Configure Single Sign-On

Stax integrates with your Corporate ID using SAML. This allows you to bring your own identities and identity management controls to the Stax platform. Stax supports a few different SAML providers, but it should work with just about any SAML provider using the details below.

See About Identity and Access for more details about the Stax Identity Service.

Choose Your Provider

If you use one of the Identity Providers below, choose detailed instructions that can help you:

If you don't use one of the providers above, you'll need to work with your identity team and provide them the federation information detailed below.

Before You Begin

  • Ensure you are a member of the Admin role in your Stax tenancy

Service URIs

Stax generates your SAML URIs from a well-known format, so you can deduce what they'll be in advance. First, you'll need to determine your organization alias and your short installation ID.

Your organization alias is the same value you enter at the Stax console login page, for example stax-demo.

Your short installation ID can be derived from the Stax Installation Region your Stax tenancy is based in. You can see the installation by choosing the drop-down next to your organization alias once logged into the Stax console. From there, review the Stax Installation Region document to determine your short installation ID.

Once you've determined your organization alias and short installation ID, you can form the URIs required for SAML setup:

| URI | Format | Example |
|---|---|---|
| Entity ID | https://id.security.<organization-alias>.<short-installation-id>.staxapp.cloud/auth/realms/master | https://id.security.mega-corp.au1.staxapp.cloud/auth/realms/master |
| SAML 2.0 Service URL | <entity-id>/broker/saml/endpoint | https://id.security.mega-corp.au1.staxapp.cloud/auth/realms/master/broker/saml/endpoint |

Claims

| Claim | Description | Notes |
|---|---|---|
| NameID | Unique identifier for the user | The NameID claim must contain the Format attribute with a value of urn:oasis:names:tc:SAML:2.0:nameid-format:persistent. See section 8.3 of Assertions and Protocols for SAML 2.0 for more information. |
| email | Email address of the user | Used for sending notifications and alerts to the user. |
| firstName | First name of the user | Used for display purposes within the application. |
| lastName | Last name of the user | Used for display purposes within the application. |
| Role | Stax role: customer_admin, customer_operations, customer_costadmin, customer_user, customer_readonly | The level of access to be granted to the user upon sign-in. |

See Permissions in Stax for more information on Stax roles.
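
One way to check a test assertion from your IdP against the claims listed above before raising the support case, as an added example that is not Stax's own code. It assumes each claim is sent as a SAML Attribute whose Name is the claim name shown above, and the sample assertion is constructed for illustration.

```python
# Added example: checks a decoded SAML assertion against the Stax claims list.
# Assumption: each claim is sent as a SAML Attribute whose Name is the claim name.
# It inspects claims only; it does not verify the assertion signature.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
REQUIRED = ("email", "firstName", "lastName", "Role")
STAX_ROLES = {"customer_admin", "customer_operations", "customer_costadmin",
              "customer_user", "customer_readonly"}

def check_assertion(xml_text):
    """Return a list of problems; an empty list means the claims look right."""
    root = ET.fromstring(xml_text)
    problems = []
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("NameID missing or empty")
    elif name_id.get("Format") != PERSISTENT:
        problems.append(f"NameID Format is {name_id.get('Format')!r}, expected persistent")
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = [v for v in values if v]
    for claim in REQUIRED:
        if not attrs.get(claim):
            problems.append(f"claim {claim} missing or empty")
    for role in attrs.get("Role", []):
        if role not in STAX_ROLES:
            problems.append(f"Role value {role!r} is not a Stax role")
    return problems

# Constructed sample assertion (not real IdP output) with three deliberate faults.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jo@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>jo@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Jo</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Role"><saml:AttributeValue>admin</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    for problem in check_assertion(SAMPLE):
        print("FAIL:", problem)
```

Run it on an assertion captured from a test sign-in with your own IdP; an IdP that emits a transient or email-format NameID, or a role name outside the five Stax roles, is reported here.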

Other Information

Your SAML IdP may require some more information:

  • Token Signing Hash Algorithm: SHA-256
  • Token Encrypting Certificate: Not required

Configuring Stax to allow SAML Sign In

When you're ready to have Stax configured, you will need to raise a support case with either your SAML metadata file or ACS URL of your SAML IdP, as well as your SAML 2.0 Service URL.

Once SAML is configured on your Stax tenancy, the support team will be in touch to let you know that it's ready to be tested.

How do you know this worked?

Note: At this time, Stax does not support IdP-initiated sign-ins. You must use SP-initiated sign-in to access Stax.

The next time you navigate to your Stax Console login page, you'll see a new Continue with Corporate ID button at the top. Clicking this button takes you to your SAML sign-in page. Log in to the IdP and you'll be signed into your Stax tenancy.