Enabling SSO with SAML

Setup SSO authentication using SAML to manage access to your Cable App with your existing Identity Provider (available by Request)

The Cable Platform supports SAML 2.0 as an authentication provider – allowing your workforce to sign into our web app using your existing identity management platform.

This guide assumes you have a basic understanding of SAML and how it works. If you’re unfamiliar with SAML you might want to ask your IT team for help, alternatively contact us for support.

Configuring SAML

Getting the ‘Authorisation Admin’ user role

To be able to administer SSO settings for your organisation, your user must be given the ‘Authorisation Admin’ role within the Cable Platform. Talk to your Cable point of contact to have this role applied to your account.

This user role allows the given user to:

View and edit SSO settings within Cable
Enforce the use of SSO for users to access their organisation
Always be able to login with an email and password in the event of SSO misconfiguration

Setup with your SAML Identity Provider with a Service Provider (Cable)

Within your SAML Identity Provider you will need to set up Cable as a Service Provider.

Some providers allow you to provide the Metadata URL which can make a lot of the set-up automatic. However, you might have to adjust some of the settings.

SP Settings

Field	Value
Metadata URL	`https://shield.cable.tech/saml/metadata`
Entity ID	`https://shield.cable.tech`
ACS / SSO URL	`https://shield.cable.tech/saml/acs`
Start Page URL (optional)	`https://app.cable.tech/auth/signin`

SAML Attribute Mappings

When setting up your Identity Provider you will have the option to configure some attribute mappings or claims, at a minimum you must provide a mapping for the email claim

Attribute	Alternatives	Description
email		The user’s email address
first_name	givenname, name	The users first name
last_name	familyname	The users last name

Name ID / Subject ID format

PERSISTENT is the best option
EMAIL can work if you don’t expect to be able to change your users email addresses

Setup with Cable with the Service Provider Metadata

You must now provide the IDP SSO Descriptor as XML to the Cable application.

You can do this by:

Sending the Metadata XML to your Cable point of contact
Visiting https://app.cable.tech/settings

Testing it’s working

Once the configuration is applied you can test it by logging out of the Cable App and attempting an SSO sign in. If you experience an error you can still sign in with your existing email and password and adjust the configuration.

Only users with the ‘Authorisation Admin’ role will be able to sign in with their email and password after the configuration has been applied. All other users will be required to use SSO.

Common Issues

This is commonly caused by an incorrect attribute or claim mapping, you must configure the email claim correctly so that users can be correctly identified. The attribute must be called email without any namespace.