SAML Setup Guide
Partner Required Tasks
Access to the VerifyIQ user interface is accomplished via SAML-based Single Sign On (SSO).
You will need to complete the following steps and provide Informed with the resulting federated XML metadata file from your Identity Provider (IdP) for each applicable environment.
1) Setup SAML parameters
You will configure your IdP using the values shown below for ACS URL and Entity ID.
Use the v2 parameters shown below unless you have previously established SSO with Informed using the v1 parameters, or your Informed account representative tells you otherwise.
v2
ACS URL
| Environment | Value |
|---|---|
| Prod | https://informed-application-auth-prod-pool.auth.us-west-2.amazoncognito.com/saml2/idpresponse |
| Staging | https://informed-application-auth-staging-pool.auth.us-west-2.amazoncognito.com/saml2/idpresponse |
Entity ID
| Environment | Value |
|---|---|
| Prod | urn:amazon:cognito:sp:us-west-2_mNcPHzOmX |
| Staging | urn:amazon:cognito:sp:us-west-2_2fANQXUu0 |
v1 (will be deprecated)
ACS URL
| Environment | Value |
|---|---|
| Prod | https://application-auth-service.prod.informediq-infra.com/application-auth/v1/saml/<InformedID>/callback |
| Staging | https://application-auth-service.staging.informediq-infra.com/application-auth/v1/saml/<InformedID>/callback |
Entity ID
| Environment | Value |
|---|---|
| Prod | VERIFY-IQ-JSON-PROD-<INFORMEDID> |
| Staging | VERIFY-IQ-JSON-STAGING-<INFORMEDID> |
Informed will provide your InformedID when required.
Name ID
When asked to specify the value used for the primary Name ID, please select Email Address.
2) Configure SAML attributes
Do not include any namespace component in the names of these attributes in your IdP app. The attribute names you define in your IdP app must match the four attribute names shown below exactly, including the case-sensitive camel-casing.
All four attributes must be mapped for every user who will receive access in your system; otherwise the SAML assertion will not be accepted:
| Attribute | Description |
|---|---|
| firstName | The first name of the user |
| lastName | The last name of the user |
|  | The email address associated with the user |
| role | The allowed access role for the user. The value that is sent for this attribute must be one of viewer, loan_officer, underwriter or manager as described below |
The first three attributes have very clear relationships to the existing user attributes in your IdP, but you will have discretion over how you implement the role attribute depending on your needs. Initially, for expediency, you can set the value of the role attribute to be the static text manager or loan_officer for the test and development users. Over time, you can add a custom attribute to your users or take the common approach of regular expression-based rules with associated group names.
Roles
The role that your organization assigns to the user will determine their level of access to the VerifyIQ portal. The table below describes the different possible roles available and the resulting level of access.
| Role | Authorized Access |
|---|---|
| viewer | Can access the VerifyIQ portal and search for and view applications, including the document images, extraction results and verification results |
| loan_officer | Everything a viewer can do, plus the ability to edit or adjust extractions and verifications (see the Human in the Loop, HITL, section), upload documents, and send text messages to applicants to collect documents |
| underwriter | All of the same functionality as the loan_officer above, including the ability to view and edit extractions and verifications, upload documents and collect documents via SMS. However, this role is blocked from viewing an applicant's uploaded ID images, in support of fair lending regulations. |
| manager | All of the above functionality, plus the ability to view the Insights dashboard, which contains the reporting and summarization of the data for a given time period. Note that the Insights dashboard exists only in the production environment. |
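Before sending metadata, it helps to confirm that a test assertion from your IdP actually carries the four attributes described in step 2 and a role value from the table above. The following Python check is an added example, not Informed's code or tooling. It parses an assertion's AttributeStatement and reports the mistakes this guide warns about: a namespaced or wrongly cased attribute name, a missing attribute, a role outside the four allowed values, and a NameID that is not the email address. Both assertions are constructed, unsigned samples; the name of the email attribute is assumed to be email, since the table in step 2 does not state it.

```python
"""Check a SAML assertion for the attributes VerifyIQ expects.

Added example, not Informed's own code. It inspects attribute names and values
only; signature, audience and timestamp validation is the SP's job and is not
done here.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
ALLOWED_ROLES = ("viewer", "loan_officer", "underwriter", "manager")
# Bare, case-sensitive names. "email" is an assumption: the guide's table omits
# the name of the email attribute.
REQUIRED_ATTRIBUTES = ("firstName", "lastName", "email", "role")

# Constructed, unsigned sample assertion that follows the guide.
GOOD_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2025-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="email"><saml:AttributeValue>jane@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="role"><saml:AttributeValue>loan_officer</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed sample with the mistakes this guide warns about: wrong case,
# a namespaced claim name, an unspecified NameID format and an unknown role.
BAD_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-2" Version="2.0" IssueInstant="2025-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">bob@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="FirstName"><saml:AttributeValue>Bob</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://schemas.example.com/claims/lastName"><saml:AttributeValue>Roe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="email"><saml:AttributeValue>bob@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="role"><saml:AttributeValue>admin</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_assertion(xml_text):
    """Return a list of problems; an empty list means the attribute set is acceptable."""
    root = ET.fromstring(xml_text)
    problems = []

    # Step 1 of the guide asks for the email address as the primary Name ID.
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        problems.append("Subject has no NameID")
    elif name_id.get("Format") != EMAIL_FORMAT:
        problems.append(f"NameID Format is {name_id.get('Format')!r}, expected emailAddress")

    # Collect Name -> [values] in document order.
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name", "")] = values

    # Namespaced claim URIs and case mismatches are the two common naming mistakes.
    lowered = {r.lower(): r for r in REQUIRED_ATTRIBUTES}
    for name in attrs:
        if "/" in name or ":" in name:
            problems.append(f"attribute {name!r} carries a namespace component; use the bare name")
        elif name not in REQUIRED_ATTRIBUTES and name.lower() in lowered:
            problems.append(f"attribute {name!r} has the wrong case; expected {lowered[name.lower()]!r}")

    for required in REQUIRED_ATTRIBUTES:
        if required not in attrs:
            problems.append(f"missing attribute {required!r}")
        elif len(attrs[required]) != 1 or not attrs[required][0]:
            problems.append(f"attribute {required!r} must carry exactly one non-empty value")

    role = attrs.get("role", [])
    if len(role) == 1 and role[0] and role[0] not in ALLOWED_ROLES:
        problems.append(f"role {role[0]!r} is not one of {', '.join(ALLOWED_ROLES)}")

    email = attrs.get("email", [])
    if name_id is not None and len(email) == 1 and email[0] and (name_id.text or "").strip() != email[0]:
        problems.append("NameID does not match the email attribute")
    return problems


if __name__ == "__main__":
    for label, doc in (("good", GOOD_ASSERTION), ("bad", BAD_ASSERTION)):
        print(label, check_assertion(doc) or "OK")
```

Run it against a decoded SAMLResponse captured from a browser developer-tools session with a test user (the Base64 payload of the SAMLResponse form field, decoded and passed as a string). A clean run on your test users means the attribute mapping matches step 2; it says nothing about signing, which the SP checks when it consumes your metadata.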
3) Send XML metadata
You will be able to log into the Informed VerifyIQ interface once you have provided the federated XML metadata file from your configured IdP app for each environment and Informed has updated your account configuration. To test your setup, send the metadata files to Informed at support@informed.iq. Informed will confirm once the setup is complete.
4) User login
When each environment configuration is complete, Informed will share customer-specific VerifyIQ login URLs for your users. The URLs follow the domain structures below for the Production and Staging environments:
| Environment | Value |
|---|---|
| Prod | https://<InformedID>.verifyiq.prod.informediq.com |
| Staging | https://<InformedID>.verifyiq.staging.informediq-infra.com |