Overview
Our Single Sign-On (SSO) option is a secure and highly recommended way for organizational users to access the internal backend of the Trust Center.
Our platform supports SAML 2.0 with Just-In-Time (JIT) provisioning. Organization Member accounts will be automatically created upon their first successful login.
This means that once the SSO integration is active, any member assigned the Trust Center app in an organization's IdP (Okta, Entra, etc.) will have access to the Trust Center.
For Enterprise customers, once SAML/SSO is configured, our SCIM provisioning/directory sync feature will also become available.
To configure SSO for the Trust Center, review this article and submit a ticket.
While SSO manages provisioning for internal organization members, access to Trust Center content for external visitors remains unaffected and leverages the access request and magic-link flows. See this help article for more information on the difference between managing Organization Members and Account Members.
Setup
Connection ID
As a user with Admin privileges, navigate to the Trust Center > Settings > Security and view the automatically generated Connection ID.
This article explains in detail how to configure an Identity Provider (IdP) for use with the Trust Center. Please find the appropriate section below and configure accordingly.
Once this is complete, submit a ticket.
Submitting a Ticket
After IdP configuration is complete, the majority of this process is complete.
Click the Trust Center support chat and submit a ticket
Select the option for New SSO Configuration
Follow the prompts to provide your Identity Service Provider (IdP)
Send the support team the IdP metadata URL or metadata.xml file
The support team will guide users through the rest of the process.
Note: Don't enable the Enforce SAML option until the setup has been completed and successfully tested!
Configure Identity Provider (IdP)
Steps will differ depending on the Identity Provider.
Okta
Before Starting:
Replace the {CONNECTION-ID} in each example with the Trust Center provided value, e.g. urn:auth0:safebase:company-saml
Please enter these values manually. We have identified a copy/paste bug in our help articles that will insert invisible Unicode characters.
Before accessing the Trust Center, ensure that users are properly assigned the app in Okta.
SSO URL:
https://auth.safebase.io/login/callback?connection={CONNECTION-ID}
Audience URI:
urn:auth0:safebase:{CONNECTION-ID}
Default RelayState:
Leave this blank
Name ID Format:
Unspecified
Application username:
Okta username
Attribute Statements:
Name | Name format | Value |
firstName | Unspecified | |
lastName | Unspecified | |
| Unspecified | |
id | Unspecified | |
OneLogin
Before Starting:
Replace the {CONNECTION-ID} in each example with the Trust Center provided value, e.g. urn:auth0:safebase:company-saml
Please enter these values manually. We have identified a copy/paste bug in our help articles that will insert invisible Unicode characters.
Before accessing the Trust Center, ensure that users are properly assigned the app in OneLogin.
ACS (Consumer) URL:
https://auth.safebase.io/login/callback?connection={CONNECTION-ID}
Relay State:
https://app.safebase.io/api/auth/login?returnTo=%2Fdashboard
Audience:
urn:auth0:safebase:{CONNECTION-ID}
Recipient:
https://auth.safebase.io/login/callback?connection={CONNECTION-ID}
ACS (Consumer) URL Validator:
^https:\\/\\/app\\.safebase\\.io
Login URL:
https://app.safebase.io
Custom attributes:
Attribute | Maps to |
First name | |
Last name | |
| |
Username | |
Google SSO
Before Starting:
Replace the {CONNECTION-ID} in each example with the Trust Center provided value, e.g. urn:auth0:safebase:company-saml
Please enter these values manually. We have identified a copy/paste bug in our help articles that will insert invisible Unicode characters.
Before accessing the Trust Center, ensure that users are properly assigned the app in Google Workspace.
ACS URL
https://auth.safebase.io/login/callback?connection={CONNECTION-ID}
Entity ID
urn:auth0:safebase:{CONNECTION-ID}
Start URL
Leave this blank
Attribute Mapping (Basic Information):
Google Directory Attributes | App attributes |
First name | |
Last name | |
Primary email | |
Primary email | |
If receiving an Error: app_not_enabled_for_user, please ensure that enable user access is set to OFF by default.
Google SAML can take a bit to propagate.
Users may encounter errors such as “403: Not a SaaS application” or “Could not save SafeBase as an app.”
We’ve found that waiting an hour or more usually auto-resolves these issues without any additional action.
Microsoft Entra ID (Azure AD)
Before You Start:
Replace the {CONNECTION-ID} in each example with the Trust Center provided value, e.g. urn:auth0:safebase:company-saml
Please enter these values manually. We have identified a copy/paste bug in our help articles that will insert invisible Unicode characters.
Before accessing the Trust Center, ensure that users are properly assigned the app in Entra ID/Azure AD.
Identifier (Entity ID)
urn:auth0:safebase:{CONNECTION-ID}
Reply URL
https://auth.safebase.io/login/callback?connection={CONNECTION-ID}
Sign on URL
Leave this blank
Relay State
Leave this blank
Logout URL
Leave this blank
User attributes and claims
Claim names are case-sensitive.
Entra ID field | App field | Claim Type |
Unique User Identifier (Name ID)* | | Required |
firstName | | Additional |
lastName | | Additional |
| | Additional |
id | | Additional |
Be sure to remove any pre-populated XMLSoap URIs from the claim Namespace - see the screenshot above for an example.
JumpCloud
Before You Start:
Replace the {CONNECTION-ID} in each example with the Trust Center provided value, e.g. urn:auth0:safebase:company-saml
Please enter these values manually. We have identified a copy/paste bug in our help articles that will insert invisible Unicode characters.
IDP Entity ID:
urn:auth0:safebase:{CONNECTION-ID}
SP Entity ID:
urn:auth0:safebase:{CONNECTION-ID}
ACS URL:
https://auth.safebase.io/login/callback?connection={CONNECTION-ID}
SAML Subject NameID Format:
urn:oasis:names:tc:SAML:1.0:nameid-format:unspecified
Attributes
Service Provider Attribute Name | JumpCloud Attribute Name |
|
|
|
|
|
|
|
|
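Every IdP section above derives its callback URL and audience/entity ID from the Connection ID and asks for them to be typed by hand because pasted text can carry invisible Unicode characters. The script below is an added example, not SafeBase tooling: it builds both values and reports any hidden character in what was actually saved in the IdP. The function names are hypothetical, and the Connection ID company-saml is assumed from the page's example value.

```python
import unicodedata

ACS_TEMPLATE = "https://auth.safebase.io/login/callback?connection={cid}"
AUDIENCE_TEMPLATE = "urn:auth0:safebase:{cid}"


def hidden_characters(value):
    """List (index, code point, name) for every character outside printable ASCII.

    Space is included on purpose: none of these values may contain one.
    """
    found = []
    for index, ch in enumerate(value):
        if not 0x21 <= ord(ch) <= 0x7E:
            name = unicodedata.name(ch, unicodedata.category(ch))
            found.append((index, f"U+{ord(ch):04X}", name))
    return found


def expected_values(connection_id):
    """Build the ACS URL and audience/entity ID from a clean Connection ID."""
    bad = hidden_characters(connection_id)
    if not connection_id or bad:
        raise ValueError(f"Connection ID is empty or has hidden characters: {bad}")
    return {
        "acs_url": ACS_TEMPLATE.format(cid=connection_id),
        "audience": AUDIENCE_TEMPLATE.format(cid=connection_id),
    }


def check_entered(connection_id, acs_url, audience):
    """Compare the values saved in the IdP with the expected ones."""
    want = expected_values(connection_id)
    problems = []
    for field, entered in (("acs_url", acs_url), ("audience", audience)):
        for index, code, name in hidden_characters(entered):
            problems.append(f"{field}: {code} ({name}) at index {index}")
        if entered != want[field]:
            problems.append(f"{field}: does not match {want[field]}")
    return problems


if __name__ == "__main__":
    # Constructed sample: the page's example ID with a zero-width space pasted in.
    pasted = "urn:auth0:safebase:\u200bcompany-saml"
    good_acs = expected_values("company-saml")["acs_url"]
    for line in check_entered("company-saml", good_acs, pasted):
        print(line)
```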
Send support the Metadata URL or metadata.xml
Within the ticket, include a copy of your IdP app metadata URL or .xml file.
In Okta, find the IdP Metadata by clicking on "View Setup Instructions" or by following the steps outlined here.
In Entra/Azure, this would be the Federation Metadata XML.
For JumpCloud, supply either the Metadata Export or the Metadata URL.
Inviting Users
Once SAML is configured, admins will no longer be able to invite teammates directly from within SafeBase.
Teammates will be assigned a Default Role for New Members to start with.
Please keep this as Admin until logged in with SAML, then feel free to change it to a more appropriate role.
Troubleshooting
When attempting to log into the Trust Center for the first time using SSO, if the first and last names are blank, please verify the SAML attribute mapping.
Once first and last name attributes are applied to the user, log out of SafeBase and log back in.
If the issue persists, clear cache/site data from the browser or try in an incognito/private session.
If things still aren't working correctly, reach out to the Support Team.
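One way to verify the SAML attribute mapping mentioned above, as an added example that is not SafeBase's own tooling: the function reads a decoded assertion from your own IdP and reports a wrong Audience or Recipient, missing or mis-cased firstName, lastName and id attributes, and claim names that still carry an XMLSoap namespace. The sample assertion and the Connection ID company-saml are constructed, and the function name is hypothetical.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED_ATTRIBUTES = ("firstName", "lastName", "id")  # names listed on this page

# Constructed sample (not captured from a real tenant): a default namespaced
# claim name is still in place and one attribute name has the wrong case.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:SubjectConfirmation><saml:SubjectConfirmationData
      Recipient="https://auth.safebase.io/login/callback?connection=company-saml"/>
  </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>urn:auth0:safebase:company-saml</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
      <saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="LastName"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="id"><saml:AttributeValue>ada@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_assertion(xml_text, connection_id):
    """Return findings for a decoded assertion; an empty list means it matches."""
    # Mapping check only: parses XML from your own IdP and verifies no signature.
    root = ET.fromstring(xml_text)
    findings = []
    audience = root.findtext(".//saml:Audience", default="", namespaces=NS).strip()
    if audience != f"urn:auth0:safebase:{connection_id}":
        findings.append(f"audience mismatch: {audience!r}")
    data = root.find(".//saml:SubjectConfirmationData", NS)
    recipient = data.get("Recipient", "") if data is not None else ""
    if recipient != f"https://auth.safebase.io/login/callback?connection={connection_id}":
        findings.append(f"recipient mismatch: {recipient!r}")
    attrs = {}
    for a in root.iterfind(".//saml:Attribute", NS):
        attrs[a.get("Name", "")] = (a.findtext("saml:AttributeValue", default="", namespaces=NS) or "").strip()
    for name in REQUIRED_ATTRIBUTES:
        if not attrs.get(name):
            close = [n for n in attrs if n.lower() == name.lower() and n != name]
            hint = f" (found {close[0]!r}; names are case-sensitive)" if close else ""
            findings.append(f"missing or empty attribute {name!r}{hint}")
    for n in attrs:
        if n.startswith("http://schemas.xmlsoap.org/"):
            findings.append(f"namespaced claim name still present: {n!r}")
    return findings
```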
SafeBase Certificate
If it is a requirement for requests to be signed, users can enable this option in the IdP and use the certificate attached below.










