HappyFox provides Secure Assertion Markup Language (SAML), which allows you to provide single sign-on (SSO) for your HappyFox account using identity providers such as Azure Active Directory, Onelogin, Okta, Smartsignin or a SAML compatible app that you host on your own. Single sign-on using SAML is available on Mighty plan and above.
HappyFox allows you to use SAML to authenticate and log in to both agent and contacts.
Steps to Configure a Custom SAML SSO:
- Navigate to Apps >> Single Sign-on >> Custom SAML Method.
- HappyFox needs the following information to be entered in our SAML Integration page
- The URL to be redirected to when someone clicks on the Login with SAML button in HappyFox (SSO Target URL).
- The SAML certificate from your SAML server. X.509 certificates are supported and should be in PEM format.
- Additionally, you can specify if you would want agents and/OR end-users to authenticate their login using SAML.
- Enable the "Map Custom Field values from SAML option to synchronized contact custom fields with the identity provider. Learn more.
- You can disable the traditional username/password login method by enabling the "Disable Standard login for agent/contact" toggle.
Note: Only one SAML based Single Sign On integration can be active at a time, in a HappyFox helpdesk account.
Things to remember:
- Customers/Users/Contacts are expected to login into the contact portal and agent members are expected to login into agent portal. The right URL should be shared with concerned parties.
- Agents logging in for the first time will need to be approved by an administrator from the Manage > Pending SSO Agents tab.
- The custom domain in HappyFox (if present) needs to be SSL enabled in order to work with SAML based SSO integrations like Classlink.
Enable Encrypted SAML assertions:
You can also encrypt your SAML assertions for added security. To know more about this feature, click here.
The SAML server might require the following information:
-
The Access Consumer Service (ACS) URL is
https://<accountname>.happyfox.com/saml/callback/. If you only need to authenticate agent members, you can use https://<accountname>.happyfox.com/staff/saml/callback/.
Note:
#1 - If you are using more than one SAML integration in HappyFox, then the ACS callback url for custom SAML should be
https://<account-name>.happyfox.com/saml/custom-saml/callback/ or https://<account-name>.happyfox.com/staff/saml/custom-saml/callback/
#2 - If you are using custom domain on your HappyFox help-desk, ensure to include the ACS url in both custom domain format and in default HappyFox url format
2. Destination attribute of SAML Response should be https://<accountname>.happyfox.com/saml/callback/. If you only need to authenticate agent members, you can use https://<accountname>.happyfox.com/staff/saml/callback/.
a. The recipient attribute of Subject Confirmation Data should be https://<accountname>.happyfox.com/saml/callback/. If you only need to authenticate agent members, you can use https://<accountname>.happyfox.com/staff/saml/callback/.
b. SPNameQualifier (optional) attribute of NameID should be https://<accountname>.happyfox.com/saml/client-metadata/. If you only need to authenticate agent members, you can use https://<accountname>.happyfox.com/saml/metadata/
c. The NameID format should be urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress. This email address is used to match and/or create the agent or contact as necessary in HappyFox. With this attribute, the name and email ID of the user will be pulled in from the SAML identity provider into HappyFox.