Objective of this document
This document explains the multi-account SSO configuration provided by Second Nature. It highlights the technical steps and setup required on the customer's end to allow a frictionless implementation of user management across multiple accounts.
Process Overview
The customer currently has a parent Second Nature account connected via Single Sign-On (SSO). All users with the @acme.com email domain are routed to this primary account.
To support different business units or programs, Second Nature allows the use of child accounts, all of which use the same SSO configuration.
The goal of this setup is to enable a Second Nature customer to maintain a single SAML-based SSO connection while automatically directing users to the correct sub-account based on internal routing logic or attribute mapping within their Identity Provider (IdP).
This document outlines the technical steps for configuring attribute-based routing and integrating child accounts with SSO.
Understanding the Structure
Parent Account: The main Second Nature instance where SSO is already configured for all company users (e.g., ACME).
Child Accounts: Additional instances under the same organization (e.g., ACME_L&D, ACME_HR, etc.).
Routing Logic: The IdP (e.g., Okta, Azure AD, or Workday) sends a specific attribute (such as department, group, or cost center) in the SAML response. This determines which Second Nature account the user should access.
Attribute-Based Routing Concept
Second Nature identifies which child account a user should access based on a SAML attribute value passed during login.
Example attribute options (customizable by ACME):
Attribute Name | Example Values | Route To
sn_account     | L&D            | ACME_L&D Child Account
sn_account     | Sales          | ACME_Sales Child Account
sn_account     | CS             | ACME_CS Child Account
Required Configuration Steps (ACME IT)
Step 1: Identify or Create an Attribute in the IdP
Choose an existing user field (e.g., Cost Center, Business Unit, or Department) that differentiates users by their intended Second Nature account. Because this value decides which account a user lands in, it should come from an authoritative source (for example, HR data) rather than a field users can edit themselves.
Alternatively, create a new custom attribute (e.g., sn_account) to store this value.
Ensure the attribute is included in the SAML assertion for users authenticating to Second Nature.
Step 2: Configure Attribute Mapping
In the IdP’s SAML configuration for Second Nature, ensure the following attributes are mapped:
Required attributes:
email
first_name
family_name
Additional attribute for routing:
sn_account (or your chosen attribute name) → Value that matches the child account identifier.
Example SAML Assertion Snippet:
<saml:AttributeStatement>
  <saml:Attribute Name="email">
    <saml:AttributeValue>[email protected]</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="first_name">
    <saml:AttributeValue>Jane</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="family_name">
    <saml:AttributeValue>Doe</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="sn_account">
    <!-- The ampersand in "L&D" must be escaped as &amp; to keep the XML well-formed -->
    <saml:AttributeValue>L&amp;D</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
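The routing concept above (attribute value to child account) and the attribute mapping in Step 2 can be exercised end to end with the following example. It is added here and is not Second Nature's own code: it reads the required attributes and the sn_account value out of an AttributeStatement, checks that the required attributes are present, and resolves the target account from the document's table. The account identifiers, the fallback to the parent account for missing or unknown values, the handling of ambiguous multi-valued attributes, and the sample assertion are assumptions; confirm the real behaviour with Second Nature before integration.

```python
"""Resolve the target Second Nature account from a SAML AttributeStatement.

Added example, not Second Nature's code. Attribute names (email, first_name,
family_name, sn_account) follow the document; account identifiers, the
fallback policy and the sample data are assumptions.
"""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Routing value -> child account, as in the document's table (identifiers assumed).
ROUTING_TABLE = {"L&D": "ACME_L&D", "Sales": "ACME_Sales", "CS": "ACME_CS"}
PARENT_ACCOUNT = "ACME"            # assumed fallback when nothing matches
ROUTING_ATTRIBUTE = "sn_account"
REQUIRED_ATTRIBUTES = ("email", "first_name", "family_name")

# Constructed sample statement. "L&D" is written as L&amp;D: a bare ampersand
# is not well-formed XML and the parser rejects it (see is_well_formed).
SAMPLE_STATEMENT = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="email"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="first_name"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="family_name"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="sn_account"><saml:AttributeValue>L&amp;D</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement>"""


def is_well_formed(statement_xml):
    """True if the fragment parses; False for e.g. an unescaped '&' in a value."""
    try:
        ET.fromstring(statement_xml)
        return True
    except ET.ParseError:
        return False


def parse_attributes(statement_xml):
    """Return {attribute name: [values]} from an AttributeStatement.

    Assumes the enclosing SAML response's signature has already been verified
    by the SP library; this only reads the (already trusted) attribute values.
    """
    root = ET.fromstring(statement_xml)
    attrs = {}
    for attr in root.findall("saml:Attribute", SAML_NS):
        name = attr.get("Name")
        if name is None:
            continue
        attrs[name] = [(v.text or "").strip()
                       for v in attr.findall("saml:AttributeValue", SAML_NS)]
    return attrs


def missing_required(attrs):
    """Names of required attributes that are absent or have only empty values."""
    return [n for n in REQUIRED_ATTRIBUTES if not any(attrs.get(n, []))]


def route_account(attrs, routing_attribute=ROUTING_ATTRIBUTE):
    """Pick the target account and a human-readable reason.

    Missing, unknown or ambiguous routing values fall back to the parent
    account instead of blocking login (assumed policy).
    """
    values = [v for v in attrs.get(routing_attribute, []) if v]
    if not values:
        return PARENT_ACCOUNT, "no routing value; parent account"
    if len(values) > 1:
        return PARENT_ACCOUNT, "ambiguous routing values %r; parent account" % values
    target = ROUTING_TABLE.get(values[0])
    if target is None:
        return PARENT_ACCOUNT, "unknown routing value %r; parent account" % values[0]
    return target, "routed by %s=%r" % (routing_attribute, values[0])


def resolve_login(statement_xml):
    """Validate required attributes, then return who logs in where and why."""
    attrs = parse_attributes(statement_xml)
    missing = missing_required(attrs)
    if missing:
        raise ValueError("assertion lacks required attributes: %s" % missing)
    account, reason = route_account(attrs)
    return {"email": attrs["email"][0], "account": account, "reason": reason}


if __name__ == "__main__":
    print(resolve_login(SAMPLE_STATEMENT))
```

Run it as a script to see the sample user routed to ACME_L&D. The two points worth noting for the IdP team are that a missing required attribute is treated as a hard error (the login cannot be provisioned), whereas an unrecognised routing value is downgraded to the parent account and logged in the reason string, so a typo in the IdP mapping shows up as users landing in the wrong account rather than as failed logins.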
Additional Technical Notes
Just-in-Time (JIT) Provisioning: Supported. New user accounts are created upon first login.
SCIM provisioning is supported as well, as long as the SCIM record contains the agreed-upon attribute.
SP and IdP Initiated Flows: Both are supported for all accounts.
Attribute Flexibility: Second Nature will map whatever attribute ACME prefers for routing. Please confirm the attribute name and values before integration.
Security: All configurations use standard SAML 2.0 protocols and signed assertions.
Information to Provide to Second Nature
Field                        | Description
Account Name                 | e.g., ACME_L&D
IdP Metadata File (XML)      | Exported from the IdP
Attribute Name for Routing   | e.g., sn_account
Expected Attribute Values    | e.g., L&D, Sales, CS
Test User Email              | To confirm routing and authentication
Support
If any step requires further clarification, please contact your Second Nature CSM. We can join a technical call to walk the team through the configuration and validation process.