
Integration - SAML SSO

Follow these steps to set up your SAML SSO

Written by Matt Szczurek
Updated yesterday

Overview

SAML/SSO allows JIT (Just-in-Time) provisioning of organization members in your Trust Center.

For Enterprise customers, once SAML/SSO is configured, our SCIM provisioning/directory sync feature will also become available.

Once the SAML/SSO integration is active, any user assigned the SafeBase app in your IdP will have access to the backend of your Trust Center. You and your IT team should only assign the SafeBase SAML app to those individuals at your company who need to administer and configure the Trust Center.

To configure SAML/SSO for your Trust Center, please review the following and submit a ticket when ready.

While SAML/SSO manages provisioning for internal organization members, access to Trust Center content for external visitors remains unaffected and leverages the access request and magic-link flows. See this help article for more information on the difference between managing Organization Members and Account Members.


Setup Instructions

Already have a Connection ID? Skip to the next step: configuring your IdP.

How to see if I have a Connection ID

If you have one, it is shown in the Security section of the Trust Center Settings.

1. Contact Support to receive your Connection ID (Optional)

  1. Send a message to our SafeBase live chat or submit a ticket and select the option to Setup a New SAML/SSO Configuration

    1. "Configure my Trust Center" -> "SAML/SSO"

  2. Follow the prompts to provide your Identity Provider (IdP)

    1. Note: Do not provide a Setup XML or Metadata URL if you have not received your Connection ID yet.

  3. Use the Connection ID provided by our support team member in the next step to configure your IdP.

Once the SafeBase team member sends the Connection ID, it will be available in the Security section of the Trust Center Settings for future reference.


Don't enable the Enforce SAML setting until the setup has been completed and successfully tested!


2. Configure your Identity Provider (IdP)

The next step will differ depending on your Identity Provider.


Okta Instructions

Before You Start:

  • Replace the {CONNECTION-ID} in each example with the value SafeBase provided in the last step.

    • e.g. - urn:auth0:safebase:company-saml

  • Please enter these values manually. We have identified a copy/paste bug in our help articles that will insert invisible Unicode characters.

  • Before accessing the Trust Center, ensure that users are properly assigned the app in Okta.

SSO URL:

https://auth.safebase.io/login/callback?connection={CONNECTION-ID}

Audience URI:

urn:auth0:safebase:{CONNECTION-ID}

Default RelayState:
Leave this blank

Name ID Format:
Unspecified

Application username:
Okta username

Attribute Statements:

| Name | Name format | Value |
| --- | --- | --- |
| firstName | Unspecified | user.firstName |
| lastName | Unspecified | user.lastName |
| email | Unspecified | user.email |
| id | Unspecified | user.login |
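
The SSO/ACS URL and the audience value are the same two templates in every IdP section of this article, and each section warns that pasted text can carry invisible Unicode characters. The check below is an added example, not SafeBase code; its function names are hypothetical, and `company-saml` is the sample Connection ID from the article's own example.

```python
import unicodedata

# Templates copied from this article; {CONNECTION-ID} is the article's placeholder.
ACS_TEMPLATE = "https://auth.safebase.io/login/callback?connection={CONNECTION-ID}"
AUDIENCE_TEMPLATE = "urn:auth0:safebase:{CONNECTION-ID}"

def expected_values(connection_id):
    """Fill the article's two templates with a Connection ID."""
    return {
        "acs_url": ACS_TEMPLATE.replace("{CONNECTION-ID}", connection_id),
        "audience": AUDIENCE_TEMPLATE.replace("{CONNECTION-ID}", connection_id),
    }

def hidden_characters(value):
    """Return (index, 'U+XXXX', name) for each character outside printable ASCII.

    Both values are plain URLs/URNs, so spaces, control characters and
    zero-width or other non-ASCII characters are all unexpected.
    """
    found = []
    for i, ch in enumerate(value):
        if not (0x21 <= ord(ch) <= 0x7E):
            found.append((i, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNNAMED")))
    return found

def check_entry(field, entered, connection_id):
    """Compare a value entered in the IdP with the expected one; return problems."""
    want = expected_values(connection_id)[field]
    problems = [f"{cp} {name} at index {i}" for i, cp, name in hidden_characters(entered)]
    if "{" in entered or "}" in entered:
        problems.append("placeholder braces still present")
    cleaned = "".join(ch for ch in entered if 0x21 <= ord(ch) <= 0x7E)
    if not problems and entered != want:
        problems.append(f"differs from expected {want!r}")
    elif problems and cleaned == want:
        problems.append("matches expected value once hidden characters are removed")
    return problems
```
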



OneLogin Instructions

Before You Start:

  • Replace the {CONNECTION-ID} in each example with the value we provided.

    • e.g. - urn:auth0:safebase:company-saml

  • Please enter these values manually. We have identified a copy/paste bug in our help articles that will insert invisible Unicode characters.

  • Before accessing the Trust Center, ensure that users are properly assigned the app in OneLogin.

ACS (Consumer) URL:

https://auth.safebase.io/login/callback?connection={CONNECTION-ID}

Relay State:

https://app.safebase.io/api/auth/login?returnTo=%2Fdashboard

Audience:

urn:auth0:safebase:{CONNECTION-ID}

Recipient:

https://auth.safebase.io/login/callback?connection={CONNECTION-ID}

ACS (Consumer) URL Validator:

^https:\\/\\/app\\.safebase\\.io

Login URL:

https://app.safebase.io

Custom attributes:

| Attribute | Maps to |
| --- | --- |
| First name | firstName |
| Last name | lastName |
| Email | email |
| Username | id |


Google SAML/SSO Instructions

Before You Start:

  • Replace the {CONNECTION-ID} in each example with the value we provided.

    • e.g. - urn:auth0:safebase:company-saml

  • Please enter these values manually. We have identified a copy/paste bug in our help articles that will insert invisible Unicode characters.

  • Before accessing the Trust Center, ensure that users are properly assigned the app in Google Workspace.

ACS URL

https://auth.safebase.io/login/callback?connection={CONNECTION-ID}

Entity ID

urn:auth0:safebase:{CONNECTION-ID}

Start URL

Leave this blank

Attribute Mapping (Basic Information):

| Google Directory Attributes | App attributes |
| --- | --- |
| First name | firstName |
| Last name | lastName |
| Primary email | user_id |
| Primary email | email |


If you receive an Error: app_not_enabled_for_user, please enable user access.

It is set to OFF by default.


From our experience, Google SAML can take a bit to propagate.

  • You may encounter errors such as “403: Not a SaaS application” or “Could not save SafeBase as an app.”

  • We’ve found that waiting an hour or more usually auto-resolves these issues without any action on your end.


Microsoft Entra ID (Azure AD) Instructions

Before You Start:

  • Replace the {CONNECTION-ID} in each example with the value we provided.

    • e.g. - urn:auth0:safebase:company-saml

  • Please enter these values manually. We have identified a copy/paste bug in our help articles that will insert invisible Unicode characters.

  • Before accessing the Trust Center, ensure that users are properly assigned the app in Entra/Azure AD.

Identifier (Entity ID)

urn:auth0:safebase:{CONNECTION-ID}

Reply URL

https://auth.safebase.io/login/callback?connection={CONNECTION-ID}

Sign on URL

Leave this blank

Relay State

Leave this blank

Logout URL

Leave this blank

User attributes and claims



Claim names are case-sensitive.

| Entra AD field | App field | Claim Type |
| --- | --- | --- |
| Unique User Identifier (Name ID)* | user.userprincipalname | Required |
| firstName | user.givenname | Additional |
| lastName | user.surname | Additional |
| email | user.mail | Additional |
| id | user.userprincipalname | Additional |

Be sure to remove any pre-populated XMLSoap URIs from the claim Namespace - see the screenshot above for an example.


JumpCloud SAML/SSO Instructions

Before You Start:

  • Replace the {CONNECTION-ID} in each example with the value we provided.

    • e.g. - urn:auth0:safebase:company-saml

  • Please enter these values manually. We have identified a copy/paste bug in our help articles that will insert invisible Unicode characters.


IDP Entity ID:

urn:auth0:safebase:{CONNECTION-ID}

SP Entity URL:

urn:auth0:safebase:{CONNECTION-ID}

ACS URL:

https://auth.safebase.io/login/callback?connection={CONNECTION-ID}

SAML Subject NameID Format:

urn:oasis:names:tc:SAML:1.0:nameid-format:unspecified

Attributes


| Service Provider Attribute Name | JumpCloud Attribute Name |
| --- | --- |
| firstName | firstname |
| lastName | lastname |
| email | email |
| id | email |


3. Send us your SAML Metadata URL

Once you have completed the above, respond to the ticket with a copy of your SAML app metadata URL or XML, and we can complete the setup on our side.

If you would like your requests to be signed, you can enable this option in your SAML provider and use the certificate attached at the bottom of this article.

In Okta, you can find your Metadata XML by clicking on "View Setup Instructions" or by following the steps outlined here.


In Entra/Azure, this would be your Federation Metadata XML


In JumpCloud, you can supply either the Metadata Export or the Metadata URL



Inviting Users

Once SAML is configured, you will no longer be able to invite your teammates directly from within SafeBase.

Teammates will be assigned your Default Role for New Members to start with. Please keep this as Admin until you are logged in with SAML, then feel free to change it to a more appropriate role.


With SAML enabled, internal organization members can access the Trust Center by being properly assigned the SafeBase app from within your IdP.

SafeBase will create the user's account once they log in for the first time via SSO.


Troubleshooting

When attempting to log in to the portal for the first time using SAML, if you see the first and last names blank, please verify the SAML attribute mapping.

  • If the issue persists, clear cache/site data from your browser or try in an incognito/private session.

  • If things still aren't working correctly, reach out to our team. We are more than happy to hop on a call with your team to troubleshoot live.
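
One way to verify the attribute mapping mentioned above, as an added example (not SafeBase code): it reads a decoded assertion and reports required attribute names that are missing, miscased, or still prefixed with a namespace URI. The function name and the sample assertion are constructed for illustration; the required names and audience format come from this article's tables.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED = ("firstName", "lastName", "email", "id")  # names from this article's tables

# Constructed, unsigned assertion fragment (not captured traffic): one claim still
# carries a namespace URI prefix and one is miscased.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>urn:auth0:safebase:company-saml</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/firstName">
      <saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastname"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="email"><saml:AttributeValue>ada@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="id"><saml:AttributeValue>ada@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def audit_assertion(xml_text, connection_id):
    """Return mapping problems in a decoded assertion (diagnostic only: no signature check)."""
    root = ET.fromstring(xml_text)
    problems = []
    want = f"urn:auth0:safebase:{connection_id}"
    audiences = [a.text for a in root.iterfind(".//saml:Audience", NS)]
    if want not in audiences:
        problems.append(f"audience {audiences} does not include {want}")
    sent = {a.get("Name"): [v.text for v in a.iterfind("saml:AttributeValue", NS)]
            for a in root.iterfind(".//saml:Attribute", NS)}
    for name in REQUIRED:
        if name in sent:  # exact, case-sensitive match
            if not any(sent[name]):
                problems.append(f"{name}: present but empty")
            continue
        # Near misses: same name with different case or behind a namespace URI.
        near = [n for n in sent if n.rsplit("/", 1)[-1].lower() == name.lower()]
        hint = f"; IdP sent {near[0]!r}" if near else ""
        problems.append(f"{name}: missing{hint}")
    return problems
```

The input is the assertion XML taken from the base64-decoded `SAMLResponse` form field that the browser posts to the callback URL during a test login.
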


SafeBase Certificate

If you would like your requests to be signed, you can enable this option in your SAML provider and use the certificate attached below.
