SAML SSO is only available on a SafeBase paid plan (Growth or Enterprise)
To set up SAML SSO: Please message our live chat or email support@safebase.io. We need to configure a few things on our end first. We will provide you with an identifier connection_id that you will use for your connection setup.
Note: Do not toggle on the "Enforce SAML" setting in the Settings page until Step 3 has been complete and you have verified that your SAML connection is working.
Step 2: Set Up Attribute Mapping
OneLogin Specific Instructions
Google SAML Specific Instructions
Azure AD Specific Instructions
Step 3: Send us your SAML Metadata
Step 1: Create a SAML App
You will need the following information:
SSO URL:
https://auth.safebase.io/login/callback?connection=connection_id
Note: replace connection_id with the value that we will provide to you.
Ex. SafeBase's SSO URL looks like
https://auth.safebase.io/login/callback?connection=safebase-saml
Audience URI (SP Entity ID):
urn:auth0:safebase:connection_id
For the example above, the Audience URI would be
urn:auth0:safebase:safebase-saml
If your IdP supports direct metadata import, use this URL:
https://auth.safebase.io/samlp/metadata?connection=connection_id
For the example above, the direct metadata import URL would be
https://auth.safebase.io/samlp/metadata?connection=safebase-saml
Step 2: Set Up Attribute Mapping
Let us know what your Identity Provider is. We'll need to figure out attribute mapping. If you're using an IdP like Okta, it can be straightforward because we know the mapping already. Let us know if you'd like IdP-initiated SSO to be enabled.
Please map the following attributes:
First name →
firstNameLast name →
lastNameEmail →
emailIdentifier/Login →
id
Okta Specific Instructions
In Okta, your configuration should look like this (with the {connection_id} replaced with the value we provided):
OneLogin Specific Instructions
ACS (Consumer) URL: The SSO URL specified above under "Step 1: Create a SAML App"
Relay State:
https://app.safebase.io/api/auth/login?returnTo=%2FdashboardAudience: The Audience URI specific above under "Step 1: Create a SAML App"
Recipient: The SSO URL specified above under "Step 1: Create a SAML App"
ACS (Consumer) URL Validator:
^https:\\/\\/app\\.safebase\\.ioLogin URL:
https://app.safebase.io
Be sure to add custom attributes:
OneLogin field → Field that SafeBase is expecting
Email →
emailFirst Name →
firstNameLast Name →
lastNameUsername →
id
Google SAML Specific Instructions
ACS URL: The SSO URL specified above under "Step 1: Create a SAML App"
Entity ID: The Audience URI specific above under "Step 1: Create a SAML App"
Start URL: Leave this blank.
Attribute Mapping (Should all be in Basic Information):
Note: From our experience Google SAML can be buggy at times. You may encounter errors such as “403: Not a SaaS application” or “Could not save SafeBase as an app.” We’ve found that waiting a few hours usually auto resolves these issues without any action on your end.
Azure AD Specific Instructions
Identifier (Entity ID): Audience URI specified above
Reply URL: The SSO URL specified above
Sign on URL: Leave blank
Relay State: Leave blank
Logout URL: Leave blank
User attributes and claims:
firstName -> user.givenname
lastName -> user.surname
email -> user.mail
id -> user.userprincipalname
Step 3: Send us your SAML Metadata
Please message our live chat or email support@safebase.io and send us a copy of your SAML metadata so we can complete the SAML setup on our end.
Note: If you use Azure AD, the certificate may not be in the metadata, so please continue below.
You can find it by clicking on "View Setup Instructions" if you are using Okta.
If you are unable to export the metadata from your idP, please provide the following:
idP SSO URL
X.509 Certificate