In addition to the internal user authentication mechanism, eLabNext offers various Single Sign-On (SSO) authentication options (e.g. AD/LDAP/SAML).
For Private Cloud installations, SAML authentication is required. eLabNext has been tested to support SAML authentication with:
- Microsoft Entra ID
- KeyCloak
- Microsoft Active Active Directory Federation Services (AD FS)
- SimpleSAMLphp Service Provider
- OKTA server
- Onelogin
How to Set Up and Test SAML Single Sign-On (SSO)
This guide provides instructions for configuring and testing SAML Single Sign-On (SSO) with various Identity Providers (IdPs). By connecting user authentication in eLab with your organization's existing authentication system, you can streamline the login process for your users.
VERY IMPORTANT NOTICE
After activating SAML, you can get locked out if the configuration is incorrect or if you forget to enable Automatic User Creation. If you are locked out, you can use the bypass URL to log in with local credentials:
General SAML Configuration Steps
Setting up SAML can only be done by a user with the System Administrator role. The process involves configuring both your Identity Provider (IdP) and eLab (the Service Provider, SP).
1. Navigate to the SAML Configuration Panel
- Log in to eLab as a System Administrator.
- Go to the System Admin Console (https://[your-elab-domain]/admin/).
- In the System tab, click on SAML Single Sign-On.
2. Configure Your Identity Provider (IdP)
In the SAML configuration panel in eLab, you will find the required Service Provider information.
Use the Service Provider Entity ID, SAML Metadata URL, SAML Assertion URL, and Single Logout URL to set up eLab as a trusted application within your IdP (e.g., ADFS, Azure AD, Okta).
When configuring your IdP, you must set up claims to pass user attributes to eLab. Ensure the following claims are correctly mapped:
- Name ID (A persistent, unique identifier for the user)
- mail or email (User's email address)
- givenName (User's first name)
- sn or surname (User's last name)
3. Configure eLab with Your IdP Metadata
- Once your IdP is configured, locate its federation metadata URL.
- Return to the SAML Single Sign-On panel in eLab.
- Enter the metadata URL from your IdP into the designated field and click Load Data.
- The system will test the connection and retrieve the necessary configuration data from your IdP.
- Remember to enable Automatic User Creation if your users do not already have accounts in eLab.
Certificate Renewal
Important: When an organization renews its SAML certificates, the metadata should be reloaded in the eLabnext installation by clicking Load Metadata to reinitialize authentication with the organisation. To avoid any issues, please contact eLabNext Support before renewing certificates for more information.