Overview
GovWorx supports authenticating users via SAML SSO. A few details about the SSO:
Sign on only, no provisioning - User provisioning via SSO is not supported. The user must already exist in the user management area before they can sign in with SSO.
Matching Users - Users are matched by email address.
SP Initiated - Only service provider initiated (SP-initiated) SSO flows are supported.
Configuration Steps
1 - Create new SAML App in IdP
Create a new SAML app in your identity provider (IdP) and download its XML metadata; you will paste it into GovWorx in step 2. When configuring the SAML app, use the following details:
Entity ID: urn:amazon:cognito:sp:us-gov-west-1_hh4SObAzC
Relay State: Identity_provider=urn:amazon:cognito:sp:us-gov-west-1_hh4SObAzC&client_id=36l5odfbv61gt6vvc9ojmal13e&redirect_uri=https://app.govworx.net&response_type=code&scope=email+openid+profile
Login URL (Optional): https://app.govworx.net/login/{customerURLpath} (where {customerURLpath} is the Agency URL Path you set in step 3)
Required Assertions
NameID - Send the user's email address as the NameID. Matching is on the NameID and is case sensitive, so if your directory stores addresses with upper-case characters, add a transform at the IdP that lower-cases the value (Okta, Microsoft Entra, ADFS and Duo all support this; IdP-specific steps follow).
email - Also send the email address in an attribute named 'email' (lower-case attribute name).
Steps to Transform Email to Lowercase in Azure (Microsoft Entra ID) SAML SSO
Go to Microsoft Entra ID (formerly Azure Active Directory) > Enterprise applications.
Select your SAML-based application.
Click on Single sign-on.
Under Attributes & Claims, click Edit.
Configure the Unique User Identifier (Name ID) claim:
Source: Transformation
Transformation: ToLowercase()
Parameter 1: user.mail (or user.userprincipalname, depending on your setup)
Click Save.
Additional Steps for ADFS SSO
The following URLs must be added to the Relying Party Trust's "Endpoint" list in this order:
On the Relying Party Trust, open "Edit Claim Issuance Policy...". Add the following rule, which issues the NameID claim from the email address claim transformed to lower case (the claim rule language has no lower-case function, so the rule chains one RegExReplace call per letter):
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(RegExReplace(c.Value, "A", "a"), "B", "b"), "C", "c"), "D", "d"), "E", "e"), "F", "f"), "G", "g"), "H", "h"), "I", "i"), "J", "j"), "K", "k"), "L", "l"), "M", "m"), "N", "n"), "O", "o"), "P", "p"), "Q", "q"), "R", "r"), "S", "s"), "T", "t"), "U", "u"), "V", "v"), "W", "w"), "X", "x"), "Y", "y"), "Z", "z"));
Additional Steps for Duo SSO
You must configure Duo to transform the NameID attribute being sent to GovWorx:
Navigate to Attribute Transformations.
Select "Enable User Attribute Transformations".
Enter the following into the Transformation Rules dialog box:
use "<Email Address>" make_lowercase
Enable "Set this as my NameID attribute".
Save.
2 - Upload to GovWorx
Open Settings -> Security -> SSO and enter the following:
Email Domain: Enter your organization's email domain (the part of your users' addresses after the @).
SAML Metadata: Open the metadata file you downloaded from your identity provider in step 1 (or copy the XML) and paste its contents into the text box.
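Before pasting the metadata, it is worth confirming that the file and the assertion your IdP actually produces satisfy what this page asks for. The script below is an added example, not GovWorx code: check_idp_metadata() inspects the IdP metadata XML for the pieces an SP-initiated flow needs (an entityID, a signing certificate, an SSO endpoint), and check_assertion() inspects an assertion captured from the browser's SAMLResponse POST against the Required Assertions above (lower-case NameID, an 'email' attribute carrying the same address, the GovWorx Entity ID as audience) and the Email Domain you enter here. The sample metadata and assertion are constructed for the example; idp.agency.example.gov and the user address are placeholders. Signature verification is deliberately not done here, since that is the service provider's job.

```python
# Added example, not GovWorx code. Parse untrusted XML with defusedxml in
# production; xml.etree is used here only because the samples are constructed.
import base64
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}
GOVWORX_ENTITY_ID = "urn:amazon:cognito:sp:us-gov-west-1_hh4SObAzC"  # from this page
SSO_BINDINGS = {
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
}


def check_idp_metadata(xml_text: str) -> list[str]:
    """Return the problems found (an empty list means the metadata is usable)."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        return ["root is not md:EntityDescriptor; paste the IdP metadata, not SP metadata"]
    problems = [] if root.get("entityID") else ["EntityDescriptor has no entityID"]
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return problems + ["no IDPSSODescriptor: this is not identity provider metadata"]
    # The SP validates the assertion signature with a certificate from the metadata.
    signing = [kd for kd in idp.findall("md:KeyDescriptor", NS)
               if kd.get("use") in (None, "signing")
               and kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) is not None]
    if not signing:
        problems.append("no signing X509Certificate in any KeyDescriptor")
    # SP-initiated SSO needs an endpoint to send the AuthnRequest to.
    if not [s for s in idp.findall("md:SingleSignOnService", NS) if s.get("Binding") in SSO_BINDINGS]:
        problems.append("no SingleSignOnService with an HTTP-POST or HTTP-Redirect binding")
    return problems


def decode_saml_response(b64: str) -> str:
    """The SAMLResponse POST field is plain base64 of the XML (no deflate on POST)."""
    return base64.b64decode(b64).decode("utf-8")


def check_assertion(xml_text: str, email_domain: str) -> list[str]:
    """Return the problems found against the Required Assertions (empty means OK)."""
    root = ET.fromstring(xml_text)
    tag = f"{{{NS['saml2']}}}Assertion"
    assertion = root if root.tag == tag else root.find(f".//{tag}")
    if assertion is None:
        return ["no saml2:Assertion found"]
    problems = []
    nid = assertion.find("saml2:Subject/saml2:NameID", NS)
    name_id = (nid.text or "").strip() if nid is not None else ""
    if not name_id:
        problems.append("no NameID in Subject")
    elif name_id != name_id.lower():  # GovWorx matches the NameID case-sensitively
        problems.append(f"NameID '{name_id}' has upper-case characters; add a lower-case transform at the IdP")
    email = ""  # the attribute must be named exactly 'email'
    for attr in assertion.findall("saml2:AttributeStatement/saml2:Attribute", NS):
        if attr.get("Name") == "email":
            val = attr.find("saml2:AttributeValue", NS)
            email = (val.text or "").strip() if val is not None else ""
    if not email:
        problems.append("no attribute named 'email' in AttributeStatement")
    else:
        if name_id and email.lower() != name_id.lower():
            problems.append(f"email attribute '{email}' is a different address from NameID '{name_id}'")
        if not email.lower().endswith("@" + email_domain.lower()):
            problems.append(f"email '{email}' is not in the configured Email Domain '{email_domain}'")
    audiences = [a.text.strip() for a in assertion.findall(
        "saml2:Conditions/saml2:AudienceRestriction/saml2:Audience", NS) if a.text]
    if GOVWORX_ENTITY_ID not in audiences:
        problems.append(f"Audience {audiences} does not include the GovWorx Entity ID")
    return problems


# Constructed samples: metadata that passes, and an assertion whose NameID was
# sent without the lower-case transform.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.agency.example.gov/saml">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>MIICconstructedPlaceholderCertificate</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
   Location="https://idp.agency.example.gov/saml/sso"/>
 </md:IDPSSODescriptor></md:EntityDescriptor>"""
SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">
 <saml2:Subject><saml2:NameID>Jane.Doe@agency.example.gov</saml2:NameID></saml2:Subject>
 <saml2:Conditions><saml2:AudienceRestriction>
  <saml2:Audience>urn:amazon:cognito:sp:us-gov-west-1_hh4SObAzC</saml2:Audience>
 </saml2:AudienceRestriction></saml2:Conditions>
 <saml2:AttributeStatement><saml2:Attribute Name="email">
  <saml2:AttributeValue>jane.doe@agency.example.gov</saml2:AttributeValue>
 </saml2:Attribute></saml2:AttributeStatement></saml2:Assertion>"""

if __name__ == "__main__":
    print("metadata:", check_idp_metadata(SAMPLE_IDP_METADATA) or "OK")
    b64 = base64.b64encode(SAMPLE_ASSERTION.encode()).decode()  # as the IdP would POST it
    print("assertion:", check_assertion(decode_saml_response(b64), "agency.example.gov") or "OK")
```

Run against a real capture, paste the base64 SAMLResponse value from the browser's network tab into decode_saml_response() and pass your own Email Domain; the sample assertion reproduces the most common failure on this page, a mixed-case NameID, which the NameID check reports while the email-address comparison (done case-insensitively) stays quiet.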
3 - Complete Agency Info
The final box shows you the URL where you can initiate the SSO. It will be
You will need to set your Agency URL Path and logo in the 'Agency Info' tab.
4 - Test Login
When you browse to that path, you should see your agency logo and a button to Start SSO. Clicking it kicks off the SAML flow with your IdP and logs you into GovWorx.