SSO Setup 

SSO and SCIM Setup

Raven supports Single Sign-On and SCIM provisioning to streamline secure access and automate user management. This guide explains how to configure SAML SSO, enable SCIM provisioning, and map IdP groups to Raven roles. For SSO to function correctly, you must configure SAML, provisioning, and role mapping. Ensure you have permission to manage SSO before beginning.

Before You Begin

• Log in to the Raven App.

• Confirm you have permission to manage SSO.

• Navigate to Manage > Account Settings > SSO and keep this page open.

• Leave all fields not mentioned in this guide empty or set to default values.

• Ensure the Raven App integration is assigned to users via groups only, not individual assignments.

How to Configure SAML SSO

Step 1: Create the SAML App in Your IdP

1. In your Identity Provider, create a new application.

2. Select SAML 2.0 as the sign on method.

3. Set the App Name to Raven.

Step 2: Add Raven Service Provider Details to Your IdP

1. In the Raven App, locate Raven Service Provider Info.

2. Copy the ACS URL and paste it into the Single Sign-On URL field in your IdP.

3. Copy the Service Provider Entity ID and paste it into the Audience URI SP Entity ID field in your IdP.

Step 3: Configure SAML Settings in Your IdP

Set the following values:

• Name ID Format: emailAddress

• Application Username: email

• Response: Signed

• Assertion Signature: Unsigned

1. Download the certificate from the Raven App.

2. Upload it to the Signature Certificate field in your IdP.

3. Add an Attribute Statement:

   • Name: roles

   • Value: appuser.roles for Okta. Refer to your IdP documentation if using another provider.

4. Save the application integration in your IdP.

Step 4: Add IdP Details to Raven

1. In the Raven App, go to Manage > Account Settings > SSO.

2. Complete the following fields using values from your IdP:

   • SSO Entity ID: Issuer or Entity ID from IdP

   • SSO Certificate: Upload certificate from IdP

   • SSO Login URL: Sign-on URL from IdP

3. Click Save.

How to Configure SCIM Provisioning

Step 1: Enable SCIM in Your IdP

1. In your IdP, open the Raven SAML application you created.

2. Set Provisioning to SCIM.

Step 2: Configure Provisioning Settings

In your IdP, enter the following:

• SCIM Connector Base URL: Copy from the Raven App SCIM Base URL

• Unique Identifier Field: email

• Supported Provisioning Actions: Push New Users, Push Profile Updates

• Authentication Mode: HTTP Header

• Authorization: Enter the Provisioning API Key from the Raven App

Enable the following provisioning actions:

• Create Users

• Update User Attributes

• Deactivate Users

Step 3: Add the Roles Attribute

1. Navigate to Profile Editor in your IdP.

2. Select Raven User.

3. Add a custom attribute with the following configuration:

   • Data Type: String Array

   • Display Name: roles

   • Variable Name: roles

   • External Name: roles

   • External Namespace: urn:ietf:params:scim:schemas:core:2.0:User

   • Required: Yes

   • Group Priority: Combine over Groups

   • User Permission: Read-only

4. Click Save.

How to Map IdP Groups to Raven Roles

The Raven App integration must be assigned via groups only.

Step 1: Assign the App to an IdP Group

1. Navigate to the appropriate IdP Group.

2. Assign the Raven App Integration to the group.

Step 2: Add Roles to the IdP Group

1. In the Raven App, go to Manage > Account Settings > SSO.

2. Under Available Roles, copy the roles you want to assign.

3. Add those role values to the corresponding IdP Group.

Step 3: Verify Role Mapping

1. Confirm that roles in the IdP group match the roles configured in Raven.

2. Click Save in both systems.

Important

SSO will only function correctly when all of the following are configured:

• SAML application setup

• SCIM provisioning enabled

• IdP group to Raven role mapping completed

• Raven App assigned via groups only

After setup, verify user access and confirm that roles and group mappings are working as expected.