SAML Setup Guide
Partner Required Tasks
Access to the VerifyIQ user interface is accomplished via SAML-based Single Sign On (SSO).
You will need to complete the following steps and provide Informed with the resulting federated XML metadata file from your Identity Provider (IdP) for each applicable environment. If your IdP supports a secure SAML metadata URL from which Informed can retrieve the metadata as needed, you may provide that URL instead of an XML file. The metadata URL approach has several advantages, most notably that certificate updates do not need to be coordinated by hand in the future.
1) Setup SAML parameters
You will configure your IdP using the values shown below for ACS URL and Entity ID.
ACS URL
| Environment | Value |
|---|---|
| Prod | https://informed-application-auth-prod-pool.auth.us-west-2.amazoncognito.com/saml2/idpresponse |
| Staging | https://informed-application-auth-staging-pool.auth.us-west-2.amazoncognito.com/saml2/idpresponse |
Entity ID
| Environment | Value |
|---|---|
| Prod | urn:amazon:cognito:sp:us-west-2_mNcPHzOmX |
| Staging | urn:amazon:cognito:sp:us-west-2_2fANQXUu0 |
Name ID
When asked to specify the value used for the primary Name ID, please select Email Address.
2) Configure SAML attributes
Please do not include any namespacing component in the naming of these attributes in your IdP app. The attribute names that you define in your IdP app should match the four attribute values shown below exactly, including the case-sensitive camel-casing.
These four attributes will need to be mapped for each of the users receiving access in your system in order for the SAML assertion to work:
| Attribute | Description |
|---|---|
| firstName | The first name of the user |
| lastName | The last name of the user |
| | The email address associated with the user |
| role | The allowed access role for the user. The value that is sent for this attribute must be one of viewer, loan_officer, underwriter or manager as described below |
The first three attributes map directly to existing user attributes in your IdP; how you populate the role attribute is at your discretion and depends on your needs. Initially, for expediency, you can set the role attribute to the static text manager or loan_officer for test and development users. Over time, you can add a custom attribute to your users or take the common approach of regular-expression-based rules tied to group names.
Roles
The role that your organization assigns to the user will determine their level of access to the VerifyIQ portal. The table below describes the different possible roles available and the resulting level of access.
| Role | Authorized Access |
|---|---|
| viewer | Can access the VerifyIQ portal and search for and view applications, including their images, extractions and verification results |
| loan_officer | Adds the ability to edit/adjust extractions and verifications (see the Human in the Loop, or HITL, section), upload documents, or send text messages to applicants to collect documents |
| underwriter | All of the same functionality as loan_officer, including viewing and editing extractions and verifications, uploading documents and collecting documents via SMS; however, this role is blocked from viewing an applicant's uploaded ID images, in support of fair lending regulations. |
| manager | All of the above, plus the ability to view the Insights dashboard, which reports on and summarizes the data for a given time period. Note that the Insights dashboard exists only in the production environment. |
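As an added pre-flight check that is not part of this guide or of Informed's tooling, the Python below parses a SAML 2.0 assertion of the shape your IdP will produce (a constructed sample is embedded) and reports any deviation from the attribute and role requirements above: exact camelCase names with no namespacing, an email-format NameID, and a role value from the roles table. The name of the email attribute is an assumption, since the attribute table leaves it blank.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
EMAIL_NAMEID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# ASSUMPTION: the guide leaves the email attribute's name blank in its table;
# "email" is a placeholder to confirm with Informed, not a value from the guide.
EMAIL_ATTRIBUTE_NAME = "email"
REQUIRED_ATTRIBUTES = ("firstName", "lastName", EMAIL_ATTRIBUTE_NAME, "role")
ALLOWED_ROLES = {"viewer", "loan_officer", "underwriter", "manager"}

# Constructed sample assertion (no signature/conditions), shaped as the guide requires.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}">
  <saml:Subject><saml:NameID Format="{EMAIL_NAMEID_FORMAT}">jane@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{EMAIL_ATTRIBUTE_NAME}"><saml:AttributeValue>jane@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="role"><saml:AttributeValue>loan_officer</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_assertion(assertion_xml: str) -> list[str]:
    """Return the problems found; an empty list means the attribute contract is met."""
    ns = {"saml": SAML_NS}
    root = ET.fromstring(assertion_xml)
    problems = []
    name_id = root.find("saml:Subject/saml:NameID", ns)
    if name_id is None or name_id.get("Format") != EMAIL_NAMEID_FORMAT:
        problems.append("NameID is missing or its Format is not emailAddress")
    # Attribute Name -> values, keyed by the exact (case-sensitive) name sent.
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", ns):
        attrs[attr.get("Name", "")] = [v.text or "" for v in attr.findall("saml:AttributeValue", ns)]
    for name in attrs:
        # Claim URIs or urn:oid names never match the plain camelCase names.
        if ":" in name or "/" in name:
            problems.append(f"attribute {name!r} carries a namespace component")
    for required in REQUIRED_ATTRIBUTES:
        if required not in attrs:
            # Call out a case-only mismatch (e.g. "firstname") since it is the usual slip.
            near = [n for n in attrs if n.lower() == required.lower()]
            hint = f" (found {near[0]!r} instead)" if near else ""
            problems.append(f"missing attribute {required!r}{hint}")
    for role in attrs.get("role", []):
        if role not in ALLOWED_ROLES:
            problems.append(f"role {role!r} is not one of {sorted(ALLOWED_ROLES)}")
    return problems
```

Run it against a real assertion captured from your IdP's test login (for example via your browser's SAML tracer) before sending metadata to Informed.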
3) Send XML metadata
You will be able to log into the Informed VerifyIQ interface once you have provided your configured app's federated XML metadata file for each environment and Informed has updated your account configuration. To test your setup, send the metadata files (or the metadata URL) to Informed at support@informed.iq. Informed will confirm once the setup is complete.
4) User login
When each environment's configuration is complete, Informed will share customer-specific VerifyIQ login URLs for users to log in. The URLs will follow the domain structures below for the Production and Staging environments:
| Environment | Value |
|---|---|
| Prod | https://{partnername}.verifyiq.prod.informediq.com |
| Staging | https://{partnername}.verifyiq.staging.informediq-infra.com |