How to configure SAML authentication with Amazon Web Services (AWS) SSO

Users whose organization has Amazon Web Services (AWS) SSO enabled can use it to log in to Highfive without going through Highfive's passwordless authentication flow.

Configure Highfive as an SSO Application in AWS

  1. Log in as a root user at the AWS SSO site.
  2. Go to Applications.
  3. Click Add a new application.
  4. Check the box for Add a custom SAML 2.0 application.
  5. Enter the display name (like: "Highfive") and the description (optional). Leave the Application Properties section values at their defaults.
  6. In the Application Metadata section, click the text link If you don't have a metadata file, you can manually type your metadata values.
  7. Complete the Application ACS URL field with the URL shown on the Highfive SAML configuration page.
  8. In the Application SAML audience field, type "Highfive" (without quotes).
  9. Click Save Changes.
  10. Open the Highfive application you just created.
  11. Click the Attribute mappings tab.
  12. Add the following attributes to this section:
    • user.firstName
    • user.lastName
  13. Set the following Supported AWS SSO attributes for each entry:

      User attribute in the application | Maps to this string value or user attribute in AWS SSO | Format
      Subject                           | ${user:email}                                          | unspecified
      user.firstName                    | ${user:givenName}                                      | basic
      user.lastName                     | ${user:familyName}                                     | basic

    • (Screenshot: AWS_SSO_Attribute_Mappings.png)
    • More info about attributes is in the Attribute mappings article.
  14. Click Save changes.
  15. Return to the Highfive SAML Configuration page via Dashboard > Authentication.
  16. Copy the following SSO metadata from the new application you created in the AWS SSO tool into the Highfive SSO setup page in the admin dashboard:
    • AWS SSO sign-in URL (goes in the SAML Provider URL field of the Highfive authentication settings)
    • AWS SSO issuer URL
    • AWS SSO certificate (download the certificate file, open it, and copy its contents into the Highfive form)
  17. Click Test configuration.
    • An AWS login window appears. Use your root user credentials to log in and complete the test.
    • When the login succeeds, the message "Test Successful! The following email address was returned from the SAML provider" appears, with the root user's email address shown on the page.
  18. Click Apply Configuration. The message "The configuration has been done successfully" appears, and AWS SSO is now enabled for the domain.
  19. (Optional) Test logging in with a few different user profiles to confirm that authentication works smoothly before announcing the new SSO option to the organization.
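The steps above configure the identity-provider side; what makes the setup safe is that the service-provider side checks the response it receives before trusting the mapped attributes. As an added example (not Highfive or AWS code), the script below validates the envelope of a SAML 2.0 Response the way a service provider must (Destination against the ACS URL from step 7, the Audience value "Highfive" from step 8, Issuer, status and validity window) and then extracts the Subject and the user.firstName / user.lastName attributes produced by the step-13 mappings. The ACS URL, the issuer URL and the sample response are constructed placeholders; only the attribute names and the audience value come from the steps above.

```python
# Added example (not Highfive or AWS code): validate the envelope of a SAML 2.0 Response
# the way the service-provider side of this integration must before trusting it, and pull
# out the fields produced by the step-13 attribute mappings. ACS URL, issuer URL and the
# sample response are constructed placeholders.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Placeholders: use the ACS URL shown on the Highfive SAML configuration page and the
# AWS SSO issuer URL copied in step 16. The audience is the value typed in step 8.
EXPECTED_ACS_URL = "https://example-tenant.highfive.invalid/saml/acs"
EXPECTED_ISSUER = "https://aws-sso-issuer.example.invalid/saml/assertion/PLACEHOLDER"
EXPECTED_AUDIENCE = "Highfive"

# Constructed sample of what AWS SSO emits with the step-13 mappings:
# Subject <- ${user:email} (format unspecified), user.firstName <- ${user:givenName},
# user.lastName <- ${user:familyName} (format basic). The XML signature is omitted.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2030-01-01T00:00:00Z" Destination="{EXPECTED_ACS_URL}">
  <saml:Issuer>{EXPECTED_ISSUER}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2030-01-01T00:00:00Z">
    <saml:Issuer>{EXPECTED_ISSUER}</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">alice@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2030-01-01T00:00:00Z" NotOnOrAfter="2030-01-01T00:05:00Z">
      <saml:AudienceRestriction><saml:Audience>Highfive</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="user.firstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue>Alice</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="user.lastName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue>Example</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def _ts(value):
    """Parse the UTC timestamps SAML uses (e.g. 2030-01-01T00:00:00Z)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_response(xml_text, now_iso, acs_url=EXPECTED_ACS_URL,
                   issuer=EXPECTED_ISSUER, audience=EXPECTED_AUDIENCE):
    """Check Destination, Status, Issuer, validity window and Audience, then return
    (email, first_name, last_name). Raises ValueError on any failed check.

    Signature verification is not done here: the SP's SAML library must verify the
    assertion signature against the AWS SSO certificate pasted in step 16 before any
    of the returned fields are trusted.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise ValueError("not a SAML 2.0 Response")
    if root.get("Destination") != acs_url:
        raise ValueError("Destination does not match our ACS URL")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("IdP did not report Success")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError("expected exactly one Assertion")
    assertion = assertions[0]
    if assertion.findtext("saml:Issuer", namespaces=NS) != issuer:
        raise ValueError("unexpected Issuer")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("missing Conditions")
    now = _ts(now_iso)
    if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion is outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if audience not in audiences:
        raise ValueError(f"assertion not addressed to {audience!r}: {audiences}")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not name_id.text:
        raise ValueError("missing Subject NameID")
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return name_id.text, attrs.get("user.firstName"), attrs.get("user.lastName")


def rejects(xml_text, now_iso):
    """True if parse_response refuses the response (exercises the failure paths)."""
    try:
        parse_response(xml_text, now_iso)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(parse_response(SAMPLE_RESPONSE, "2030-01-01T00:01:00Z"))
    # An assertion minted for some other application must not log anyone in here.
    other_app = SAMPLE_RESPONSE.replace("<saml:Audience>Highfive<", "<saml:Audience>OtherApp<")
    print("other audience rejected:", rejects(other_app, "2030-01-01T00:01:00Z"))
```

The Audience check is why step 8 matters: an assertion AWS SSO issues for a different custom application in the same account carries a different Audience value and is refused, even though it is signed by the same certificate. The Destination check likewise ties the response to the ACS URL entered in step 7. Both checks are only meaningful once the signature has been verified against the certificate from step 16, which a real SP library does before looking at any of these fields.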
