Integrating your SAML Provider

Parsec provides a generic auth provider for SAML-based authentication, which allows Owners of a Team on Parsec to manually configure any SAML-enabled IdP system. Documented below are the general steps for integration.

This requires a subscription to Parsec for Teams.

Parsec SAML important notes

  1. You can choose an alias for your team's SAML authentication. Each member of your team will need to know the Alias to log into Parsec via SAML. You can set the alias on the SAML tab in Parsec for Teams. If you do not set this, the default is your Team ID.
  2. Once a user sets up SAML login, they will need to use SAML login as long as they're a member of your Team.
  3. By default, users are forced to re-authenticate every 8 hours on their client devices, but it does auto-refresh the session based on activity. You can increase this to 720 hours.
  4. As long as a host machine stays online, its session will remain active. If the host is offline (i.e. it does not appear in the list of Parsec computers), the user will need to re-authenticate with your Identity Provider on the hosting machine.
  5. You can remove login access to Parsec via your Identity Provider. This will not invalidate a user's current session, but it will prevent them from logging in again after the session refreshes. To remove someone from your Team and free up a seat, an Admin will have to remove them from the Team on Parsec for Teams admin panel here.
  6. You cannot initiate SAML authentication via your Identity Provider. You will get a Relay State Error. Parsec only allows for logins to initiate from the Parsec login page or from within our app.

SAML-enabled Accounts

SAML-enabled users cannot change their password, use their old Parsec password, or set up MFA within Parsec. That is all handled by your Identity Provider now.

Setting it all up with Parsec for Teams

Parsec supports the following SAML services:

  • Identity and Service Provider initiated SSO
  • Identity Provider initiated SLO (Single Logout)

1. Register Parsec with IdP

Before connecting Parsec to the Identity Provider (IdP), it’s important to first register Parsec as an application on the IdP’s side. Parsec's SAML endpoints are as follows, where the {teamID} is substituted for your Team ID on the Teams Admin Panel:

ACS: https://kessel-api.parsecgaming.com/saml/acs/{teamID}
Metadata: https://kessel-api.parsecgaming.com/saml/metadata/{teamID}

You can also copy and paste these directly from the Parsec for Teams administration panel.

What do these mean?

  • ACS means Assertion Consumer Service, and is used for establishing a session based on rules made between your IdP and the service provider it is integrating with.
  • Metadata, alternatively referred to as the entityID in some systems, refers to the configuration data for an IdP or an SP. In this case, the Metadata endpoint in Parsec refers to your Parsec Team’s metadata on the Service Provider end.

When setting these values up on the IdP end, it’s important to remember that Parsec does not need to provide a signing certificate for the integration to work.

Email format is required for nameID

When you set up SAML, you must use the email format for the nameID field in your Identity Provider.


If you're using Okta, please create a new app for Parsec.


Parsec SSO is done through SAML.


In Okta, if you set it up correctly, your SAML settings will look like this:


2. Register Okta with Parsec

There are three distinct methods for registering Okta with Parsec: Metadata, XML, and data fields. Each method is broken down below, and will produce the same end result.

Using Metadata URL

This method only requires the Metadata URL provided by the Okta platform. You have to supply the Metadata URL directly.


In Okta, you can get the file from Okta here. Download and save the file that the metadata link points to and upload it.


Using Okta's XML

For this method to work, an administrator needs to provide the contents of the IdP’s generated metadata file. Once the contents are pasted directly into the text field, Parsec will do the rest.


Using Provider Data

This registration method is the most involved, and requires matching up the data fields from an IdP. The easiest way to accomplish this is to look for the values in a metadata file such as the one provided above.


SAML Alias

You can choose your Team's SAML alias in the SAML administrative dashboard. This alias is globally unique, so grab yours before someone else does :). Your team members will need to use the alias to log in via SAML. If you do not choose an alias, the default alias is your Team ID.

SAML Enforced

If you choose to enforce SAML authentication across your team, people who are already on your team will not be able to log in with the email and password combination they may have created previously on Parsec. You should make sure every person on your team has been added to your IdP before enforcing SAML. If you do not do this, people will be locked out of their accounts. Once you enforce SAML, you can no longer send team invites through Parsec; instead you must add members of your team directly from within your IdP. A member of your team can only go back to the email/password combination they used before SAML if they leave the team. When you're ready, you can choose to email your entire team immediately upon enforcing SAML across the organization, but before you do this, please choose an alias that is easy to remember!

SAML Session Settings

In this example, SAML sessions expire on client devices every 8 hours, forcing users to re-authenticate after 8 hours of inactivity. If the user has been active, however, the session auto-refreshes for another 8 hours, until the user has been inactive or Parsec has not been running for 8 hours. On the hosting computer, sessions auto-refresh as long as the host is online and waiting for a connection, so that people are not logged out of the host machine too frequently and forced to connect to the host through another method to log in again.
