Arlo

Arlo SAML 2.0 Authentication

SAML 2.0 is an open standard for authentication and authorization. Arlo supports login to both the management platform and customer checkout.

Terminology

Identity provider (IDP) - The system that issues authentication for a user
Service provider (SP) - Arlo is the SP in our case. The SP accepts identities provided by the IDP
Just-in-time (JIT) provisioning - Creating a user account in Arlo "just in time" as it is required
Metadata - Each IDP and SP provides a public XML metadata document with information about the system. By convention accessible at saml2/metadata

Getting started

Contact Arlo Support to get access to SAML SSO settings. You may wish to use a UAT platform as a sandbox to confirm your configuration works with Arlo as intended.

Setup

All configuration can be accessed via https://{yourplatform}/management/Console/#/settings/saml/

You can edit your IDP settings via the dropdown box at the bottom of the page.

The key fields you need here are Entity ID, Sign-on URL and Certificate. These can be found in the metadata file provided by your IDP. Ensure these are fully formatted; this tool will ensure your certificate is in the right format to upload.

Configuration options

Name / Friendly name: Internal name this IDP is known by
Entity ID: EntityID. Can be found in IDP metadata
SignOnUri: The login page URI of the IDP. Can be found in IDP metadata as property SingleSignOnService (redirect binding)
Service provider EntityID override: (optional) overrides the SP EntityID. By default it will be the platform URL
Certificate: Certificate provided in IDP metadata
IDP email hints: If the email address entered at login matches one of these hints, the login page will suggest this IDP
Force authentication: Tells the IDP that the user must log in again every time they authenticate over SAML. Some IDPs may not support this attribute
Enable JIT Provisioning: If enabled, accounts will be created on the fly in Arlo as users log in for the first time. If not, the user must be pre-created in Arlo and mapped to a user in the IDP
User property mappings: Dictionary of attribute names provided by the IDP and the associated user fields they should be mapped onto in Arlo
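The three values the settings page asks for (Entity ID, Sign-on URL for the redirect binding, and the signing certificate) all live in the IDP's metadata document, and the certificate usually needs reformatting before upload. The following script, added here as an illustration and not Arlo's own code or tooling, pulls them out of a metadata file and normalises the certificate into PEM. The metadata it parses is constructed for the example (fake entity ID, fake hostnames, placeholder certificate body); the function names are chosen for this example only.

```python
# Added example (not Arlo's code): extract Entity ID, redirect-binding
# Sign-on URL and the signing certificate from IdP metadata, and turn the
# certificate into PEM. The metadata below is constructed for this example.
import textwrap
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample metadata: fake entity, fake hostnames, placeholder
# certificate bodies. Only its shape matches what real IdPs publish.
SAMPLE_IDP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.test/saml2/metadata">
  <md:IDPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>ENCRYPTIONKEYNOTFORSIGNATURECHECKS</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>
          CONSTRUCTEDBASE64CERTIFICATEBODYFORTHISEXAMPLEONLYLINEONEPADPADPAD
          CONSTRUCTEDLINETWO==
        </ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/saml2/sso/post"/>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml2/sso/redirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def to_pem(raw_b64: str) -> str:
    """Strip the whitespace and newlines metadata often carries inside the
    certificate element and wrap the base64 body at 64 columns between
    PEM headers."""
    body = "".join(raw_b64.split())
    lines = textwrap.wrap(body, 64)
    return ("-----BEGIN CERTIFICATE-----\n"
            + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


def extract_idp_settings(metadata_xml: str) -> dict:
    """Return entity_id, sign_on_uri (HTTP-Redirect binding only, since
    that is the binding Arlo uses) and certificate_pem (the signing
    certificate) from an IdP metadata document."""
    root = ET.fromstring(metadata_xml)
    entity_id = root.get("entityID")
    idp = root.find("md:IDPSSODescriptor", NS)
    if entity_id is None or idp is None:
        raise ValueError("not an IdP metadata document")

    # Only the redirect binding is usable with Arlo; skip POST/Artifact endpoints.
    sign_on = [
        sso.get("Location")
        for sso in idp.findall("md:SingleSignOnService", NS)
        if sso.get("Binding") == REDIRECT_BINDING
    ]
    if not sign_on:
        raise ValueError("IdP publishes no HTTP-Redirect SingleSignOnService")

    # Take the signing key. A KeyDescriptor with no "use" attribute serves
    # both purposes and is accepted; an encryption-only key must not be
    # used to verify assertion signatures, so it is skipped.
    cert_elems = [
        kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        for kd in idp.findall("md:KeyDescriptor", NS)
        if kd.get("use") in (None, "signing")
    ]
    certs = [c.text for c in cert_elems if c is not None and c.text]
    if not certs:
        raise ValueError("IdP metadata carries no signing certificate")

    return {
        "entity_id": entity_id,
        "sign_on_uri": sign_on[0],
        "certificate_pem": to_pem(certs[0]),
    }


if __name__ == "__main__":
    for key, value in extract_idp_settings(SAMPLE_IDP_METADATA).items():
        print(f"{key}:\n{value}\n")
```

Run it against a saved copy of your IDP's metadata by passing the file contents to extract_idp_settings; the values it returns map one-to-one onto the Entity ID, SignOnUri and Certificate fields above. The script deliberately refuses metadata that offers no redirect endpoint rather than silently falling back to the POST one, since Arlo would not be able to use that endpoint.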

Testing your setup

Once you have setup your IDP configuration you can start testing via either the management login page or checkout. You can enable and set the registration Identity

Management platform

We suggest not using "Replace login page with Identity provider's login page" immediately as it will be hard to access our login page if you incorrectly configure the logic.
If you do get stuck on the login page, go to /management/Account/Login.aspx?support=true to bypass the redirect.

Go to the login page and enter an email address as the username with the same domain as you entered in IDP email hints. This will cause the "SSO log in" button to appear.

Checkout / Website

Warning: In a live system this will affect all users trying to access your checkout. It's recommended you test this in UAT first or at a time of low traffic.

Enable "Registration IDP enabled" and set the default registration IDP to your IDP. Proceed to the checkout and you should get an option to log in via your IDP.

Provisioning / migrating users to new IDP

Depending on whether you use JIT provisioning or not, the experience here is quite different.

JIT provisioning

In this mode any user that logs in will be created on the fly. Where a user logging in for the first time matches the first name, last name and email of an existing registrant, they will assume that identity, provided the existing user has not been assigned to an IDP before.

Manual provisioning (JIT disabled)

This is the recommended approach for your management platform users. It requires a manual step by an administrator before a user can log in. The username field is a unique field which is also used to store the unique user id from the IDP. You must manually set the IDP of an existing user in Arlo to the desired IDP and set their username to the one provided by the IDP, so that the two records are treated as the same user.
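The two modes above differ only in what happens when no Arlo user is already mapped to the incoming IDP and username. The following in-memory model, added here as an illustration and not Arlo's own code, puts both rules in one place so the difference is easy to see. User, SamlIdentity, UserStore and resolve_user are names chosen for this example; the match on first name, last name and email and the "not yet assigned to an IDP" rule follow the text above, while case-insensitive email comparison is an assumption of this example.

```python
# Added example (not Arlo's code): an in-memory model of JIT and manual
# provisioning. Class and function names are chosen for this example.
from dataclasses import dataclass
from typing import Optional


@dataclass
class User:
    username: str              # unique; for SSO users this holds the IdP's user id
    email: str
    first_name: str
    last_name: str
    idp: Optional[str] = None  # name of the IdP this user is bound to, if any


@dataclass
class SamlIdentity:
    idp: str          # which configured IdP issued the assertion
    subject: str      # unique user id from the IdP (becomes the Arlo username)
    email: str
    first_name: str
    last_name: str


class ProvisioningError(Exception):
    pass


class UserStore:
    def __init__(self, users):
        self.users = list(users)

    def find_linked(self, idp, username):
        """User already bound to this IdP under this IdP-provided username."""
        for u in self.users:
            if u.idp == idp and u.username == username:
                return u
        return None

    def find_unassigned_match(self, ident):
        """Existing registrant with the same name and email that has never
        been assigned to any IdP. Users already bound to an IdP are never
        adopted, so one IdP cannot take over another IdP's users.
        Case-insensitive email comparison is an assumption of this model."""
        for u in self.users:
            if (u.idp is None
                    and u.first_name == ident.first_name
                    and u.last_name == ident.last_name
                    and u.email.lower() == ident.email.lower()):
                return u
        return None


def resolve_user(store, ident, jit_enabled):
    # Step 1 (both modes): a user pre-mapped to this IdP and username wins.
    user = store.find_linked(ident.idp, ident.subject)
    if user is not None:
        return user

    # Manual provisioning: no mapping means no login. An administrator must
    # set the IdP and username on the Arlo user first.
    if not jit_enabled:
        raise ProvisioningError(
            f"no Arlo user mapped to IdP {ident.idp!r} with username {ident.subject!r}")

    # JIT, step 2: adopt a matching registrant that has no IdP yet.
    match = store.find_unassigned_match(ident)
    if match is not None:
        match.idp = ident.idp
        match.username = ident.subject
        return match

    # JIT, step 3: otherwise create the account on the fly.
    user = User(username=ident.subject, email=ident.email,
                first_name=ident.first_name, last_name=ident.last_name,
                idp=ident.idp)
    store.users.append(user)
    return user


def make_sample_store():
    """Constructed sample data: one pre-mapped SSO user, one plain registrant."""
    return UserStore([
        User("bob-idp-id", "bob@example.test", "Bob", "Builder", idp="corp-idp"),
        User("alice", "alice@example.test", "Alice", "Archer"),
    ])
```

The point worth checking when you migrate users is step 2: once a registrant has been adopted by one IDP, a second IDP presenting the same name and email no longer matches that record and gets a fresh account instead, which is why existing management users are best mapped by hand (JIT disabled) before they first log in.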

Popular Identity Providers:

Arlo SAML authentication has been tested against popular IDPs. See the links below for further information on integration:

Limitations:

Some authenticated areas are not supported by SAML

  • Customer self-service portal
  • Mobile applications

The Arlo Auth API only partially supports SAML. As only the redirect binding is supported, you must authenticate via a browser. If you need to access the auth API by other means, you can create a user set as an "integration account" and access the auth API via basic auth.