Configuring SAML ID Providers for Sync
Follow the instructions below to configure Azure Active Directory, Okta, or another SAML 2.0 identity provider for Logitech Sync. Once the identity provider is configured, you can finish the self-service SSO setup directly in Logitech Sync.
Configuring Azure Active Directory
Add an Enterprise Application to your Azure Active Directory with the following steps:
Under Enterprise applications, select New application > Create your own application
For Name, enter: Logitech Sync
Select Integrate any other application you don't find in the gallery, click CREATE
Under Properties, set User assignment required? to No and set Visible to users? to No.
Alternatively, under Users and groups, assign the users and/or groups who may sign in to Sync via SSO. Note, however, that assigned users still need to be invited by an Owner from within Sync Portal; the assignment only controls who can authenticate, not who has a Sync account.
Save this image to your local filesystem and then upload it as the application logo:
Under Single Sign-On, select SAML
In Basic SAML Configuration, set the following values:
Identifier (Entity ID), for your tenant's region:
US-3: urn:amazon:cognito:sp:us-west-2_DWzS32pTu
US-2: urn:amazon:cognito:sp:us-west-2_dbVjd4yeO
US-1: urn:amazon:cognito:sp:us-west-2_0FrsBFobj
EU-1: urn:amazon:cognito:sp:eu-central-1_WPJIm5DVv
FR-1: urn:amazon:cognito:sp:eu-west-3_2d7lWcJfk
CA-1: urn:amazon:cognito:sp:ca-central-1_vy7w7nSAM
Reply URL (Assertion Consumer Service URL), for the same region (these are the exact URLs matched by the ACS Validator patterns listed later on this page):
US-3: https://auth-2.sync.logitech.com/saml2/idpresponse
US-2: https://auth-1.sync.logitech.com/saml2/idpresponse
US-1: https://auth.sync.logitech.com/saml2/idpresponse
EU-1: https://auth-eu.sync.logitech.com/saml2/idpresponse
FR-1: https://auth-fr.sync.logitech.com/saml2/idpresponse
CA-1: https://auth-ca.sync.logitech.com/saml2/idpresponse
Sign on URL:
US-3, US-2, US-1: https://sync.logitech.com/sso/<your email domain>
EU-1: https://eu.sync.logitech.com/sso/<your email domain>
FR-1: https://fr.sync.logitech.com/sso/<your email domain>
CA-1: https://ca.sync.logitech.com/sso/<your email domain>
Relay state: <leave blank>
Logout URL: <leave blank>
In User Attributes & Claims, verify or add the following claims. You need to use the full URI as the claim name:
Claim name -> Value
Unique User Identifier (Name ID) -> user.userprincipalname [nameid-format:emailAddress]
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress -> user.mail
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname -> user.givenname
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname -> user.surname
Under SAML Signing Certificate the field App Federation Metadata Url should be populated. Copy the value to clipboard and provide it when requested.
Configuring Okta
Create a SAML application in Okta with the following steps:
Under Applications, choose Create App Integration
Complete the wizard using default settings, except for:
Sign on method: SAML 2.0
App name: Logitech Sync
Do not display application icon to users: ✔
Do not display application icon in the Okta Mobile app: ✔
Single sign on URL, for your tenant's region (these are the exact URLs matched by the ACS Validator patterns listed later on this page):
US-3: https://auth-2.sync.logitech.com/saml2/idpresponse
US-2: https://auth-1.sync.logitech.com/saml2/idpresponse
US-1: https://auth.sync.logitech.com/saml2/idpresponse
EU-1: https://auth-eu.sync.logitech.com/saml2/idpresponse
FR-1: https://auth-fr.sync.logitech.com/saml2/idpresponse
CA-1: https://auth-ca.sync.logitech.com/saml2/idpresponse
Audience URI (SP Entity ID), for the same region:
US-3: urn:amazon:cognito:sp:us-west-2_DWzS32pTu
US-2: urn:amazon:cognito:sp:us-west-2_dbVjd4yeO
US-1: urn:amazon:cognito:sp:us-west-2_0FrsBFobj
EU-1: urn:amazon:cognito:sp:eu-central-1_WPJIm5DVv
FR-1: urn:amazon:cognito:sp:eu-west-3_2d7lWcJfk
CA-1: urn:amazon:cognito:sp:ca-central-1_vy7w7nSAM
Attribute statements. You need to use the full URI as the attribute name:
Name -> Name Format -> Value
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress -> URI Reference -> user.email
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname -> URI Reference -> user.firstName
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname -> URI Reference -> user.lastName
I'm an Okta customer adding an internal app: ✔
Save this image to your local filesystem and then upload it as the application logo:
On the Assignments tab for your app, assign the people and/or groups who have access to Logitech Sync via SSO. Note that users still need to be explicitly invited from within Sync, so the recommendation is to assign an appropriate group, or Everyone, to Logitech Sync and control individual access from within Sync.
OPTIONAL: Sync does not support identity provider-initiated sign-in. If you want Logitech Sync to appear in the list of Okta applications, add it as a Bookmark app. Follow the steps in the Okta documentation using these settings:
Application label: Logitech Sync
URL:
US-3, US-2, US-1: https://sync.logitech.com/sso/<your email domain>
EU-1: https://eu.sync.logitech.com/sso/<your email domain>
FR-1: https://fr.sync.logitech.com/sso/<your email domain>
CA-1: https://ca.sync.logitech.com/sso/<your email domain>
On the Sign On tab for your app, look for the Metadata URL hyperlink. Copy the value to clipboard and provide it when requested.
Configuring SAML Identity Provider
Configure your SAML 2.0 identity provider using these settings, where applicable:
Application name: Logitech Sync
Entity ID / Audience, for your tenant's region:
US-3: urn:amazon:cognito:sp:us-west-2_DWzS32pTu
US-2: urn:amazon:cognito:sp:us-west-2_dbVjd4yeO
US-1: urn:amazon:cognito:sp:us-west-2_0FrsBFobj
EU-1: urn:amazon:cognito:sp:eu-central-1_WPJIm5DVv
FR-1: urn:amazon:cognito:sp:eu-west-3_2d7lWcJfk
CA-1: urn:amazon:cognito:sp:ca-central-1_vy7w7nSAM
Assertion Consumer Service (ACS) URL, for the same region (the exact URL matched by the corresponding ACS Validator pattern below):
US-3: https://auth-2.sync.logitech.com/saml2/idpresponse
US-2: https://auth-1.sync.logitech.com/saml2/idpresponse
US-1: https://auth.sync.logitech.com/saml2/idpresponse
EU-1: https://auth-eu.sync.logitech.com/saml2/idpresponse
FR-1: https://auth-fr.sync.logitech.com/saml2/idpresponse
CA-1: https://auth-ca.sync.logitech.com/saml2/idpresponse
ACS Validator (regular expression, where your identity provider asks for one):
US-3: ^https:\/\/auth-2\.sync\.logitech\.com\/saml2\/idpresponse$
US-2: ^https:\/\/auth-1\.sync\.logitech\.com\/saml2\/idpresponse$
US-1: ^https:\/\/auth\.sync\.logitech\.com\/saml2\/idpresponse$
EU-1: ^https:\/\/auth-eu\.sync\.logitech\.com\/saml2\/idpresponse$
FR-1: ^https:\/\/auth-fr\.sync\.logitech\.com\/saml2\/idpresponse$
CA-1: ^https:\/\/auth-ca\.sync\.logitech\.com\/saml2\/idpresponse$
Relay state: <leave blank>
Sign out URL / Logout URL: <leave blank>
Sign in URL / Login URL:
US-3, US-2, US-1: https://sync.logitech.com/sso/<your email domain>
EU-1: https://eu.sync.logitech.com/sso/<your email domain>
FR-1: https://fr.sync.logitech.com/sso/<your email domain>
CA-1: https://ca.sync.logitech.com/sso/<your email domain>
The following claims must be included in the SAML sign-in response (use the full URI as the claim name):
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier (i.e. NameID)
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
The NameID claim is usually emitted by default. The other three typically have to be added as custom parameters, claims, or attributes, with their values mapped from the corresponding fields in your identity provider (e.g. Email, First Name, and Last Name).
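Before handing over the metadata URL, it is worth confirming what your identity provider actually emits, because an assertion built with the wrong region's Entity ID or ACS URL, or with a claim missing, is rejected by the service provider rather than by your IdP. The following Python script is an added example, not Logitech's code: it parses a SAML Response (for instance one captured with a browser SAML tracer and base64-decoded) and checks it against the per-region values on this page: Destination against the ACS Validator, Audience against the Entity ID, the NameID format, and the presence of the three attribute claims. The two sample responses are constructed for this example; the script does not verify the XML signature or the Conditions time window, so it is a configuration check, not a security check.

```python
"""Pre-flight checks on a SAML Response intended for Logitech Sync.

Added example, not Logitech's code. Parses a SAML Response and checks the
settings this page asks you to configure on the IdP side:
  * Destination matches the region's ACS Validator,
  * Audience equals the region's Entity ID,
  * NameID uses the emailAddress format,
  * the emailaddress, givenname and surname claims are present.
It does NOT verify the XML signature or the Conditions time window; the
service provider does that. The sample responses below are constructed.
"""
import re
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
REQUIRED_ATTRIBUTES = {CLAIMS + "emailaddress", CLAIMS + "givenname", CLAIMS + "surname"}
NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Entity ID and ACS Validator per region, as listed on this page.
REGIONS = {
    "US-3": ("urn:amazon:cognito:sp:us-west-2_DWzS32pTu", r"^https:\/\/auth-2\.sync\.logitech\.com\/saml2\/idpresponse$"),
    "US-2": ("urn:amazon:cognito:sp:us-west-2_dbVjd4yeO", r"^https:\/\/auth-1\.sync\.logitech\.com\/saml2\/idpresponse$"),
    "US-1": ("urn:amazon:cognito:sp:us-west-2_0FrsBFobj", r"^https:\/\/auth\.sync\.logitech\.com\/saml2\/idpresponse$"),
    "EU-1": ("urn:amazon:cognito:sp:eu-central-1_WPJIm5DVv", r"^https:\/\/auth-eu\.sync\.logitech\.com\/saml2\/idpresponse$"),
    "FR-1": ("urn:amazon:cognito:sp:eu-west-3_2d7lWcJfk", r"^https:\/\/auth-fr\.sync\.logitech\.com\/saml2\/idpresponse$"),
    "CA-1": ("urn:amazon:cognito:sp:ca-central-1_vy7w7nSAM", r"^https:\/\/auth-ca\.sync\.logitech\.com\/saml2\/idpresponse$"),
}


def check_response(xml_text: str, region: str) -> list:
    """Return a list of configuration problems; an empty list means every check passed."""
    entity_id, acs_pattern = REGIONS[region]
    root = ET.fromstring(xml_text)
    problems = []

    # Destination must be exactly the region's ACS URL.
    destination = root.get("Destination", "")
    if not re.match(acs_pattern, destination):
        problems.append(f"Destination {destination!r} does not match the {region} ACS validator")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["Response carries no Assertion"]

    # Audience must name the region's Entity ID (a mixed-region setup fails here).
    audiences = [a.text for a in assertion.iterfind(".//saml:AudienceRestriction/saml:Audience", NS)]
    if entity_id not in audiences:
        problems.append(f"Audience {audiences} does not include the {region} Entity ID {entity_id}")

    # NameID must be present and use the emailAddress format.
    name_id = assertion.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None:
        problems.append("Subject has no NameID")
    elif name_id.get("Format") != NAMEID_EMAIL:
        problems.append(f"NameID Format is {name_id.get('Format')!r}, expected emailAddress")

    # The three attribute claims must be present under their full URI names.
    present = {a.get("Name") for a in assertion.iterfind(".//saml:AttributeStatement/saml:Attribute", NS)}
    for name in sorted(REQUIRED_ATTRIBUTES - present):
        problems.append(f"missing attribute {name}")
    return problems


def build_response(destination: str, audience: str, attributes: dict) -> str:
    """Build a minimal, unsigned SAML Response (constructed test data, not a real IdP message)."""
    attr_xml = "".join(
        f'<saml:Attribute Name="{name}"><saml:AttributeValue>{value}</saml:AttributeValue></saml:Attribute>'
        for name, value in attributes.items()
    )
    return (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        f'ID="_r1" Version="2.0" Destination="{destination}">'
        f'<saml:Assertion ID="_a1" Version="2.0">'
        f'<saml:Subject><saml:NameID Format="{NAMEID_EMAIL}">alice@example.com</saml:NameID></saml:Subject>'
        f'<saml:Conditions><saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>'
        f'</saml:AudienceRestriction></saml:Conditions>'
        f'<saml:AttributeStatement>{attr_xml}</saml:AttributeStatement>'
        f'</saml:Assertion></samlp:Response>'
    )


FULL_CLAIMS = {CLAIMS + "emailaddress": "alice@example.com",
               CLAIMS + "givenname": "Alice", CLAIMS + "surname": "Example"}

# A correct response for a US-1 tenant (constructed).
GOOD_RESPONSE = build_response("https://auth.sync.logitech.com/saml2/idpresponse",
                               REGIONS["US-1"][0], FULL_CLAIMS)
# A common misconfiguration (constructed): the IdP was set up with the EU-1 values
# and the surname claim was forgotten.
EU_RESPONSE = build_response("https://auth-eu.sync.logitech.com/saml2/idpresponse",
                             REGIONS["EU-1"][0],
                             {k: v for k, v in FULL_CLAIMS.items() if not k.endswith("surname")})

if __name__ == "__main__":
    print("US-1 tenant, good response:", check_response(GOOD_RESPONSE, "US-1"))
    print("US-1 tenant, EU-configured IdP:", check_response(EU_RESPONSE, "US-1"))
```

Run against a real capture, paste the decoded Response XML in place of the constructed sample and pass the region your Sync tenant lives in; the script reports every mismatch at once rather than the single opaque error you would otherwise see at sign-in.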
Remember to grant access to Logitech Sync to the appropriate users/groups in your directory. Note, however, that Sync does not support just-in-time (JIT) provisioning. This means that users also need to be invited explicitly from within Sync itself. We therefore recommend that you grant access to a broad group of users and control individual user access from within Sync itself.
Logitech Sync does not support identity provider-initiated sign-in. Service provider-initiated sign-in starts at the following URL for your region:
US-3, US-2, US-1: https://sync.logitech.com/sso/<your email domain>
EU-1: https://eu.sync.logitech.com/sso/<your email domain>
FR-1: https://fr.sync.logitech.com/sso/<your email domain>
CA-1: https://ca.sync.logitech.com/sso/<your email domain>
(e.g. https://sync.logitech.com/sso/logitech.com)
If your ID provider supports it, upload the following icon for Logitech Sync:
Once the integration is configured please provide the Identity Provider Metadata URL, sometimes called Issuer URL. Copy the value to clipboard and provide it when requested.
Sync Doesn't Support IdP Initiated Sign in (Okta)
Unfortunately, Sync does not support identity provider-initiated sign-in. Are you able to sign in with SSO at https://sync.logitech.com/sso?
There is a workaround for Okta:
If you want Logitech Sync to appear in the list of Okta applications, add it as a Bookmark app. Follow the steps in the Okta documentation using these settings:
Application label: Logitech Sync
URL:
US-3, US-2, US-1: https://sync.logitech.com/sso/<your email domain>
EU-1: https://eu.sync.logitech.com/sso/<your email domain>
FR-1: https://fr.sync.logitech.com/sso/<your email domain>
CA-1: https://ca.sync.logitech.com/sso/<your email domain>