Aptify SAML SSO Configuration
VIDEO TRANSCRIPT | Recorded: 2025-12-19 | Verify against current system state
Abstract¶
This session provides comprehensive coverage of SAML SSO configuration in Aptify's eBusiness system. Jeff explains the SAML plugin architecture, stored procedure customization for assertion attributes, and configuration of service providers including Higher Logic, SMApply, RhythmQ, and CraftCMS. The session also covers key differences when migrating to Salesforce connected apps, including limitations on attribute mapping and the critical issue of user identity changes between systems.
Key Procedures¶
- SAML plugin was purchased separately; now free add-on to Aptify
- Key stored procedure: SP_GetSAMLAssertionAttributes; customize it for each provider
- Stored procedures MUST be created and saved within Smart Client, not directly in SSMS (edits made in SSMS will be overwritten)
- Ask vendors whether they use SAML or OAuth: SAML uses this plugin; OAuth uses Identity Server
- Name ID is always the Web User's User ID (NOT the Person ID); this cannot be changed
- Custom attributes passed via assertion attributes database object field
- Skip Single Logout: it does not work reliably, and vendors agree it is not worth the effort
- Start simple when configuring: Issuer Name, ACS URL, Public Key only if needed; add complexity (certificates, extra attributes) once the basic handshake works
- A SAML trace browser extension is essential for debugging handshakes
- For Salesforce: access connected apps via Setup → App Manager (only way that works)
Notable Statements¶
- 0:00:36 "This plugin creates a couple of new entities in Aptify that revolve around SAML providers and SAML configuration. The big one that you need to know about is the stored procedures."
- 0:01:12 "These are Aptify SQL stored procedures that need to be entered and saved within Smart Client. You don't need to be creating them directly through SSMS or it's going to get overwritten."
- 0:04:01 "The name ID for Aptify is always web user, user ID. You cannot change this. This is not the person ID... My person ID is 1599753. My user ID starts with a nine. So it's not the same number."
- 0:05:02 "Single logout - I just have not had very good luck with single logout. I have tried to utilize it in the past and it just doesn't seem to work. So I usually skip it."
- 0:10:44 "When you're migrating to Salesforce connected apps, you need to just kind of do a copy of this information... What you're trying to do is match one to one so that you don't have to rebuild anything."
- 0:12:38 "Attribute mapping in Salesforce is a little bit different... Salesforce has reserved attribute names. The attribute values come from the user object. Only the fields that are on the user object can be used."
- 0:13:45 "User identity is going to change, and this is the biggest problem... The user ID is absolutely going to change. Before it was the Aptify user web ID. In Salesforce it's going to be a GUID."
- 0:17:30 "There are so many ways for things to go wrong with SAML... my go-to is just to make it as simple as possible up front. Don't complicate it by having certificates or anything like that at the beginning."
- 0:24:37 "It can take months for this to work for each of the vendors... some vendors are requiring a cost that's associated to moving to a different SAML integration."
Systems & Configurations¶
Service Providers Using SAML¶
| Provider | Status | Notes |
|---|---|---|
| Higher Logic Communities | Active | Custom SAML request modifications made |
| BoardEffect | Deprecated | Going away; uses web group restriction |
| API Source (AANP Store) | Active | Sandbox available for testing |
| RhythmQ Awards | Active | Each site needs separate config |
| Zendesk | Active | Required full claim URI support |
| SessionBoard | Used | SAML integration |
| SMApply | Active | Verified working in Salesforce staging |
| CraftCMS | Active | Custom code issue after handshake |
| Conference Compass | OIDC | Uses OIDC, not SAML |
Aptify SAML Provider Configuration Fields¶
| Field | Description | Required |
|---|---|---|
| Name | Display name for internal identification | Yes |
| Enabled | Toggle to enable/disable without deleting | Yes |
| Issuer Name | Must match exactly what vendor provides | Yes |
| ACS URL | Assertion Consumer Service URL the SAML response is POSTed to; may be left blank, but setting it is recommended | Recommended |
| Single Logout | Skip - doesn't work reliably | No |
| Public Key | Required if verifying SAML response signature | Conditional |
| Attributes Database Object | Stored procedure for custom attributes | Yes |
| Web Group | Restrict SSO to specific web group members | Optional |
Common Assertion Attributes¶
- First Name
- Last Name
- Member Type (AANP-specific)
- Is Current Member (boolean)
- Membership Expiration Date
- Member Groups (custom JSON function)
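The following is an added example, not code from Aptify, the plugin, or the session. It builds the kind of response the plugin issues (NameID carrying the Web User's User ID, the stored-procedure attributes listed above in an AttributeStatement), decodes it the way a SAML trace extension shows it, and runs the checks the receiving side performs under the "start simple" configuration: exact Issuer match, audience, and expiry, with no signature verification yet. The issuer URL, vendor entity ID, user ID, attribute names and values are all constructed assumptions.

```python
"""Added example: build, decode and check a minimal SAML 2.0 response.
Not Aptify's code; every identifier and value below is constructed."""
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
ET.register_namespace("saml", SAML)
ET.register_namespace("samlp", SAMLP)
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def q(ns, tag):
    """Clark-notation tag name as ElementTree expects it."""
    return "{%s}%s" % (ns, tag)


def build_response(issuer, audience, web_user_id, attributes, not_on_or_after):
    """Build an unsigned SAMLResponse and return it base64-encoded, the form that is
    POSTed to the vendor's ACS URL. NameID carries the Web User's User ID (never the
    Person ID); the AttributeStatement carries the stored procedure's output."""
    resp = ET.Element(q(SAMLP, "Response"), Version="2.0")
    ET.SubElement(resp, q(SAML, "Issuer")).text = issuer
    assertion = ET.SubElement(resp, q(SAML, "Assertion"), Version="2.0")
    ET.SubElement(assertion, q(SAML, "Issuer")).text = issuer
    subject = ET.SubElement(assertion, q(SAML, "Subject"))
    ET.SubElement(subject, q(SAML, "NameID"),
                  Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified").text = str(web_user_id)
    conditions = ET.SubElement(assertion, q(SAML, "Conditions"),
                               NotOnOrAfter=not_on_or_after.strftime(TIME_FMT))
    restriction = ET.SubElement(conditions, q(SAML, "AudienceRestriction"))
    ET.SubElement(restriction, q(SAML, "Audience")).text = audience
    statement = ET.SubElement(assertion, q(SAML, "AttributeStatement"))
    for name, value in attributes.items():
        attr = ET.SubElement(statement, q(SAML, "Attribute"), Name=name)
        ET.SubElement(attr, q(SAML, "AttributeValue")).text = str(value)
    return base64.b64encode(ET.tostring(resp, encoding="utf-8")).decode("ascii")


def decode_response(saml_response_b64):
    """Undo the transport encoding: this is the XML a SAML trace extension displays."""
    return ET.fromstring(base64.b64decode(saml_response_b64))


def check_response(root, expected_issuer, expected_audience, now):
    """Checks the receiving side runs before trusting the assertion. Returns a list of
    problems (empty means accepted). Signature verification is deliberately absent:
    this is the 'start simple' configuration with Issuer Name and ACS URL only."""
    problems = []
    assertion = root.find(q(SAML, "Assertion"))
    if assertion is None:
        return ["no Assertion element"]
    issuer = (assertion.findtext(q(SAML, "Issuer")) or "").strip()
    # Exact string comparison: a trailing slash or a case difference is a mismatch.
    if issuer != expected_issuer:
        problems.append("issuer mismatch: got %r, expected %r" % (issuer, expected_issuer))
    audience = assertion.findtext("%s/%s/%s" % (q(SAML, "Conditions"),
                                               q(SAML, "AudienceRestriction"),
                                               q(SAML, "Audience")))
    if audience != expected_audience:
        problems.append("audience mismatch: got %r" % audience)
    conditions = assertion.find(q(SAML, "Conditions"))
    expiry = conditions.get("NotOnOrAfter") if conditions is not None else None
    if expiry is None:
        problems.append("no NotOnOrAfter condition")
    elif now >= datetime.strptime(expiry, TIME_FMT).replace(tzinfo=timezone.utc):
        problems.append("assertion expired")
    return problems


def extract_identity(root):
    """Return (NameID, {attribute name: value}) as the vendor's side sees them."""
    assertion = root.find(q(SAML, "Assertion"))
    name_id = assertion.findtext("%s/%s" % (q(SAML, "Subject"), q(SAML, "NameID")))
    attrs = {a.get("Name"): a.findtext(q(SAML, "AttributeValue"))
             for a in assertion.iter(q(SAML, "Attribute"))}
    return name_id, attrs


def demo():
    """Constructed walk-through: a good response, an issuer typo, and a stale replay."""
    now = datetime(2025, 12, 19, 12, 0, tzinfo=timezone.utc)
    idp_issuer = "https://ebiz.example.org/saml"   # assumed Aptify issuer name
    sp_entity = "https://vendor.example.com/sp"    # assumed vendor entity ID
    b64 = build_response(
        issuer=idp_issuer, audience=sp_entity,
        web_user_id=9000123,                       # assumed Web User User ID
        attributes={"FirstName": "Ada", "LastName": "Lovelace",
                    "IsCurrentMember": "true", "MembershipExpirationDate": "2026-06-30",
                    "MemberGroups": '["Fellows", "Chapter-TX"]'},
        not_on_or_after=now + timedelta(minutes=5),
    )
    root = decode_response(b64)
    name_id, attrs = extract_identity(root)
    return {
        "name_id": name_id,
        "attrs": attrs,
        "accepted": check_response(root, idp_issuer, sp_entity, now),
        "issuer_typo": check_response(root, idp_issuer + "/", sp_entity, now),
        "replayed": check_response(root, idp_issuer, sp_entity, now + timedelta(minutes=10)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The issuer check is a plain string comparison on purpose: when a vendor says the handshake "fails for no reason", a trailing slash or case difference between the Issuer Name field and what the vendor's metadata carries is the first thing to compare in the trace.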
Salesforce Connected Apps Status¶
| App | Status | Notes |
|---|---|---|
| AANP (ITC-created) | Active | home.aanp.org Experience Cloud |
| AANP_CraftCMS | Testing | Handshake works; custom code failing after |
| AANP_SMApply | Verified | User not duplicated, existing user found |
| AANP_ConferenceCompass | Verified | Finds user by email |
| AANP_RQAwards | Testing | Each site different; one verified |
| AANP_Store | Testing | Sandbox from API Source |
Credentials/Access Mentioned¶
- Aptify Smart Client (eBusiness service access)
- SAML SSO Service Providers menu in eBusiness
- SAML SSO Logs for troubleshooting
- Salesforce Setup → App Manager
- GitHub commit history for SAML code changes
Errors & Troubleshooting¶
- Issue: Stored procedure changes overwritten (0:01:12)
  - Cause: Creating or editing stored procedures directly in SSMS
  - Resolution: Always create and save stored procedures through Aptify Smart Client
- Issue: User ID mismatch after Salesforce migration (0:13:45)
  - Cause: Aptify sends the numeric web user ID as the Name ID; Salesforce sends a GUID
  - Resolution: Match on email or Person ID instead; work with the vendor to key on an alternate identifier
- Issue: IdP certificates expired (0:07:02)
  - Cause: Certificate verification is not actively in use, so the expiry had no visible effect
  - Resolution: Update the certificates if needed (documentation is available); otherwise focus effort on the Salesforce move
- Issue: CraftCMS SAML half-working (0:21:33)
  - Cause: Custom code on the AANP side fails after the handshake and authentication succeed
  - Resolution: Debug the custom CraftCMS code; the handshake itself works correctly
- Issue: Vendor only supports a single SSO provider (0:12:01)
  - Cause: Some vendors cannot run the Aptify and Salesforce SAML configurations simultaneously
  - Resolution: Test in the vendor sandbox, document the changes, and coordinate rollover timing
Salesforce Migration Notes¶
Key Differences from Aptify¶
- Attribute Source: Salesforce attributes must come from User object fields (not stored procedures)
- Reserved Names: Salesforce has reserved attribute names that must be used
- Custom Logic: Complex logic (like member groups JSON) may require Apex code or formula fields
- User Identity: GUID-based user ID vs. Aptify's numeric web user ID
- Well-Known Endpoint: Salesforce provides metadata discovery endpoint (Aptify did not)
Migration Strategy¶
- Copy issuer name and ACS URL from Aptify config
- Work with vendor - IDP certificate and ACS URL will be different
- Best case: Vendor can run both Aptify and Salesforce configs simultaneously
- Use vendor sandbox if available for testing
- Document all changes for production rollover
- Allow 2-3 weeks to 2-3 months per vendor for full migration
- Some vendors may charge for migration assistance
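An added example, not code from Aptify, Salesforce, or any of the vendors named on this page, covering the identity problem raised in the troubleshooting list and in the migration notes above: under Aptify the Name ID is the numeric web user ID, under a Salesforce connected app it becomes a GUID, so a vendor that keys accounts on the Name ID alone creates a duplicate for every existing member after the cutover. The block shows that naive behaviour beside a version that falls back to the email attribute and re-keys the account on first login, the outcome reported for SMApply ("user not duplicated, existing user found"). The user records, IDs and email values are constructed; the field names are assumptions.

```python
"""Added example: vendor-side account matching across the Aptify -> Salesforce NameID change.
Not the code of Aptify, Salesforce or any vendor; all records below are constructed."""
import re

NUMERIC = re.compile(r"^\d+$")   # shape of an Aptify web user User ID


def make_store(users):
    """Index constructed SP-side user records by legacy ID, current NameID and email."""
    return {
        "users": list(users),
        "by_legacy": {u["aptify_web_user_id"]: u for u in users if u.get("aptify_web_user_id")},
        "by_subject": {u["sso_subject"]: u for u in users if u.get("sso_subject")},
        "by_email": {u["email"].lower(): u for u in users if u.get("email")},
    }


def _create(store, name_id, attrs):
    user = {"email": attrs.get("Email", "").strip().lower(), "sso_subject": name_id,
            "aptify_web_user_id": name_id if NUMERIC.match(name_id) else None,
            "first": attrs.get("FirstName"), "last": attrs.get("LastName")}
    store["users"].append(user)
    store["by_subject"][name_id] = user
    if user["email"]:
        store["by_email"][user["email"]] = user
    return user


def provision_naive(store, name_id, attrs):
    """Match on NameID only. After the IdP switch no GUID matches a stored numeric ID,
    so every returning member gets a brand-new (duplicate) account."""
    user = store["by_subject"].get(name_id) or store["by_legacy"].get(name_id)
    return (user, "matched") if user else (_create(store, name_id, attrs), "created")


def provision(store, name_id, attrs):
    """Match on the current NameID, then the legacy numeric ID, then the email attribute.
    The email fallback is acceptable only because the IdP is the association's own
    membership system and is authoritative for that address; with an arbitrary IdP it
    would let anyone who controls the IdP take over any account by email."""
    user = store["by_subject"].get(name_id)
    if user:
        return user, "matched-subject"
    if NUMERIC.match(name_id) and name_id in store["by_legacy"]:
        return store["by_legacy"][name_id], "matched-legacy"
    email = attrs.get("Email", "").strip().lower()
    if email and email in store["by_email"]:
        user = store["by_email"][email]
        user["sso_subject"] = name_id           # re-key: next login matches directly
        store["by_subject"][name_id] = user
        return user, "relinked"
    return _create(store, name_id, attrs), "created"


def migrate_demo():
    """Constructed cutover: two members provisioned under Aptify, then Ada signs in
    through the Salesforce connected app with a GUID NameID and an Email attribute."""
    seed = [
        {"email": "ada@example.org", "sso_subject": "9000123",
         "aptify_web_user_id": "9000123", "first": "Ada", "last": "Lovelace"},
        {"email": "grace@example.org", "sso_subject": "9000456",
         "aptify_web_user_id": "9000456", "first": "Grace", "last": "Hopper"},
    ]
    sf_name_id = "8d6a9f2e-3b1c-4e7a-9c5d-1f2e3a4b5c6d"   # assumed post-migration NameID
    attrs = {"Email": "Ada@example.org", "FirstName": "Ada", "LastName": "Lovelace"}

    naive = make_store([dict(u) for u in seed])
    _, naive_action = provision_naive(naive, sf_name_id, attrs)

    good = make_store([dict(u) for u in seed])
    user, action = provision(good, sf_name_id, attrs)
    _, second_login = provision(good, sf_name_id, attrs)
    return {
        "naive_action": naive_action, "naive_count": len(naive["users"]),
        "action": action, "count": len(good["users"]),
        "second_login": second_login, "relinked_legacy_id": user["aptify_web_user_id"],
    }


if __name__ == "__main__":
    for key, value in migrate_demo().items():
        print(key, value)
```

The comparison is case-insensitive on email because attribute values arrive however the IdP stores them; the legacy numeric ID is kept on the record so reports and support tooling that still reference the Aptify web user ID keep working after the re-key.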
Debugging Tools¶
- SAML Trace: Browser extension for Chrome/Edge - shows all SAML handshakes
- Certificate Tools: samltool.com for generating and inspecting certificates; onetimesecret.com for handing a secret to a vendor over a one-time link. Treat anything generated on or pasted into a third-party site as disclosed: for a production signing key, generate the key pair locally (for example with OpenSSL) and share only the certificate, never the private key
- Metadata Discovery: Use Salesforce well-known endpoint to share settings
- SAML SSO Logs: Available in Aptify eBusiness service
Transcript Gaps & Quality Notes¶
- Recording from live session with McKenna Stout
- Duration: ~25 minutes
- Presenter: Jeff Sikes
- Mentions documentation links to be included separately
- References GitHub commit history for code changes
- Some repetitive text in transcript due to audio capture
- Audio quality: Good