Setting up your SAML SSO
Follow these steps to set up your SAML SSO
Written by Natalie Novick

SAML SSO is available on SafeBase's paid Growth or Enterprise plans

Note: New users will be assigned the Default Role you specified in the Settings page.

SCIM support is scheduled for Q3 '23 for streamlined provisioning and access control


To set up SAML SSO

  • Message our live chat or email our support team requesting to "Setup a SAML connection". Please include in the message which Identity Provider (IdP) you currently use.

  • We will configure a few things on our end, and provide you with an identifier connection_id that you will use for your connection setup.

Note: Don't enable the "Enforce SAML" setting in the Settings page until Step 3 has been completed and you have verified that your SAML connection is working.


Step 1: Create a SAML App with the following information

Note: replace connection_id with the value that we will provide to you.

  • SSO URL

    https://auth.safebase.io/login/callback?connection=connection_id

    • Ex. SafeBase's SSO URL

      https://auth.safebase.io/login/callback?connection=safebase-saml

  • Audience URI (SP Entity ID)
    urn:auth0:safebase:connection_id

    • In the example above, the Audience URI would be

      urn:auth0:safebase:safebase-saml

  • For direct metadata import (if available), use this URL

    https://auth.safebase.io/samlp/metadata?connection=connection_id

    • In the example above, the direct metadata import URL would be https://auth.safebase.io/samlp/metadata?connection=safebase-saml

Step 2: Set Up Attribute Mapping

Let us know who your Identity Provider is.

Note: Attribute mapping may vary slightly from the examples below depending on your IdP. Let us know if you'd like IdP-initiated SSO to be enabled.

Map the following attributes:

  • First name → firstName

  • Last name → lastName

  • Email → email

  • Identifier/Login → id

Okta Specific Instructions

  • Single sign on URL

    https://auth.safebase.io/login/callback?connection=connection_id

  • Audience URI

    urn:auth0:safebase:connection_id

  • Default RelayState

    Leave this blank

  • Name ID Format

    Unspecified

  • Application username

    Okta username

  • See below for an example

OneLogin Specific Instructions

  • ACS (Consumer) URL
    https://auth.safebase.io/login/callback?connection=connection_id

  • Relay State
    https://app.safebase.io/api/auth/login?returnTo=%2Fdashboard

  • Audience
    urn:auth0:safebase:connection_id

  • Recipient
    https://auth.safebase.io/login/callback?connection=connection_id

  • ACS (Consumer) URL Validator
    ^https:\\/\\/app\\.safebase\\.io

  • Login URL
    https://app.safebase.io

  • Add custom attributes

    OneLogin field → Field that SafeBase is expecting

    • Email → email

    • First Name → firstName

    • Last Name → lastName

    • Username → id

Google SAML Specific Instructions

  • ACS URL

    https://auth.safebase.io/login/callback?connection=connection_id

  • Entity ID

    urn:auth0:safebase:connection_id

  • Start URL

    Leave this blank

  • Attribute Mapping (Should all be in Basic Information):

    Note: From our experience Google SAML can be buggy at times. You may encounter errors such as “403: Not a SaaS application” or “Could not save SafeBase as an app.” We’ve found that waiting a few hours usually auto resolves these issues without any action on your end.

Azure AD Specific Instructions

  • Identifier (Entity ID)

    urn:auth0:safebase:connection_id

  • Reply URL

    https://auth.safebase.io/login/callback?connection=connection_id

  • Sign on URL

    Leave this blank

  • Relay State

    Leave this blank

  • Logout URL

    Leave this blank

  • User attributes and claims:

    Field that SafeBase is expecting → Azure AD field

    • firstName → user.givenname

    • lastName → user.surname

    • email → user.mail

    • id → user.userprincipalname
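
Before turning on "Enforce SAML", a test login's SAMLResponse can be checked against the Step 1 values and the Step 2 attribute names. The script below is an added example, not SafeBase code; it assumes you have copied the base64 SAMLResponse from your browser's developer tools, that your IdP sends the attributes under exactly the names listed in Step 2, and the function names and sample assertion are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED_ATTRS = ("email", "firstName", "id", "lastName")  # names from Step 2


def check_saml_response(b64_response, connection_id):
    """List config problems in a base64 SAMLResponse (signature NOT verified)."""
    acs = f"https://auth.safebase.io/login/callback?connection={connection_id}"
    audience = f"urn:auth0:safebase:{connection_id}"
    xml_bytes = base64.b64decode(b64_response)
    if b"<!DOCTYPE" in xml_bytes:  # no DTDs, so no entity expansion
        return ["response contains a DOCTYPE; refusing to parse"]
    root = ET.fromstring(xml_bytes)
    problems = []
    audiences = [a.text.strip() for a in root.iterfind(".//saml:Audience", NS) if a.text]
    if audience not in audiences:
        problems.append(f"Audience is {audiences}, expected {audience}")
    recipients = [d.get("Recipient")
                  for d in root.iterfind(".//saml:SubjectConfirmationData", NS)]
    if acs not in recipients:
        problems.append(f"Recipient is {recipients}, expected {acs}")
    sent = {a.get("Name"): a.findtext("saml:AttributeValue", "", NS).strip()
            for a in root.iterfind(".//saml:Attribute", NS)}
    for name in REQUIRED_ATTRS:
        if not sent.get(name):
            problems.append(f"attribute '{name}' missing or empty")
    return problems


def sample_response(audience, attrs):
    """Build a constructed, unsigned assertion for the demo (not a real capture)."""
    attr_xml = "".join(
        f'<saml:Attribute Name="{k}"><saml:AttributeValue>{v}</saml:AttributeValue>'
        "</saml:Attribute>" for k, v in attrs.items())
    xml = (f'<saml:Assertion xmlns:saml="{NS["saml"]}"><saml:Subject>'
           "<saml:SubjectConfirmation><saml:SubjectConfirmationData Recipient="
           '"https://auth.safebase.io/login/callback?connection=safebase-saml"/>'
           "</saml:SubjectConfirmation></saml:Subject><saml:Conditions>"
           f"<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>"
           "</saml:AudienceRestriction></saml:Conditions><saml:AttributeStatement>"
           f"{attr_xml}</saml:AttributeStatement></saml:Assertion>")
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    bad = sample_response("urn:auth0:safebase:connection_id",  # placeholder left in
                          {"email": "a@example.com", "firstName": "A", "lastName": "B"})
    print(check_saml_response(bad, "safebase-saml"))
```

The demo input leaves the literal connection_id placeholder in the Audience and omits the id attribute, so both are reported.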

Step 3: Send us your SAML Metadata

Please message our live chat or email our support team and send us a copy of your SAML metadata (usually a metadata.xml file) and we will complete the setup on our end.

Note: If you are unable to export the metadata from your IdP, please provide the following:

  • IdP SSO URL

  • X.509 Certificate

  • If you are using Okta, you can find it by clicking on "View Setup Instructions"

Step 4: Inviting Users

  • Once SAML is configured, you will no longer be able to invite your teammates directly from within SafeBase.

  • Instead, simply add them to the appropriate group that grants them access in your identity provider.

  • SafeBase will automatically create the account for that user once they log in for the first time via their Okta tile, etc.
