Introduction
For SSO (Single Sign-On) integration, Innomesh acts as a Service Provider (SP) and can integrate with an identity provider (IdP) set up by your organisation. The most common use case is integrating with Active Directory or Entra ID using Security Assertion Markup Language 2.0 (SAML2).
Integration Steps
Step 1: Provide Your Organisation’s SAML Metadata
To get started, provide Innomate with your organisation’s SAML metadata. This is preferably supplied as a URL so that it can be dynamically retrieved, but providing it as a file is also acceptable.
Step 2: Configure Your Organisation’s IdP
Your IdP needs to be configured with the following values, which Innomate will supply:
-
Add relying party trust for AWS (required for some IdPs):
https://signin.aws.amazon.com/static/saml-metadata.xml -
Configure the SAML Audience (Entity ID) for Innomesh Portals (provided by Innomate):
urn:amazon:cognito:sp:<aws-region>_xxxxxxxxx -
Configure the Assertion Consumer Service (ACS) URL for Innomesh Portals:
https://<tenant>.auth.<aws-region>.amazoncognito.com/saml2/idpresponse
<tenant> with your organisation’s Innomesh tenant identifier. Innomate will provide the exact values for your environment.Step 3: Configure SAML Assertion Attributes
Your IdP must be configured to return the following SAML assertion attributes:
| Attribute Name | Format | Description |
|---|---|---|
givenName (urn:oid:2.5.4.42) | Text | User’s given name |
sn (urn:oid:2.5.4.4) | Text | User’s family name |
mail (urn:oid:0.9.2342.19200300.100.1.3) | Email address | User’s email address |
memberof | Text | Optional — used for RBAC role assignment |
The memberof attribute accepts the following values:
| Value | Access Level |
|---|---|
Innomesh_admins | Admin access for Room Manager |
Innomesh_users | Restricted technician access for Room Manager |
Innoportal_admins | Admin access for Portal |
Innoportal_users | Restricted technician access for Portal |
Optional Step: Role-Based Access Control via memberof
memberof is a custom attribute Innomesh uses to map users to roles defined in its RBAC engine. Multiple roles can be assigned by including multiple memberof attribute values in the SAML assertion:
<Attribute Name="memberof">
<AttributeValue>Innomesh_admins</AttributeValue>
<AttributeValue>Innoportal_admins</AttributeValue>
</Attribute>In an Active Directory or Entra ID integration, groups can be mapped to memberof values, allowing administrators to control Innomesh user authorisation directly from their directory — simply by placing users into the relevant groups.
memberof, Innomesh’s built-in RBAC engine can be used to assign user roles directly within the platform instead. Contact Innomate to configure this.Active Directory Group Mapping
For organisations using Active Directory, the recommended approach is to create AD groups that correspond to the memberof values:
- Create an AD group named
Innomesh_adminsand add users who require admin access to Room Manager. - Create an AD group named
Innoportal_adminsand add users who require admin access to Portal. - Create equivalent groups for
_userslevel access as needed.
When a user authenticates, the IdP includes their AD group memberships in the SAML assertion’s memberof attribute, and Innomesh maps these to the appropriate access level.
Useful Links
Frequently Asked Questions
Can Innomate provide a signing certificate? Yes, on request. A signing certificate is typically related to the IdP sign-out flow, which is not usually enabled, so one should not generally be required.
Does Innomesh support IdP-Initiated SSO? No. Attempts to perform an IdP-initiated SSO will result in an error. Users must navigate to the Innomesh login page to initiate the SSO flow.
Will Innomesh be signing AuthnRequests? Not at this time — this is a current limitation of the underlying identity platform.
Does Innomesh expect unencrypted SAML responses? Yes.
Does the Innomesh ACS use HTTP-POST binding? Yes.
Does Innomesh expect a NameID in the SAML assertion?
Yes — however, only its presence is required. The value itself is not used, but it must be no longer than 128 characters.
Can permissions be assigned locally if the IdP does not support memberof?
Service-side authorisation setup is available but not self-service. Innomate must configure it per user, making it impractical for large user bases.
Why am I being redirected back to the SSO selection page each time I log in? This typically indicates the SAML assertion attributes are configured incorrectly — refer to Step 3 above.
If using the memberof feature, this may also occur if users belong to too many groups, since each attribute has a hard limit of 2048 characters. Either reduce the number of groups exposed to Innomesh to only those required, or contact Innomate to disable the memberof feature and manage user roles directly within Innomesh instead.