Integrating your SAML Provider

Parsec for Teams provides a generic auth provider for SAML based authentication, which allows owners of a team on Parsec to manually configure any SAML-enabled IdP (Identity Provider) system. Parsec supports the Identity and Service Provider initiated SSO (Single Sign-On) and the Identity Provider initiated SLO (Single Logout).

Some important notes

  • SAML-enabled users cannot change their password, use their old Parsec password, or set up MFA within Parsec. That will all be handled by the Identity Provider instead
  • You can choose an alias for your team's SAML authentication in the Teams admin panel, to be used instead of your Team ID in order to login. Each member of your team will need to know the alias to log in using SAML
  • Once a user sets up SAML login, they will need to use SAML as long as they're a member of your team
  • By default, users are forced to re-authenticate every 8 hours on their client devices, but the session auto-refreshes based on activity. You can increase this to up to 720 hours in the Teams admin panel
  • You can remove login access to Parsec via your Identity Provider. This will not invalidate a user's current session, but it will prevent them from logging in again after the session refreshes. To remove someone from your Team and free up a seat, an Admin will have to remove them from the Team on the Teams admin panel
  • You cannot initiate SAML authentication via your Identity Provider. You will get a Relay State Error. Parsec only allows for logins to initiate from the Parsec login page or from within our app

Setting up SAML

First register Parsec on your IdP (Identity Provider) and add these SAML endpoints to it, replacing {teamID} with your Team ID, which is shown in the Teams admin panel. The full endpoints are also shown in the Teams administration panel, so you can copy and paste them from there.

  • ACS: https://kessel-api.parsecgaming.com/saml/acs/{teamID}

    ACS means Assertion Consumer Service, and is used for establishing a session based on rules made between your IdP and the service provider it is integrating with.

  • Metadata: https://kessel-api.parsecgaming.com/saml/metadata/{teamID}

    Metadata, alternatively referred to as the entityID in some systems, refers to the configuration data for an IdP or an SP. In this case, the Metadata endpoint in Parsec refers to your Parsec Team’s metadata on the Service Provider end.

In addition to these endpoints, you must set the Name ID format to email address in your identity provider when setting up SAML, so that Parsec can associate the assertion with the right account. After that, you just need to add some metadata provided by your IdP into the Teams panel.

Below are instructions for setting those things up on some of the common providers. Remember that Parsec does not need to provide a signing certificate for the integration to work.

Okta
  • Visit the Applications section in Okta, and click Add Application
  • Create a new app for Parsec by clicking Create New App

okta_add_application_button.png

  • In the new window, select SAML 2.0 as the method for sign on and click Create

okta_choosing_saml.png

  • When you get to step 2, "Configure SAML", use the ACS and Metadata endpoints provided earlier. Make sure to set the Name ID format and Application username to EmailAddress

okta_adding_endpoints.png

Once that is done, you just need to provide some IdP metadata to Parsec. In the SAML setup section of the Teams administration panel, you can either upload a metadata XML file, paste the raw contents of the metadata XML, or enter the IdP metadata values manually; your IdP provides all of these. The most convenient method for Okta is to use the metadata XML, demonstrated below.

  • Download the metadata XML from the link below in the settings page of the application you made

okta_identity_provider_metadata_link.png

  • Go into the SAML section in the Teams administration panel
  • In the "Register IdP with Parsec" section, select XML
  • Click Choose File and select the metadata XML you downloaded
  • Click Parse Metadata

register_idp_panel.png

At this point, SAML should be set up. Make sure to assign the users in your IdP, and invite them to your team in the Teams admin panel.

SAML alias, enforcement and session settings

There are some additional settings in the SAML section in the Teams admin panel.

saml_settings.png

Team Alias

You can choose an alias for your team's SAML authentication to be used instead of your Team ID in order to login. Each member of your team will need to know the alias to log in using SAML. Keep in mind the alias is globally unique, so grab yours before someone else does.

Session Duration

You can set how long team members remain authenticated before they have to log in again. In the image above, for example, users will have to re-authenticate after 8 hours of inactivity. While the user stays active, the session auto-refreshes for another 8 hours at a time; it lapses once the user has been inactive, or Parsec has not been running, for 8 hours.
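
The behaviour described above is a sliding idle timeout: each period of activity inside the window extends the window by the full duration again, and a single gap longer than the duration ends the session. The following is an added model of that rule, not Parsec's own session code; it assumes that "activity" is a timestamped event and uses a constructed timeline with the page's 8-hour default and 720-hour maximum.

```python
# Added example (not Parsec's code): a model of the sliding session
# duration described above. A session lapses after `duration_hours`
# with no activity; activity while the session is still valid pushes
# the expiry out by the full duration again. The timelines fed to
# simulate() are constructed for illustration.
from datetime import datetime, timedelta


class SlidingSession:
    def __init__(self, authenticated_at, duration_hours=8):
        self.duration = timedelta(hours=duration_hours)
        self.expires_at = authenticated_at + self.duration

    def is_valid(self, now):
        return now < self.expires_at

    def record_activity(self, now):
        """Return True if the session was still valid and got refreshed,
        False if it had already lapsed and the user must log in again."""
        if not self.is_valid(now):
            return False
        self.expires_at = now + self.duration
        return True


def simulate(duration_hours, activity_hours):
    """Replay activity timestamps (hours after login) against one session
    and return (hour, refreshed?) for each event."""
    start = datetime(2024, 1, 1, 9, 0)  # constructed login time
    session = SlidingSession(start, duration_hours)
    return [(h, session.record_activity(start + timedelta(hours=h)))
            for h in activity_hours]


if __name__ == "__main__":
    # Active at 1h, 7h and 14.5h keeps an 8-hour session alive; the
    # 8.5-hour gap before the event at 23h ends it.
    print(simulate(8, [1, 7, 14.5, 23]))
    # The same events at the 720-hour maximum never lapse.
    print(simulate(720, [1, 7, 14.5, 23]))
```

The practical point for an administrator is that the duration bounds the gap between activity, not the total lifetime of a session: a user who is active daily on an 8-hour setting is never forced to re-authenticate, and a removed user keeps their session until the next refresh fails, as noted under the important notes above.
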

Enforce SAML

This forces all team members except the owner to use SAML. If you choose to enforce SAML authentication across your team, people who are already on your team will not be able to log in with the password and email combination they may have created previously on Parsec. You should make sure every person on your team has been added to your IdP before enforcing SAML. If you do not do this, people will be locked out of their account.

Once you enforce SAML, you can no longer send team invites through Parsec; instead, you must add members of your team directly from within your IdP. A member of your team can only go back to the email/password combination they used before SAML if they leave the team. When you're ready, you can choose to email your entire team immediately upon enforcing SAML across the organization, but before you do this, please choose an alias that is easy to remember.