Configure SAML SSO

SAML (Security Assertion Markup Language) is the industry-standard SSO solution. If you are already using a SAML Identity Provider such as Okta or Active Directory Federation Services, then you should authenticate via SAML SSO. The steps to configure SAML SSO are listed below.

Specifically, we support IDP-initiated Single Sign-On POST Binding. We are expecting a signed SAML Response with a signed SAML Assertion which should be Base64 encoded. Note that both the Response and the Assertion should be signed.
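
A pre-flight check for the requirement above, as an added example (not Yext's code): it decodes a Base64 SAMLResponse form value and confirms that both the Response and the Assertion carry a signature element, and that Issuer, Audience and NameID match what is configured. The sample document, the example.test URLs and the function names are constructed for illustration; the check is structural and does not verify the signatures cryptographically.

```python
import base64
import xml.etree.ElementTree as ET  # for untrusted input, prefer a hardened parser such as defusedxml

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def sample_response(sign_response=True, sign_assertion=True, name_id="jdoe"):
    """Constructed SAMLResponse form value; the Signature elements are empty stubs."""
    sig = '<ds:Signature xmlns:ds="%s"/>' % NS["ds"]
    xml = ('<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" Version="2.0">'
           '<saml:Issuer>https://idp.example.test/entity</saml:Issuer>%s'
           '<saml:Assertion Version="2.0">'
           '<saml:Issuer>https://idp.example.test/entity</saml:Issuer>%s'
           '<saml:Subject><saml:NameID>%s</saml:NameID></saml:Subject>'
           '<saml:Conditions><saml:AudienceRestriction>'
           '<saml:Audience>https://sp.example.test/audience</saml:Audience>'
           '</saml:AudienceRestriction></saml:Conditions>'
           '</saml:Assertion></samlp:Response>') % (
               NS["samlp"], NS["saml"], sig if sign_response else "",
               sig if sign_assertion else "", name_id)
    return base64.b64encode(xml.encode()).decode()

def preflight(saml_response_b64, idp_issuer, audience_uri, username):
    """Structural checks only; returns a list of problems (empty = looks right).
    Presence of a Signature element says nothing about whether it is valid."""
    root = ET.fromstring(base64.b64decode(saml_response_b64, validate=True))
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["root element is not samlp:Response"]
    problems = []
    # Direct children only: a Signature inside the Assertion does not sign the Response.
    if root.find("ds:Signature", NS) is None:
        problems.append("Response is not signed")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        return problems + ["expected one Assertion, found %d" % len(assertions)]
    a = assertions[0]
    if a.find("ds:Signature", NS) is None:
        problems.append("Assertion is not signed")
    if a.findtext("saml:Issuer", "", NS).strip() != idp_issuer:
        problems.append("Issuer does not match IDP Issuer")
    audiences = [e.text.strip() for e in a.iterfind(".//saml:Audience", NS) if e.text]
    if audience_uri not in audiences:
        problems.append("Audience URI not present")
    if a.findtext("saml:Subject/saml:NameID", "", NS).strip() != username:
        problems.append("NameID does not match username")
    return problems
```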

Prerequisites

Before utilizing SAML Single Sign-On, you must have completed the following steps:

Step 1: Make sure users are set up correctly

  1. Create users in Yext, unless you are using Just in Time Provisioning. For more information on Just in Time Provisioning, see the Just in Time Provisioning guide.
      • To add users via the platform, see Add a new user, or Add users in bulk. To do this via the API, see the Users: Create endpoint.
      • Every user in your system can have a corresponding user in Yext.
      • The username field must match the user’s username in the Identity Provider; the username should be the same value as the NameID which is passed in the SAML assertion.
      • For most clients, the roleId is typically 9 or 20, Account Manager. You can also follow the steps in the Manage Users Guide to retrieve Available Roles. If you need to create a custom user role, visit Create a Custom User Role for instructions.
  2. Make sure users are configured for SSO.
    • Via the API, make sure that the sso field is set to true. Or, in the platform, make sure that Is SAML User is set to Yes.

Step 2: Make sure your account has been configured to use SAML SSO

  • Navigate to Account Settings. If you see the SAML Configuration option in the sidebar, your account is already configured to use SAML Single Sign-On. If not, please contact your Yext Account Manager to enable this for your account.
  • Once your account has been configured, you will be able to access a SAML Configuration page within your Account Settings. On the SAML Configuration page, you will be able to view your Yext SAML Assertion Consumer Service URL and Yext SAML Audience URI (Service Provider Entity ID) that will be needed by your Identity Provider. Yext will need the Identity Provider URL (Identity Provider Entity ID) and Certificate from your Identity Provider.

Create SAML Configuration

Once you have completed the prerequisite steps, you will then need to create your SAML configuration. This can be done manually, by inputting all of your SAML settings. Or, you can import your SAML 2.0 settings from a Metadata XML file or Metadata URL that you obtain from your Identity Provider.

If an XML file is uploaded, our system will parse the XML file to autofill as many of the settings as possible. If a URL is provided, our system will download the configuration file at the URL, parse it, and autofill as many of the settings as possible. After the information is parsed, you can see and review the successfully parsed settings. If any settings are not detected, those will need to be filled in manually. If the provided XML file contains multiple configurations, only the first configuration will be ingested.

To set up SAML Configuration:

  1. Log into the Yext platform.
  2. Hover over your name in the top navigation bar and click Account Settings.
  3. Click SAML Configuration in the sidebar.
  4. Determine how you want to input your SAML configuration. To import your SAML Configuration, click on the Import SAML Configuration button and follow the steps below. Otherwise, enter the data manually for each field. See the table below for more details on each field in the SAML Configuration screen.
    1. After clicking Import SAML Configuration, click Select Source and select your Configuration Source. A dialog box appears.
      • Upload XML File: Select the XML file you’d like to import and click Open. After selecting the correct file, click Import. A dialog box appears.
        • Note: If the XML that was uploaded has multiple configurations, settings will be read from the first configuration.
      • Input URL: Enter the URL in the textbox and click Import.
    2. Fields that were successfully parsed from the URL or file will be filled in.
  5. Confirm that the fields contain the correct information, and manually enter any additional settings.
    • If you don’t have all the required information, you can click Save Progress. A dialog box appears. Click Save, and return once you have all the information.
  6. Once you have entered all of the required information, click Confirm to save your settings.

Populate the following fields as appropriate:

| Field | Read from Metadata? | Description |
|---|---|---|
| SSO Login URL | Yes | The URL users will be directed to after logging in. |
| SSO Logout URL | Yes | The URL users will be directed to when they log out. |
| IDP Issuer | Yes | The unique URL that identifies your identity provider in SAML assertions sent to Yext. |
| Certificate | Yes | The certificate contains the public key we will use to verify that the SAML authentication requests we receive are issued by your IDP. |
| SAML Version | Yes | This should be 2.0. |
| Just in Time Provisioning | No | Select whether or not you would like to enable Just in Time Provisioning. For more information, see Just in Time Provisioning. |
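
To preview what a metadata import is likely to pick up before you click Confirm, the added example below (not Yext's importer) reads only the first entity in a SAML 2.0 metadata file, reports the values for the fields above, and lists any entities that would be ignored. Which metadata element feeds which field is an assumption based on standard SAML 2.0 metadata; the sample file, the example.test URLs and the placeholder certificate are constructed.

```python
import xml.etree.ElementTree as ET  # for files from untrusted sources, prefer a hardened parser such as defusedxml
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SAML2 = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed metadata with two entities; the certificate text is a placeholder.
SAMPLE = """\
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                       xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <md:EntityDescriptor entityID="https://idp-a.example.test/entity">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
   <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>PLACEHOLDER
      CERT-A</ds:X509Certificate>
   </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
   <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                           Location="https://idp-a.example.test/sso"/>
  </md:IDPSSODescriptor>
 </md:EntityDescriptor>
 <md:EntityDescriptor entityID="https://idp-b.example.test/entity"/>
</md:EntitiesDescriptor>"""

def import_preview(metadata_xml):
    """Settings from the FIRST entity only; None marks a field to enter manually."""
    root = ET.fromstring(metadata_xml)
    tag = "{%s}EntityDescriptor" % NS["md"]
    entities = [root] if root.tag == tag else root.findall(".//md:EntityDescriptor", NS)
    if not entities:
        raise ValueError("no EntityDescriptor in metadata")
    first = entities[0]
    idp = first.find("md:IDPSSODescriptor", NS)
    def loc(name):  # Location of the first endpoint of that kind, if any
        el = idp.find("md:" + name, NS) if idp is not None else None
        return el.get("Location") if el is not None else None
    cert = None
    if idp is not None:
        for kd in idp.findall("md:KeyDescriptor", NS):
            if kd.get("use") in (None, "signing"):  # skip encryption-only keys
                text = kd.findtext(".//ds:X509Certificate", None, NS)
                cert = "".join(text.split()) if text else None
                break
    protocols = idp.get("protocolSupportEnumeration", "").split() if idp is not None else []
    return {"SSO Login URL": loc("SingleSignOnService"),
            "SSO Logout URL": loc("SingleLogoutService"),
            "IDP Issuer": first.get("entityID"),
            "Certificate": cert,
            "SAML Version": "2.0" if SAML2 in protocols else None,
            "ignored_entities": [e.get("entityID") for e in entities[1:]]}
```

A non-empty `ignored_entities` list means the file holds more than one configuration; check that the first one is the identity provider you intend to trust.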

Set up a Yext App in your Identity Provider

Next, you will need to set up a Yext App in your Identity Provider. The steps for this will differ depending on which provider you use. Click on the link below for specific steps to set this up in the corresponding identity provider.