3LC Single Sign-On
Enterprise customers can request that 3LC be configured with Single Sign-On (SSO) so that users log into 3LC using their organization’s identity provider (IdP) instead of signing up with an email address or a consumer identity provider. Once SSO is configured, users whose email address belongs to one of the configured domains will be redirected to your IdP to authenticate.
How 3LC SSO Works
3LC uses SAML 2.0 to federate identities from your IdP into 3LC. Your IdP acts as the identity provider, and 3LC (via Amazon Cognito) acts as the service provider. When a user signs in, your IdP authenticates them and issues a signed SAML assertion that 3LC consumes to establish the session.
To set up SSO, an administrator in your IdP creates a SAML application that points at 3LC’s service provider endpoints, configures the user claims (also called attributes) that 3LC needs, and shares the resulting IdP metadata URL with the 3LC Account Team.
What to Configure in Your IdP
Regardless of which IdP you use, the SAML application you create needs the following values.
Service provider details
These identify 3LC’s side of the SAML handshake and are the same for every customer:
Identifier (Entity ID):
urn:amazon:cognito:sp:us-east-1_mSo26SdrW
This points to the Amazon Cognito user pool in 3LC’s AWS infrastructure that 3LC uses to broker SSO identities.
Reply URL (Assertion Consumer Service URL):
https://auth.3lc.ai/saml2/idpresponse
Required claims
3LC requires that the SAML assertion issued by your IdP include the following:
- A NameID identifying the user. The user’s email address is recommended.
- A claim (attribute) named http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress whose value is the user’s email address.
- A claim (attribute) named http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name whose value is the user’s full name.
The exact claim names above are required: 3LC matches on these names, not on shorter aliases that some IdPs may suggest by default. How you map IdP user properties to these claim names depends on the IdP.
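The following is an added example, not 3LC's own tooling: a small check that an administrator can run against a test assertion exported from their IdP to confirm that the audience, the reply URL and the exact claim names above are present before sending the metadata URL to 3LC. The assertion below is constructed for illustration (the issuer https://idp.example.com/metadata and the user are made up), and signature validation is deliberately out of scope.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Service provider values from this page (identical for every customer).
SP_ENTITY_ID = "urn:amazon:cognito:sp:us-east-1_mSo26SdrW"
ACS_URL = "https://auth.3lc.ai/saml2/idpresponse"
# 3LC matches on these full claim names, not on shorter aliases.
REQUIRED_CLAIMS = (
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
)

# Constructed sample assertion (issuer and user are placeholders).
GOOD_ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}" ID="_example" Version="2.0">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@yourcompany.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="{ACS_URL}"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions><saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="{REQUIRED_CLAIMS[0]}"><saml:AttributeValue>alice@yourcompany.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{REQUIRED_CLAIMS[1]}"><saml:AttributeValue>Alice Example</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_assertion(xml_text):
    """Return a list of problems; an empty list means the assertion carries
    everything this page says 3LC needs (signature checks not included)."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.find("saml:Subject/saml:NameID", NS) is None:
        problems.append("missing NameID")
    recipients = [d.get("Recipient") for d in root.findall(
        "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)]
    if ACS_URL not in recipients:
        problems.append("SubjectConfirmationData Recipient is not the 3LC reply URL")
    audiences = [a.text for a in root.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        problems.append("Audience is not the 3LC entity ID")
    # Map each attribute name to its non-empty values.
    claims = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
              for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)}
    for claim in REQUIRED_CLAIMS:
        if not any(claims.get(claim, [])):
            problems.append(f"missing or empty claim {claim}")
    return problems
```

Renaming the email attribute to a short alias such as `email` makes the check report the missing claim, which is the mismatch the paragraph above warns about.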
Providing the Configuration to 3LC
Once the SAML application is configured in your IdP, locate its federation metadata URL (the URL that returns the IdP’s SAML metadata XML, including the signing certificate and SSO endpoints) and email it to the 3LC Account Team, along with the email domain(s) you want associated with this SSO configuration (for example yourcompany.com). 3LC will complete the configuration on its side and confirm when SSO is active for your domain.
Per-IdP Instructions
The following pages walk through the SSO setup for specific identity providers:
If your organization uses a different IdP, the same service provider details and required claims above still apply. Contact the 3LC Account Team if you would like assistance.