Back
5 min read
Sep 1, 2024

Configuring SAML Single-Sign-On

Enterprise organizations can use SAML to connect with their identity provider, such as Okta or Microsoft Entra ID.

Prerequisites

Before you begin, ensure you have the following information:

  • Metadata URL: The URL provided by your Identity Provider (IdP) that contains the SAML metadata.
  • SamlIdpSigningCertificate: The signing certificate used by the IdP to sign SAML assertions.
  • EntityID: The unique identifier for your service in the SAML configuration.

Step 1: Access the SAML Configuration

  1. Log in to the service management portal where you will configure SAML.
  2. Navigate to the Security or Authentication settings section. // TODO: Update based on the service.
  3. Select SAML Configuration or SAML 2.0.

Step 2: Add Metadata URL

  1. In the SAML configuration page, locate the Metadata URL field.
  2. Enter the Metadata URL provided by your Identity Provider.
  • Example: https://idp.example.com/metadata.xml
  1. Click Save or Update to store the Metadata URL.

Step 3: Configure SamlIdpSigningCertificate

  1. Locate the SamlIdpSigningCertificate field or section.
  2. Depending on the service, you may either:
  • Upload the signing certificate file (typically in .crt or .pem format).
  • Copy and paste the certificate content directly.
  1. Ensure the certificate is correctly formatted:
  • The certificate should begin with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----.
  1. Click Save or Update to apply the certificate.

Step 4: Set the EntityID

  1. Find the EntityID field within the SAML configuration settings.
  2. Enter the EntityID value that uniquely identifies your service.
  • Example: https://service.example.com/saml
  1. Click Save or Update to confirm the EntityID.

Step 5: Verify Configuration

  1. After saving all changes, test the SAML configuration by initiating a login attempt through the Identity Provider.
  2. Verify that the SAML response is successfully processed by your service.
  3. Check the logs for any errors and resolve them as needed.

Configuring Supported Identity Providers

Microsoft Entra ID

Formerly Azure AD

  • Create a new SAML application in Azure AD.
  • Your application ID URI will be used to derive EntityID, example if application id is 3f218b53-d33c-4dbe-ada7-51a0db5ba71e then EntityID should be spn:3f218b53-d33c-4dbe-ada7-51a0db5ba71e.
  • Add the Pivot URL in the “Application > Manage > Single Sign On” as EntityID, add Reply URL(https://auth.pivot.app/login/callback/saml), SignOn URL(https://pivot.app/login).
  • Attributes and Claims: Add the required attributes and claims(user.givenname, user.surname, email, user.userprincipalname).
  • Download the certificate (base64) and paste its text content in Signing Certificate.

Google Workspace

Okta

Was this guide helpful?

Prev

Space Sharing
Next

Enterprise Security Settings