ISL Online supports Single Sign-On (SSO) integration using SAML 2.0, an open standard for exchanging authentication and authorization data between an Identity Provider (IdP) and a Service Provider (SP). ISL Online functions as the Service Provider (SP) and assumes that the customer hosts and manages the Identity Provider service. Once established, this integration creates a secure access control system, allowing your users to authenticate through your company's SSO portal when they log in to ISL Online Cloud products.

This integration adds another layer of security and offers users a single authentication point for different and completely independent software systems. SSO also enhances user experience by enabling them to authenticate once and then access multiple products during their session without needing to authenticate separately for each one.

Requirements

To use SAML 2.0 Single Sign-On with your ISL Online Cloud account, you will need:

• ISL Online Premium Cloud License (Compare Pricing Plans)
• Access to your main ISL Online Cloud account
• Custom ISL Online domain name (Change Domain Name)
• SAML 2.0 compatible Identity Provider (provisioning and managing is your responsibility)
• SAML 2.0 compatible ISL Online applications:
  • ISL Light 4.4.1906.12 or newer for desktop
  • ISL Light 4.4.1825.40 or newer for Android
  • ISL Light 4.4.1809.35 or newer for iOS
  • ISL Pronto 4.4.1932.38 or newer for desktop

Configuration

Once SAML 2.0 Single Sign On (SSO) is configured for your account, your users will authenticate through your SSO portal. Creating new users and changing their user profile attributes on ISL Online User Management pages will be disabled.

Change ISL Online Domain name

Step 1

If you haven't done already, change the Domain name to a fitting name, that represents your company/organization. A good example of domain name for a company named “MyCompany Inc.” would be “mycompany”.

Important: remove any special characters, such as dot, dash, ... symbol from your domain name (e.g. ".", "-", ...).  If your company name is "My-Company", use "mycompany" for your ISL Online domain name instead.

Keep existing users 

Step 2

If you're just starting fresh with your new ISL Online account and haven't created any additional users yet, new users will be automatically created upon their first SSO sign on.
Your main ISL Online user account and any additional users you have created and used before, must be mapped to your external users on your Identity Provider in order to keep access to the same user accounts. To accomplish this user remapping, we will need username values for your existing ISL Online user accounts with the accompanying username values from your Identity Provider. You will need to prepare the CSV (Comma Separated Value) file with your existing ISL Online users and their SSO usernames: 

1. Export existing ISL Online users to CSV file. Login with you main ISL Online account, navigate to  “Users” page and click on “Export to CSV” button below the table.
2. Export matching user list from your Identity Provider, obtain the values that you will be using as unique user identifier (username) attribute on your Identity provider (usually User Principal Name - UPN).
   Important: our system is case sensitive regarding usernames, so make sure to copy/extract the exact username values from your Identity Provider.
3. Open exported CSV of ISL Online users with your spreadsheet editor and add “SSO username” column at the end. Fill it with matching usernames from your Identity Provider obtained in the previous step.    
   Example:

“Full Name”,“Nickname”,"Username","Email address",…"SSO username" 
“Jane Thomas”,"Jane","jane.t","jane.thomas@mycompany.com",…"jane.thomas@mycompany.com"
“Tim Wright”,"Timmy","tim.w","tim.wright@mycompany.com",…"tim.wright@mycompany.com"
…

4. Attach the CSV file to the email request for SAML 2.0 SSO integration, described in the next step.          
 

Note: Avoid adding new ISL Online users manually to your account during the migration to SSO authentication. Users that will not be present in the CSV file provided to us, will not be remapped to the existing user accounts (new users will be created instead upon their first login).

Request SSO Integration

Step 3 (Send email)

Next, send an e-mail to support@islonline.com with the following format to request SAML 2.0 Single Sign On (SSO) integration. Make sure to attach the remapping CSV file from the previous section.

Important: Request email must be sent from the same email domain as your ISL Online main account's email domain.

subject: 
Hosted service - SAML 2.0 Single Sign On (SSO) integration for <your company name>

body:
Please enable SAML 2.0 Single Sign On (SSO) for our company.
Our ISL Online account e-mail is: <your ISL Online account e-mail>
Our ISL Online domain is: <your registered ISL Online domain, e.g. \\mycompany>
Our SAML 2.0 identity provider is: <your identity provider, e.g. Microsoft EntraID, Okta, …>

attachment:
<CSV file with your existing ISL Online users and their SSO usernames>

Service Provider Information

Step 4

ISL Online team will perform several validation checks before proceeding to the next steps. You will hear from us for any missing information or additional requests from our side. Once your account is cleared to proceed with the integration, you will receive the email from us with our SAML 2.0 Sevice Provider information. This information is required for you to configure your Identity provider (IdP) in the next step:

• Identifier (Entity ID): https://www.islonline.net/sso/saml/sp/domain/<domain>/metadata.xml
• Reply URL (Assertion Consumer Service URL): https://www.islonline.net/sso/saml/sp/domain/<domain>/acspost
• Sign on URL (Optional): https://www.islonline.net/users/isllight/start.html
• Logout URL: https://www.islonline.net/sso/saml/sp/domain/<domain>/slopost
• SAML 2.0 Service Provider Encryption certificate: sso-<domain>-<date>-saml-sp.cert

Some Identity providers may require from you to upload the SAML 2.0 Encryption certificate manually. We will attach your SAML 2.0 Service provider Encryption certificate in our email to you. Certificate will be in PEM format, but you may need to rename the file extension (e.g. .cer, .crt) or convert it to another format (DER) when uploading it to your Identity provider.

Note: SAML 2.0 endpoint URLs above that we will provide to you will contain your actual domain name instead of <domain>. Mind that those URLs will not be available until SAML 2.0 SSO is enabled for your domain on our end, but you can still use them in your SSO Identity provider manual setup. 

In the same email from us, we will request SAML 2.0 metadata URL/file from you, which you will obtain once you finish the configuration of your SAML 2.0 Identity provider.

Identity Provider Setup

Step 5

The email you will receive from us will contain SAML 2.0 Service Provider endpoint URLs, that you will require to setup your Identity Provider. We have prepared the following Identity Provider configuration manuals as a reference:

• Microsoft Entra ID
• Microsoft AD FS

Additional steps may be required for your Identity Provider, we recommend you review the documentation provided by your Identity Provider. 

Step 6 (Send email)

Once you complete the Identity Provider configuration on your side, please send an e-mail to support@islonline.com with the SAML 2.0 claims and Metadata URL/File from your Identity Provider.

Subject:
Hosted service - SAML 2.0 Single Sign On (SSO) integration for <your company name> 

Body:
We have configured our SAML 2.0 Identity provider.

Our ISL Online account e-mail is: <your ISL Online account e-mail> 
Our ISL Online domain is: <your registered ISL Online domain, e.g. \\mycompany> 
Our SAML 2.0 identity provider is: <your identity provider, e.g. Microsoft EntraID, Okta, …>
Our SAML 2.0 federation Metadata URL is: <SAML 2.0 federation metadata URL>

Our SAML 2.0 claims:
Username (mandatory): Unique User Identifier (Name ID) 
E-mail (mandatory): <SAML 2.0 claim for email> 
Full name (optional): <SAML 2.0 claim for full name> 
User groups (optional): <SAML 2.0 claim for user group name>

attachment:
<optional - SAML 2.0 federation metadata XML file, if URL not available>

Note: Metadata URL is preferred over the metadata XML file in order to automate the rollover of your Identity provider SAML 2.0 encryption/signing certificates in the future. 

Login with SSO

Step 7 

Once we complete the configuration on our side, we will notify you with the remaining information in order to complete the SAML 2.0 SSO integration. In order to validate successful integration, navigate to www.islonline.com in your browser.

Click the Log In button at the top right corner of the ISL Online home page.

Enter \\<your_domain>\. into the Email or Username field, leave Password field empty. Click the Login button to proceed to your SSO portal.

Login with your SSO account.


Once logged in back to ISL Online portal, make sure your user information matches. Existing user accounts should retain all the information from before (computers, session history, ...).

When you login with your main user account and navigate to Users page, you will notice some of the actions have been disabled, due to SSO configuration:

• Change Domain name
• Add New User
• Import Users From CSV
• Change Password
• Forgot Password
• Change Contact

Those actions should now be handled on your Identity provider.