Groupsite SSO (SAML 2.0)
The following documentation provides details on Groupsite SSO which uses the latest SAML 2.0 implementation.
Below is an explanation and example of the HTTPS POST request your system will need to send to Groupsite to log users in. Our SSO system is set up to keep Users and Group Memberships in sync with your internal authentication platform.
As an SSO Service Provider, Groupsite gives you full management of the following:
- Add/Remove User from a Group
- Add/Remove User from a Subgroup
- Automatic creation of new User and/or Email address
- Synchronizing User attributes (e.g. First Name, Last Name, Timezone, etc.)
Groupsite will create and share the following settings during account setup. The exceptions are the External Login and External Logout URLs, which the customer must provide to us.
All SSO communication is encrypted and protected using an X.509 private/public key pair provided by Groupsite. The private key should be kept private! 😃 It is shared only between your tech team and ours. We can change the private key when needed if it is ever compromised (for example, if a tech employee who had access to the key is leaving your company).
- Please contact Groupsite Support to have an X.509 key issued and linked to your account.
- The X.509 public key needs to be included in the SAMLResponse document in order for your request to be accepted. We use sha256 certificates by default.
- We are happy to use an X.509 key provided by your team if you prefer. Please make sure it is sha256.
Each SSO customer will be given a unique code which is used by our service to identify the organization that we are performing logins for. Going forward we will refer to this unique code as the Customer SSO Code.
Most likely this code will use your company's name or abbreviation in all lower case. For example, an organization with the name "Acme Co" may be given a code: acmeco
The external login and external logout urls tell us where to redirect the user when they need to log in or out of the platform. You will need to send us your preferred urls, for example:
https://yourcompany.com/login
https://yourcompany.com/logout
We may already have your login/logout urls if you are a current Groupsite SSO customer.
Customers will need to create and send a SAMLResponse to sso.groupsite.com:
- The SAMLResponse is an XML document you will create with SAML 2.0 specifications.
- The document uses XML attributes to specify email address, user and membership settings.
- The document must include an X.509 public key to authenticate with our system.
- The final document then must be Base64 encoded which allows us to send it in the URL of the POST request.
- Terminology:
  - Groupsite.com is the Service Provider (SP)
  - Customer is the Identity Provider (IdP)
- uid >> Required - Unique ID for each user
- email >> Required
- first_name >> Required
- last_name >> Required
- groups >> Required - multiple Group Codes (subdomains), each with their own <AttributeValue> tag. Use the value ALL to join the user to all groups in a division:
- subgroups >> Optional - multiple Subgroup Codes, each with their own <AttributeValue> tag:
- city >> Optional
- state >> Optional
- postal_code >> Optional
- timezone >> Optional
The uid is a unique identifier for each user, supplied by your login system.
The email, first_name and last_name fields are required and synchronized on every login.
The city, state, postal_code and timezone fields are optional and can be used to keep these values in sync between platforms.
The SSO URL is the URL to which your login system will need to send a POST request. It consists of your Customer SSO Code and the Base64 encoded SAMLResponse parameter. There are three parts to the SSO Consumer URL:
- Your Customer SSO Code (provided by GS support)
https://sso.groupsite.com/saml/consume/acmeco?SAMLResponse=<A8Y3U......>
There are two parameters, one required and one optional, to send in the POST request to your Consumer URL:
- Required - SAMLResponse (Base64 encoded) passed as a POST parameter
- Optional - RelayState - a url you would like us to redirect the user to after successful login
As mentioned above, you can send us a full url to redirect your user to after a successful login by including a RelayState parameter alongside the SAMLResponse in your POST request. The RelayState should contain the full link including "https://", host and an optional path:
RelayState=https://specific.groupsite.com/blog
If the RelayState is not present then we will send the user to a summary page where they can choose which Groupsite they would like to go to.
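The following Python is an added example, not Groupsite's own code: it builds the SAML AttributeStatement from the attribute list above, refusing to proceed when a required attribute is missing, and prepares the SAMLResponse and RelayState POST fields. The function names are hypothetical, the attribute names are assumed to be used verbatim as each Attribute's Name, and signing plus the surrounding Response/Assertion envelope are assumed to come from your SAML library.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("saml", SAML_NS)
REQUIRED = ("uid", "email", "first_name", "last_name", "groups")
OPTIONAL = ("subgroups", "city", "state", "postal_code", "timezone")
MULTI_VALUED = ("groups", "subgroups")  # one <AttributeValue> per code


def attribute_statement(user):
    """Build the <AttributeStatement> from a dict keyed by the attribute names above."""
    missing = [name for name in REQUIRED if not user.get(name)]
    if missing:
        raise ValueError(f"missing required attributes: {missing}")
    unknown = sorted(set(user) - set(REQUIRED + OPTIONAL))
    if unknown:
        raise ValueError(f"unexpected attributes: {unknown}")
    stmt = ET.Element(f"{{{SAML_NS}}}AttributeStatement")
    for name in REQUIRED + OPTIONAL:
        if name not in user:
            continue
        value = user[name]
        # A bare string for groups/subgroups is treated as a single code.
        multi = name in MULTI_VALUED and not isinstance(value, str)
        attr = ET.SubElement(stmt, f"{{{SAML_NS}}}Attribute", Name=name)
        for item in (list(value) if multi else [value]):
            ET.SubElement(attr, f"{{{SAML_NS}}}AttributeValue").text = str(item)
    return stmt


def post_fields(signed_response_xml, relay_state=None):
    """Form fields for the POST: Base64 SAMLResponse plus an optional RelayState."""
    fields = {"SAMLResponse": base64.b64encode(signed_response_xml).decode("ascii")}
    if relay_state is not None:
        parts = urlsplit(relay_state)
        # The page asks for a full link: "https://", host and an optional path.
        if parts.scheme != "https" or not parts.hostname:
            raise ValueError("RelayState must be a full https:// URL")
        fields["RelayState"] = relay_state
    return fields


if __name__ == "__main__":
    # Constructed sample user; the group codes are made up.
    user = {"uid": "1001", "email": "pat@example.com", "first_name": "Pat",
            "last_name": "Lee", "groups": ["sales", "support"], "timezone": "UTC"}
    print(ET.tostring(attribute_statement(user), encoding="unicode"))
```

Pass the signed Response bytes from your SAML library to post_fields and submit the returned fields as the form body of the POST to your consumer URL.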