🔐 SAML Single Sign-On (SSO)

PreviousArcwise setup NextUser & Role Management

Last updated 2 days ago

🔐 SAML Single Sign-On (SSO)

Our application supports SAML-based Single Sign-On (SSO) to help organizations centrally manage user authentication through their Identity Provider (IdP), such as Okta, Azure AD, or Google Workspace.

By default, we use Google OAuth to authenticate users. However, once SAML is enabled, Google Sign-In will be disabled. All users in your organization will be required to log in using your configured SAML Identity Provider.

1. Enable SAML in Your Admin Console

In your admin settings:

Navigate to the Authentication section.
Enable the SAML Enabled toggle.
Fill the SAML Metadata of your Identity Provider.
Save the configuration.

📌 Your metadata XML typically starts with:
<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor entityID="http://www.okta.com/..."

2. Obtain our Service Provider (SP) Metadata

You will need the service metadata to configure our service within your Identity Provider. To obtain it, on the same page, click on the Service Provider Metadata button. You should see a modal with the following information

Entity ID
ACS (Assertion Consumer Service) URL
NameID Format

Use this information to configure a new SAML application in your IdP.

✅ Finalize and Test

Once configured:

Test logging in via your Identity Provider. To do so, click on Sign in with SSO button.
- Sign in with Google will not work anymore, unless you disable SAML.
- SSO must be used on the Web version and on the Admin too.
Ensure user accounts match by email address (as per NameID format).

If you encounter any issues, feel free to reach out to our support team for assistance.

👥 Optional: SCIM for User Provisioning

We also support SCIM (System for Cross-domain Identity Management) to allow automated provisioning and deprovisioning of users from your Identity Provider.

With SCIM, you can:

Automatically create users in our platform when they're assigned access in your IdP.
Automatically deactivate users when they're unassigned or removed in your IdP.
Sync user attributes like name, email, and groups.

To enable SCIM:

For now we only support Bearer Token authentication that must be configured on the Admin.
The base be obtained by cliking on the SCIM Endpoint button.
Configure your Identity Provider (Okta, Azure AD, etc.) with the provided SCIM endpoint and token.
Set up attribute mappings as needed.

📌 SCIM is optional but highly recommended for teams managing users at scale.

PreviousArcwise setup NextUser & Role Management

Last updated 2 days ago

1. Enable SAML in Your Admin Console

In your admin settings:

Navigate to the Authentication section.
Enable the SAML Enabled toggle.
Fill the SAML Metadata of your Identity Provider.
Save the configuration.

📌 Your metadata XML typically starts with:
<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor entityID="http://www.okta.com/..."

2. Obtain our Service Provider (SP) Metadata

Entity ID
ACS (Assertion Consumer Service) URL
NameID Format

Use this information to configure a new SAML application in your IdP.

✅ Finalize and Test

Once configured:

Test logging in via your Identity Provider. To do so, click on Sign in with SSO button.
- Sign in with Google will not work anymore, unless you disable SAML.
- SSO must be used on the Web version and on the Admin too.
Ensure user accounts match by email address (as per NameID format).

If you encounter any issues, feel free to reach out to our support team for assistance.

👥 Optional: SCIM for User Provisioning

We also support SCIM (System for Cross-domain Identity Management) to allow automated provisioning and deprovisioning of users from your Identity Provider.

With SCIM, you can:

Automatically create users in our platform when they're assigned access in your IdP.
Automatically deactivate users when they're unassigned or removed in your IdP.
Sync user attributes like name, email, and groups.

To enable SCIM:

For now we only support Bearer Token authentication that must be configured on the Admin.
The base be obtained by cliking on the SCIM Endpoint button.
Configure your Identity Provider (Okta, Azure AD, etc.) with the provided SCIM endpoint and token.
Set up attribute mappings as needed.

📌 SCIM is optional but highly recommended for teams managing users at scale.

⚠️ Important Note About Login Options

1. Enable SAML in Your Admin Console

2. Obtain our Service Provider (SP) Metadata

✅ Finalize and Test

👥 Optional: SCIM for User Provisioning

⚠️ Important Note About Login Options

1. Enable SAML in Your Admin Console

2. Obtain our Service Provider (SP) Metadata

✅ Finalize and Test

👥 Optional: SCIM for User Provisioning