’s no lead time needed to enable the service. You can reach out to Clumio Support and SSO can be made available to you in seconds.
Does Clumio need a logout URL?
At the moment, Clumio does not need a logout URL.
What is a Timeout URL and how does timeout work with SAML implementation?
Currently, if an administrator has logged on to the Clumio dashboard and there is no activity performed for a 15 minute period, then the user is logged out automatically. Administrators are also able to configure the inactivity period in Clumio. Once a user logs out of Clumio, they are sent back to the login page.
What information does Clumio use to identify IdP users?
Clumio uses the NameID value from the SAML response to lookup the corresponding Clumio user. The "Single Sign-On ID" must be provided during user creation for SAML login to succeed. The Single Sign-On ID can be configured by editing the user in the User interface of Clumio dashboard.
Can we provision users using SAML?
The current Clumio SAML setup is only for authentication and not user provisioning within Clumio. Administrators will need to be provisioned within Clumio before they can log into Clumio using SSO.
Can we authorize users using SAML?
The current Clumio SAML setup is only for authentication and not user authorization within Clumio.
What IdP systems has Clumio integrated with?
Current Clumio SAML setup supports Google, Okta, Duo AD FS, Auth0., OneLogin, Azure, and Shibboleth
How can I gather SAML Trace to troubleshoot SSO related issues?
Clumio support sometimes needs to gather data related to SAML / SSO authentication failure.
There are 2 browser-based tools, which are easy to use:
Firefox
SAML Tracer: https://addons.mozilla.org/en-us/firefox/addon/saml-tracer/. The data you need to collect is found as a POST*, under the SAML tab:
Chrome
SAML Tracer: https://chrome.google.com/webstore/detail/saml-chrome-panel/paijfdbeoenhembfhkhllainmocckace?hl=en
Once installed this will add a tab on your Developers Tool in Chrome. You will find a POST* and you will have to look at the SAML tab:
What do I do if I don’t have a Metadata file?
Some IdP vendors only provide a metadata URL where the file is hosted. In such cases, administrators can download the file by visiting the URL and saving it in XML format and then upload it to Clumio.
How does Clumio know when to perform SSO if I have multiple Clumio logins?
SSO is configured based on the email address of the admin. If the login email has SSO configured, the user is asked to authenticate using IdP. If the login email doesn’t have SSO enabled, you are prompted to enter your password.
What happens when I disable SSO configuration?
If SSO is disabled, currently logged in users continue to keep using their session. Upon the next login attempt, or a new user trying to log into the service, will be asked to configure a password based on the password reset flow. All users will also get an email confirmation that SSO has been disabled
What should I do if my IdP is not listed in the supported IdP vendors list from Clumio?
Contact Clumio Support.
Why is a user from my organization getting a "not authorized" error after logging into my IdP?
This may be due to the lack of user permissions in the Identity Portal for the Clumio Service Provider. Ensure that you’ve added the user for the Clumio app.
I’d like to change my IdP. What should I do?
You need to disable SSO before changing your IdP. Once SSO is disabled, edit the vendor name and the configuration, and then the configuration. If the test is successful, you can go ahead and enable it again for your new IdP. All users will also get an email confirmation that SSO has been disabled.
Partner interoperability documents
These articles provide information on integrations with IdP vendors:
- Microsoft Active Directory Federation Services (ADFS) Integration
- Okta Integration
- Auth0 Integration
- Duo Integration
- PingID Integration
- Azure Active Directory Integration
- Onelogin Integration
- Shibboleth (via Gluu)
Contact [email protected] with any questions or clarifications.
Updated 9 months ago