Security Assertion Markup Language (SAML) Single Sign-on (SSO) for Site Managers

Modified on Wed, Jul 31 at 12:09 PM

Heads up! This article is intended for Site Managers


Our Single Sign-on (SSO) feature lets users sign into your Get Connected site with the account they already use at your business, school, or other organization. Get Connected accepts the login only after your own identity system confirms that the user has authenticated there, so users do not need a separate set of Get Connected credentials. 

So you know: We recommend that this feature be implemented only by individuals in an IT Support role.


What's supported? 

We support Security Assertion Markup Language (SAML) and also JSON Web Tokens (JWTs). SAML may require additional charges depending on the setup. This article covers SAML. 


How SAML SSO works

Here is how SAML SSO works: 


1. A user is directed to your identity provider to log in. 

2. They log in there with their usual credentials. 

3. Your identity provider sends a signed SAML response to the Get Connected site. We validate the signature (and decrypt the assertion if your identity provider encrypts it) before trusting anything it contains. 

4. We log the user in. 

  • If they have a profile, we log them into it. 
  • If they don't have a profile, we create one, log them into it, and ask them to provide any information that was not sent in the payload. 


How to set it up

Here is what we and your IT staff each need to complete to set up this SSO integration: 


Step 1. You complete the CSR request form. We generate a Certificate Signing Request (CSR) and send it to you; you have your certificate authority issue the SSL/TLS certificate from that CSR and send the certificate back to us. Because we generate the CSR, the private key stays on our side and never needs to be sent anywhere. 

  • If a custom domain is being used, it must be set up before the certificate can be issued, which results in additional fees. Please contact support@galaxydigital.com to inquire about these fees. 
  • If your site uses the default domain Galaxy Digital created for it (no custom domain), this step can be skipped and we will use our wildcard certificate instead.

So you know: There are additional fees if your site is using a vanity domain (i.e., any domain other than the one created by Galaxy Digital when your site was created). Please contact support@galaxydigital.com to inquire about this integration and the additional fees. 


Step 2. You send us the URL of your identity provider's public SAML metadata. The assertions your identity provider issues must carry these attributes: 

  • Given Name
  • Surname
  • Email Address
  • Unique identifier (optional)

The SAML assertion must also contain a Subject element with a NameID: 

  <saml:Subject>
      <saml:NameID>ABC123456</saml:NameID>
  </saml:Subject>


So you know: The value for NameID is usually the user's Unique Identifier (UID) in your system, e.g., an employee or student ID number. Choose a value that stays the same for the life of the account, since it is how we recognize a returning user. Sending the UID as a separate attribute in the payload is optional; if you want to include it, let us know which attribute name to use. 


Step 3. Once we receive the SSL certificate, we add the load balancer and install the certificate for your selected domain. 

  • If your site uses the default domain Galaxy Digital created for it (no custom domain), this step can be skipped and we will use our wildcard certificate instead.


Step 4. We enable SAML on your site. 


Step 5. We provide you with the Get Connected (service provider) metadata so that your IT staff can complete the configuration on your identity provider. 


Step 6. We test the connection and troubleshoot as necessary. 

✏️ Quick tip: Providing us with test credentials can expedite this process. Please consider creating a set of credentials with login permissions or giving access to an existing test account. 


Step 7. We notify you that the process is complete and that SSO can be used by anyone who has permission to log into your system. Occasionally we make small, limited changes at this point, such as adjusting the wording on buttons, as applicable.