Configuring SAML Single-Sign-On

Enterprise organizations can use SAML to connect with their identity provider, such as Okta or Microsoft Entra ID.

SAML SSO and SCIM User Management

SAML SSO allows organizations to integrate Pivot with their identity provider (IdP), enabling users to log in with their company credentials. This simplifies authentication, improves security, and ensures centralized access management.

Admins can configure SAML in the Domains and Security settings by entering IdP details and verifying the connection. Once SSO is enabled, all users must log in through SSO unless otherwise specified.

Metadata URL: The URL provided by your IdP that contains the SAML metadata.
SamlIdpSigningCertificate: The signing certificate used by the IdP to sign SAML assertions.
EntityID: The unique identifier for your service in the SAML configuration.

Access the SAML configuration

Log in to the service management portal where you will configure SAML.
Navigate to the Security or Authentication settings section.
Select SAML Configuration or SAML 2.0.

Add Metadata URL

Locate the Metadata URL field in the SAML configuration page.
Enter the Metadata URL provided by your IdP.
Example: https://idp.example.com/metadata.xml
Click Save or Update to store the URL.

Configure SamlIdpSigningCertificate

Locate the SamlIdpSigningCertificate field or section.
Depending on your IdP, you can:
- Upload the certificate file (typically in .crt or .pem format), or
- Paste the certificate content directly into the field.
Ensure the certificate begins with -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE-----.
Click Save or Update to apply the changes.

Set the EntityID

Find the EntityID field.
Enter the value that uniquely identifies your service.
Example: https://service.example.com/saml
Click Save or Update.

Verify configuration

Test the configuration by logging in through your Identity Provider.
Ensure the SAML response is successfully processed.
Review the logs for any errors and resolve them as needed.

Configuring Supported Identity Providers

Create a new SAML application in Azure AD.
Use the application ID URI to derive the EntityID.
Example: If the application ID is 3f218b53-d33c-4dbe-ada7-51a0db5ba71e, then the EntityID should be spn:3f218b53-d33c-4dbe-ada7-51a0db5ba71e.
Go to Application > Manage > Single Sign On and configure:
- EntityID: Your derived EntityID
- Reply URL: https://auth.pivot.app/login/callback/saml
- SignOn URL: https://pivot.app/login
Attributes and claims to include:
- user.givenname
- user.surname
- email
- user.userprincipalname
Download the certificate in base64 format and paste its text into the Signing Certificate field in Pivot.

Pivot Mobile and Desktop App

The Infinite Canvas Block

Audio and Video Messages

Making the Most of Your Personal Space

Integrating with Pivot using Zapier