Integrating your SAML Provider

Parsec provides a generic auth provider for SAML-based authentication, which allows Owners of a Team on Parsec to manually configure any SAML-enabled IdP system. The general steps for integration are documented below.

This requires a subscription to Parsec for Teams.

Important notes on v1 of Parsec SAML

In the current version the following behaviours are fixed; a future version of SAML authentication will let you configure them:

  1. Your users will need the Parsec Team ID (found in the Teams Admin Panel) to set up SAML. Only the Team Owner has access to the ID.
  2. Once a user sets up SAML login, they will need to use SAML login as long as they're a member of your Team.
  3. By default, users are forced to re-authenticate every 8 hours on their client devices. You can increase this to 720 hours and you can auto-refresh sessions whenever someone is active.
  4. As long as a host machine stays online, its session will remain active. If the host is offline (i.e. it does not appear in the list of Parsec computers), the user will need to re-authenticate with your Identity Provider on the hosting machine.
  5. You can remove login access to Parsec via your Identity Provider. This will not invalidate a user's current session, but it will prevent them from logging in again once the session would otherwise refresh. To remove someone from your Team and free up a seat, an Admin will have to remove them from the Team in the Parsec for Teams admin panel.

SAML-enabled Accounts

SAML-enabled users cannot change their password, use their old Parsec password, or set up MFA within Parsec. That is all handled by your Identity Provider now.

Setting it all up with Parsec for Teams

Parsec supports the following SAML services:

  • Identity and Service Provider initiated SSO
  • Identity Provider initiated SLO (Single Logout)

1. Register Parsec with IdP

Before connecting Parsec to the Identity Provider (IdP), it’s important to first register Parsec as an application on the IdP’s side. Parsec's SAML endpoints are as follows, where {teamID} is replaced with your Team ID from the Teams Admin Panel:

ACS: https://kessel-api.parsecgaming.com/saml/acs/{teamID}
Metadata: https://kessel-api.parsecgaming.com/saml/metadata/{teamID}

You can also copy and paste these directly from the Parsec for Teams administration panel.

What do these mean?

  • ACS means Assertion Consumer Service: the Service Provider endpoint that receives the IdP's SAML assertion and establishes a session according to the rules agreed between your IdP and the service provider it is integrating with.
  • Metadata, alternatively referred to as the entityID in some systems, refers to the configuration data for an IdP or an SP. In this case, the Metadata endpoint in Parsec refers to your Parsec Team’s metadata on the Service Provider end.

When setting these values up on the IdP end, it’s important to remember that Parsec does not need to provide a signing certificate for the integration to work.

Email format is required for nameID

When you set up SAML, you must use the email format for the nameID field in your Identity Provider.


If you're using Okta, please create a new app for Parsec.


Parsec SSO is done through SAML.


In Okta, if you set it up correctly, your SAML settings will look like the screenshot in the original article (Okta SAML settings for the Parsec app).

2. Register Okta with Parsec

There are three distinct methods for registering Okta with Parsec: Metadata URL, XML, and data fields. Each method is broken down below; all three produce the same end result.

Using Metadata URL

This method only requires a Metadata URL provided by the Okta platform. You upload the Metadata URL directly.

Okta links to the metadata file from the Parsec app you created. Download and save the file that the metadata link points to, then upload it.

Using Okta's XML

For this method to work, an administrator needs to provide the contents of the IdP’s generated metadata file. Once the contents are pasted directly into the text field, Parsec will do the rest.


Using Provider Data

This registration method is the most involved, and requires matching up the data fields from an IdP. The easiest way to accomplish this is to look for the values in a metadata file such as the one provided above.


SAML Session Settings

In this example, SAML sessions on client devices expire every 8 hours, so a user who has been inactive for 8 hours must re-authenticate. While a user is logging into or actively using Parsec, the session automatically refreshes for another 8 hours. With session Auto Refresh turned off, Parsec logs the user out 8 hours after login regardless of how much activity there was during that period. On the hosting computer, the session auto-refreshes for as long as the host is online and waiting for a connection; this prevents people from being logged out of the host machine too frequently, which would force them to connect to the host through another method in order to log in again.
