The Goal: Configure GrowthZone as the SAML SSO identity provider so members can use an InfoHub link to seamlessly access a third-party service (for example, a vendor journal or portal).
Before You Begin:
- SAML SSO documentation from the service provider/vendor (Issuer/Entity ID and at least one Assertion Consumer Service / Authorized Redirect URL).
- FusionAuth Prod access. Setting up the Identity Provider requires elevated access that Platform Integrations does not have, so coordinate with Jason M. or another authorized staff member.
- The customer’s association URL and, where applicable, OAuth Client Id, Secret, and endpoints.
In some situations GrowthZone can act as the identity provider for a SAML SSO configuration. The steps below are guidelines for future setups; the details and exact configuration will vary by vendor. One working example is GZ 4594, American College of Medical Toxicology (ACMT), where a link was configured in their InfoHub for member access to their Journal of Medical Toxicology.
Step-by-Step Instructions
- Obtain SAML SSO documentation from the service provider. In the ACMT example, this was Springer Nature: https://librarian.springernature.com/single-sign-on
- In FusionAuth Prod, create a new application using the naming convention [GrowthZone] - {Customer Name/Acronym}: {Vendor Name/Acronym}. For example, the application for the American Journal of Medical Toxicology is [GrowthZone] - ACMT: Springer Nature. The Tenant will be GrowthZone (or MemberSuite as needed). In the application’s SAML tab, enter the Issuer/Entity ID provided by the vendor, plus at least one Authorized Redirect URL / Assertion Consumer Service (ACS). Be sure to save the application after making entries or updates.
- Depending on the vendor’s SSO documentation or needs, you may need to provide them with the metadata URL and Entity Id created in the FusionAuth application in the previous step. After the vendor confirms they have loaded the metadata and info into their system, proceed to the next step.
- Create an Identity Provider in FusionAuth. Platform Integrations does not have access to that area of FusionAuth, so Jason M. or someone else will need to assist with setting up an Identity Provider. For the ACMT example, the Identity Provider was configured using a Client Id and Secret and OAuth endpoints for their association URL https://americancollegeofmedicaltoxicology.growthzoneapp.com/. A toggle switch was then activated within the Identity Providers area to relate the IdP to the ACMT application in FusionAuth.
- Apply a generic template to the OAuth authentication page in FusionAuth > Templates. Template items such as additional login fields and other links can be hidden from view with CSS in the template's CSS area. For example, see the FusionAuth theme titled ACMT.
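The following script is an added example, not GrowthZone or FusionAuth code. It covers the two hand-offs in the procedure above: it parses the IdP metadata document you would send to the vendor (entity ID, SSO endpoints per binding, and whether a signing certificate is published) and sanity-checks the vendor's ACS / Authorized Redirect URLs before they are entered in the FusionAuth application. Signed assertions are POSTed to exactly those ACS locations, so a wildcard, a plain-http URL or a host outside the vendor's domain is worth catching before the setup goes live. The metadata XML, the vendor domain and every URL in it are constructed placeholders, not values from any real configuration.

```python
"""Pre-flight checks for a GrowthZone-as-IdP SAML setup (added example)."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample of IdP metadata in the general SAML 2.0 shape.
# Entity ID, URLs and certificate are placeholders.
SAMPLE_IDP_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example-placeholder.com/samlv2/EXAMPLE-APP-ID">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIIB-PLACEHOLDER-CERT-BASE64</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example-placeholder.com/samlv2/login/EXAMPLE-APP-ID"/>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example-placeholder.com/samlv2/login/EXAMPLE-APP-ID"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_idp_metadata(xml_text: str) -> dict:
    """Extract what the vendor needs from IdP metadata: entity ID, SSO endpoint
    per binding, and whether a signing certificate is published.
    Metadata fetched from a third party should be parsed with defusedxml
    rather than the stdlib parser used here for the constructed sample."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this looks like SP metadata, not IdP metadata")
    endpoints = {}
    for sso in idp.findall("md:SingleSignOnService", NS):
        # "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" -> "HTTP-POST"
        endpoints[sso.get("Binding", "").rsplit(":", 1)[-1]] = sso.get("Location")
    has_cert = False
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without 'use' covers both signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if cert is not None and (cert.text or "").strip():
            has_cert = True
    return {
        "entity_id": root.get("entityID"),
        "sso_endpoints": endpoints,
        "has_signing_cert": has_cert,
    }


def check_acs_urls(acs_urls, vendor_domain: str) -> list:
    """Return findings for the ACS / Authorized Redirect URLs before they are
    entered. Each must be an exact HTTPS URL on the vendor's domain, with no
    wildcard and no fragment; an empty list means all URLs passed."""
    findings = []
    for url in acs_urls:
        p = urlparse(url)
        host = p.hostname or ""
        if p.scheme != "https":
            findings.append(f"{url}: scheme must be https")
        if "*" in url:
            findings.append(f"{url}: wildcards are not an exact ACS URL")
        if host != vendor_domain and not host.endswith("." + vendor_domain):
            findings.append(f"{url}: host {host!r} is not under {vendor_domain}")
        if p.fragment:
            findings.append(f"{url}: drop the fragment; enter the bare ACS URL")
    return findings


if __name__ == "__main__":
    print("Send to vendor:", parse_idp_metadata(SAMPLE_IDP_METADATA))
    # Constructed vendor ACS URLs; the second one should be flagged.
    candidate_acs = [
        "https://sso.vendor-placeholder.com/saml/acs",
        "http://sso.vendor-placeholder.com/saml/acs",
    ]
    for finding in check_acs_urls(candidate_acs, "vendor-placeholder.com"):
        print("FIX:", finding)
```

Run it against the metadata URL's actual contents once the FusionAuth application is saved; if `has_signing_cert` comes back False or the entity ID differs from what was entered in the SAML tab, the vendor will not be able to validate assertions and the link in the InfoHub will fail.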
Common Pitfalls
- Logged-in session interference: Testing the SAML SSO requires a test user with credentials for logging into the InfoHub. Test the links in Incognito/Private Browsing mode, or first log out of GrowthZone; otherwise the GZ staff login session will interfere with the authentication process.