Single Sign-On (SSO) with SAML 2.0

Written by Jarad on July 24, 2023

Single Sign-On (SSO) is a secure authentication method allowing users to access multiple applications with a single login credential. With SSO, users do not have to remember different usernames and passwords for each application. Instead, they can sign in once and access all their authorized applications.

Using SSO

Once SSO is enabled, your organization will receive a convenient link for signing in with SSO, which can be bookmarked or linked to.

If your Identity Provider (IdP) prompts for a Start URL, you can use this convenient link as your Start URL.

FastBound will set a first-party cookie every time a user successfully signs in with SSO. This cookie will trigger a panel to be displayed above our standard login form, reminding the user that your organization uses SSO with a “Sign on with YOUR_ORG” button.

Registering New Users

New users need only browse to the convenient SSO link provided.

FastBound will block registration attempts with an email address ending in your domain name. The user will receive an email reminding them their organization uses SSO with a convenient link for signing in.

Password Resets

Users must contact their IT team for assistance with password changes, recovery, or resets.

FastBound will block password reset attempts with email addresses ending in your domain name. Users will receive an email reminding them their organization uses SSO with a convenient link for signing in.

Existing Users

When users have already created user accounts with email addresses ending in your SSO domain name, we can convert those into SSO accounts, preserving existing access and permissions. Contact the FastBound support team for assistance.

SSO Considerations

  1. When a user authenticates via SSO, FastBound’s Time-based One-Time Password (TOTP) Two-Factor Authentication (2FA) will be disabled, delegating the responsibility of 2FA to the Identity Provider (IdP) to ensure a consistent and secure authentication experience across different services.

  2. If an Identity Provider (IdP) provides permissions via the optional account_XXXXXX permissions attribute, permissions will no longer be editable from Settings > Users.

  3. If an Identity Provider (IdP) supplies a first or last name via optional attributes that vary from what the user has entered in their user profile, it will be updated. The user can still change their name in their profile, but it will be overwritten the next time they sign in.

Enabling SSO Authentication

To enable SSO for your FastBound account, send the SAML 2.0 IdP metadata to the FastBound support team. You must also provide a fully-qualified domain name (FQDN) for which your Identity Provider (IdP) is an authority.

Assertion Consumer Service (ACS)

The SAML Assertion Consumer Service (ACS) is responsible for receiving, processing, and validating the SAML assertions generated by an Identity Provider (IdP) to authorize and grant user access.

FastBound’s Assertion Consumer Service (ACS) URL is:

https://cloud.fastbound.com/sso/saml2/acs

SAML Requirements

  1. Subject Assertions from your Identity Provider (IdP) must contain a NameID or a BaseID. NameID is the most common and probably the default for your Identity Provider (IdP).

  2. At least one of the Subject Assertions (it doesn’t matter which one) must contain a valid Internet email address. This email address is required for notifications and inviting SSO users to FastBound accounts.

SAML Attributes

FastBound supports the following optional SAML attributes. Attribute names are not case-sensitive. If your identity provider requires unique claim names, you can prefix account_XXXXXX attribute names with anything, as long as they still end with account_XXXXXX (e.g., settingsuser_account_XXXXXX).

Attribute Name    Attribute Value
givenname         User’s First Name
surname           User’s Last Name
account_XXXXXX    Permissions Bitmask representing the user’s permissions for account XXXXXX. Replace XXXXXX with a FastBound account number. You can specify multiple accounts in your response.
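The two SAML Requirements above and the attribute conventions in this table (case-insensitive names, an arbitrary prefix before account_XXXXXX, one bitmask per account) are what an Assertion Consumer Service has to extract from an assertion. The following Python is an added example written for this page, not FastBound’s ACS code: the assertion is a constructed, unsigned sample with a fictional issuer and account numbers, the function names are mine, and it assumes account numbers are decimal digits. It only reads fields; a real ACS verifies the XML signature, Issuer, Audience and validity window before trusting any of them.

```python
import re
import xml.etree.ElementTree as ET

# SAML 2.0 assertion namespace.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion for illustration only: unsigned, fictional
# issuer and account numbers. A real ACS verifies the XML signature,
# Issuer, Audience and validity window before reading any of these values.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_constructed-example" Version="2.0" IssueInstant="2023-07-24T00:00:00Z">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="GivenName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Surname"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="settingsuser_account_123456"><saml:AttributeValue>8772</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="account_654321"><saml:AttributeValue>0</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

# Same constructed assertion with a persistent (non-email) NameID and no email
# attribute, so it violates the "at least one valid email address" requirement.
SAMPLE_NO_EMAIL = SAMPLE_ASSERTION.replace(
    'Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.com',
    'Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">a1b2c3',
)

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
# Any attribute name ending in account_<number>; digits are an assumption here.
ACCOUNT_RE = re.compile(r"account_(\d+)$", re.IGNORECASE)
MAX_BITMASK = 65535  # all sixteen documented permission flags set


def _text(elem):
    return (elem.text or "").strip()


def parse_assertion(xml_text):
    """Extract the FastBound-relevant fields and list any requirement violations."""
    root = ET.fromstring(xml_text)
    result = {"subject": None, "email": None, "given_name": None,
              "surname": None, "accounts": {}, "errors": []}

    # Requirement 1: the Subject must carry a NameID or a BaseID.
    subject = root.find(".//saml:Subject", NS)
    ident = None
    if subject is not None:
        ident = subject.find("saml:NameID", NS)
        if ident is None:
            ident = subject.find("saml:BaseID", NS)
    if ident is None:
        result["errors"].append("Subject must contain a NameID or BaseID")
    else:
        result["subject"] = _text(ident)
        if EMAIL_RE.match(result["subject"]):
            result["email"] = result["subject"]

    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name", "")
        values = [_text(v) for v in attr.findall("saml:AttributeValue", NS)]
        if not values:
            continue
        lowered = name.lower()  # attribute names are not case-sensitive
        if lowered == "givenname":
            result["given_name"] = values[0]
        elif lowered == "surname":
            result["surname"] = values[0]
        else:
            m = ACCOUNT_RE.search(name)  # accepts any prefix before account_XXXXXX
            if m:
                try:
                    mask = int(values[0])
                except ValueError:
                    result["errors"].append(f"{name}: bitmask {values[0]!r} is not an integer")
                    continue
                if not 0 <= mask <= MAX_BITMASK:
                    result["errors"].append(f"{name}: bitmask {mask} outside 0..{MAX_BITMASK}")
                    continue
                result["accounts"][m.group(1)] = mask
        # Requirement 2: some value in the assertion must be a valid email address.
        if result["email"] is None:
            for v in values:
                if EMAIL_RE.match(v):
                    result["email"] = v
                    break

    if result["email"] is None:
        result["errors"].append("no valid email address found in Subject or attributes")
    return result


if __name__ == "__main__":
    print(parse_assertion(SAMPLE_ASSERTION))
    print(parse_assertion(SAMPLE_NO_EMAIL)["errors"])
```

Violations are collected rather than raised so that an ACS can log every problem with a rejected assertion at once; the constructed SAMPLE_NO_EMAIL shows the email requirement failing while the NameID requirement still passes.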

Permissions Bitmask

Bitmasks efficiently store multiple on/off settings or flags as a single number, and permissions are combined by adding numbers. For example, 0 represents no permissions; 65535 represents all permissions; and 8772 (4 + 64 + 512 + 8192) represents Create Disposition, Item Inventory Control, Form 4473, and Create Multiple Sale permissions.

Integer Value   Permission Flag
1               Create Acquisition
2               Commit Acquisition
4               Create Disposition
8               Commit Disposition
16              Download Contacts
32              Item Edit
64              Item Inventory Control
128             Item Download
256             Create Bound Book
512             Form 4473
1024            Contact Status
2048            Account Settings
4096            Download Bound Book
8192            Create Multiple Sale
16384           Dismiss Multiple Sale
32768           Transmit Multiple Sale
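The composition described under Permissions Bitmask (8772 = 4 + 64 + 512 + 8192) and its reverse, decoding a value the IdP sent back into named flags, carried through in Python as an added example; this is not FastBound’s own code. The flag table is the one on this page; the function names are mine. Because permissions set through the account_XXXXXX attribute are no longer editable in Settings > Users, the diff helper is the kind of check an administrator would run to see what an IdP-supplied mask grants or revokes relative to the previous one.

```python
# Permission flags from the FastBound bitmask table; each value is one bit.
PERMISSION_FLAGS = {
    1: "Create Acquisition",
    2: "Commit Acquisition",
    4: "Create Disposition",
    8: "Commit Disposition",
    16: "Download Contacts",
    32: "Item Edit",
    64: "Item Inventory Control",
    128: "Item Download",
    256: "Create Bound Book",
    512: "Form 4473",
    1024: "Contact Status",
    2048: "Account Settings",
    4096: "Download Bound Book",
    8192: "Create Multiple Sale",
    16384: "Dismiss Multiple Sale",
    32768: "Transmit Multiple Sale",
}
FLAG_BY_NAME = {name: bit for bit, name in PERMISSION_FLAGS.items()}
ALL_PERMISSIONS = sum(PERMISSION_FLAGS)  # 65535: every documented flag set


def is_valid_mask(mask):
    """True when mask is an integer within the documented range 0..65535."""
    return isinstance(mask, int) and 0 <= mask <= ALL_PERMISSIONS


def encode_permissions(names):
    """Combine permission names into one bitmask (bitwise OR, so repeats are harmless)."""
    mask = 0
    for name in names:
        mask |= FLAG_BY_NAME[name]  # KeyError on a name that is not in the table
    return mask


def decode_permissions(mask):
    """List the permission names set in mask, lowest bit first."""
    if not is_valid_mask(mask):
        raise ValueError(f"bitmask {mask!r} outside 0..{ALL_PERMISSIONS}")
    return [name for bit, name in sorted(PERMISSION_FLAGS.items()) if mask & bit]


def has_permission(mask, name):
    """True when the single named permission is set in mask."""
    return bool(mask & FLAG_BY_NAME[name])


def permissions_diff(old_mask, new_mask):
    """Return (granted, revoked) names when old_mask is replaced by new_mask."""
    granted = decode_permissions(new_mask & ~old_mask & ALL_PERMISSIONS)
    revoked = decode_permissions(old_mask & ~new_mask & ALL_PERMISSIONS)
    return granted, revoked


if __name__ == "__main__":
    example = ["Create Disposition", "Item Inventory Control",
               "Form 4473", "Create Multiple Sale"]
    mask = encode_permissions(example)
    print(mask, decode_permissions(mask))
    print(permissions_diff(mask, mask | FLAG_BY_NAME["Commit Disposition"]))
```

Decoding rejects anything above 65535 rather than silently ignoring undefined high bits, so a malformed or typo'd attribute value is caught before it is applied.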