SAML SSO is only available on a SafeBase paid plan (Growth or Enterprise).

To set up SAML SSO, please message our live chat or email support@safebase.io. We need to configure a few things on our end first. We will provide you with an identifier, connection_id, that you will use for your connection setup.

Note: Do not toggle on the "Enforce SAML" setting in the Settings page until Step 3 has been completed and you have verified that your SAML connection is working.

Step 1: Create a SAML App

You will need the following information:

SSO URL:

https://auth.safebase.io/login/callback?connection=connection_id

Note: replace connection_id with the value that we will provide to you.

  • Ex. SafeBase's SSO URL looks like https://auth.safebase.io/login/callback?connection=safebase-saml

Audience URI (SP Entity ID):

urn:auth0:safebase:connection_id

  • For the example above, the Audience URI would be urn:auth0:safebase:safebase-saml

If your IdP supports direct metadata import, use this URL:

https://auth.safebase.io/samlp/metadata?connection=connection_id

  • For the example above, the direct metadata import URL would be https://auth.safebase.io/samlp/metadata?connection=safebase-saml

Step 2: Set Up Attribute Mapping

Let us know what your Identity Provider is. We'll need to figure out attribute mapping. If you're using an IdP like Okta, it can be straightforward because we know the mapping already. Let us know if you'd like IdP-initiated SSO to be enabled.

Please map the following attributes:

  • First name → firstName

  • Last name → lastName

  • Email → email

  • Identifier/Login → id

Okta Specific Instructions

In Okta, your configuration should look like this (with the {connection_id} replaced with the value we provided):

OneLogin Specific Instructions

  • ACS (Consumer) URL: The SSO URL specified above under "Step 1: Create a SAML App"

  • Relay State: https://app.safebase.io/api/auth/login?returnTo=%2Fdashboard

  • Audience: The Audience URI specified above under "Step 1: Create a SAML App"

  • Recipient: The SSO URL specified above under "Step 1: Create a SAML App"

  • ACS (Consumer) URL Validator: ^https:\\/\\/app\\.safebase\\.io

  • Login URL: https://app.safebase.io

Be sure to add custom attributes:

OneLogin field → Field that SafeBase is expecting

  • Email → email

  • First Name → firstName

  • Last Name → lastName

  • Username → id

Google SAML Specific Instructions

  • ACS URL: The SSO URL specified above under "Step 1: Create a SAML App"

  • Entity ID: The Audience URI specified above under "Step 1: Create a SAML App"

  • Start URL: Leave this blank.

Attribute Mapping (Should all be in Basic Information):

Note: From our experience, Google SAML can be buggy at times. You may encounter errors such as “403: Not a SaaS application” or “Could not save SafeBase as an app.” We’ve found that waiting a few hours usually resolves these issues automatically, without any action on your end.

Azure AD Specific Instructions

Identifier (Entity ID): Audience URI specified above

Reply URL: The SSO URL specified above

Sign on URL: Leave blank

Relay State: Leave blank

Logout URL: Leave blank

User attributes and claims:

firstName -> user.givenname

lastName -> user.surname

email -> user.mail

id -> user.userprincipalname

Step 3: Send us your SAML Metadata

Please message our live chat or email support@safebase.io and send us a copy of your SAML metadata so we can complete the SAML setup on our end.

Note: If you use Azure AD, the certificate may not be in the metadata, so please continue below.

You can find it by clicking on "View Setup Instructions" if you are using Okta.

If you are unable to export the metadata from your IdP, please provide the following:

  • IdP SSO URL

  • X.509 Certificate
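
A local pre-check for the metadata file before it is sent in Step 3, added here as an example (not SafeBase code): it parses a SAML IdP metadata document, reports whether an HTTPS SSO URL and a signing certificate are present, and computes the certificate's SHA-256 fingerprint so both sides can confirm they hold the same certificate. The sample metadata, the idp.example.com URLs and the function name check_idp_metadata are constructed for illustration, and a single EntityDescriptor root element is assumed.

```python
import base64, hashlib, re
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"

def check_idp_metadata(xml_text):
    """Extract the two items Step 3 asks for and list whichever is missing."""
    if "<!DOCTYPE" in xml_text.upper():
        # SAML metadata never needs a DTD; refuse it rather than expand entities.
        raise ValueError("DOCTYPE is not allowed in SAML metadata")
    root = ET.fromstring(xml_text)
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    found = {"entity_id": root.get("entityID"), "sso_urls": [], "cert_sha256": []}
    if idp is not None:
        for sso in idp.findall(f"{{{MD}}}SingleSignOnService"):
            if sso.get("Location", "").startswith("https://"):  # TLS endpoints only
                found["sso_urls"].append(sso.get("Location"))
        for key in idp.findall(f"{{{MD}}}KeyDescriptor"):
            if key.get("use") == "encryption":  # only signing keys verify assertions
                continue
            for cert in key.iter(f"{{{DS}}}X509Certificate"):
                der = base64.b64decode("".join((cert.text or "").split()))
                # The fingerprint lets both sides compare the certificate out of band.
                found["cert_sha256"].append(hashlib.sha256(der).hexdigest())
    found["missing"] = [label for label, field in
                        (("IdP SSO URL", "sso_urls"), ("X.509 Certificate", "cert_sha256"))
                        if not found[field]]
    return found

# Constructed sample metadata; the certificate body is placeholder bytes, not a real cert.
FAKE_DER = b"constructed placeholder, not a real certificate"
SAMPLE_WITH_CERT = f"""<EntityDescriptor xmlns="{MD}" entityID="https://idp.example.com/metadata">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="{DS}"><X509Data>
      <X509Certificate>{base64.b64encode(FAKE_DER).decode()}</X509Certificate>
    </X509Data></KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                         Location="https://idp.example.com/sso/saml"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""
# Same metadata with the KeyDescriptor stripped: the "certificate not in the metadata" case.
SAMPLE_NO_CERT = re.sub(r"<KeyDescriptor.*?</KeyDescriptor>", "", SAMPLE_WITH_CERT, flags=re.S)

if __name__ == "__main__":
    for name, doc in (("with cert", SAMPLE_WITH_CERT), ("no cert", SAMPLE_NO_CERT)):
        report = check_idp_metadata(doc)
        print(name, "->", report["sso_urls"], report["cert_sha256"], "missing:", report["missing"])
```

If "X.509 Certificate" appears under missing, export the certificate separately and send it along with the IdP SSO URL, as the list above describes.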
