SAML SSO is available on SafeBase's paid Growth or Enterprise plans
Note: New users will be assigned the Default Role you specified in the Settings page.
SCIM support is scheduled for Q3 '23 for streamlined provisioning and access control
To set up SAML SSO
Message our live chat or email our support team requesting to "Setup a SAML connection". Please include in the message which Identity Service Provider (IdP) you currently use.
We will configure a few things on our end and provide you with an identifier, connection_id, that you will use for your connection setup.
Note: Don't enable the "Enforce SAML" setting in the Settings page until Step 3 has been completed and you have verified that your SAML connection is working.
Step 1: Create a SAML App with the following information
Note: replace connection_id with the value that we will provide to you.
SSO URL: https://auth.safebase.io/login/callback?connection=connection_id
Ex. SafeBase's SSO URL: https://auth.safebase.io/login/callback?connection=safebase-saml
Audience URI (SP Entity ID): urn:auth0:safebase:connection_id
In the example above, the Audience URI would be: urn:auth0:safebase:safebase-saml
For direct metadata import (if available), use this URL: https://auth.safebase.io/samlp/metadata?connection=connection_id
In the example above, the direct metadata import URL would be: https://auth.safebase.io/samlp/metadata?connection=safebase-saml
Step 2: Set Up Attribute Mapping
Let us know who your Identity Provider is.
Note: Attribute mapping may differ slightly from the examples below depending on your IdP. Let us know if you'd like IdP-initiated SSO to be enabled.
Map the following attributes:
First name → firstName
Last name → lastName
Email → email
Identifier/Login → id
Okta Specific Instructions
Single sign on URL: https://auth.safebase.io/login/callback?connection=connection_id
Audience URI: urn:auth0:safebase:connection_id
Default RelayState: Leave this blank
Name ID Format: Unspecified
Application username: Okta username
See below for an example
OneLogin Specific Instructions
ACS (Consumer) URL: https://auth.safebase.io/login/callback?connection=connection_id
Relay State: https://app.safebase.io/api/auth/login?returnTo=%2Fdashboard
Audience: urn:auth0:safebase:connection_id
Recipient: https://auth.safebase.io/login/callback?connection=connection_id
ACS (Consumer) URL Validator: ^https:\\/\\/app\\.safebase\\.io
Login URL: https://app.safebase.io
Add custom attributes
OneLogin field → Field that SafeBase is expecting
Email → email
First Name → firstName
Last Name → lastName
Username → id
Google SAML Specific Instructions
ACS URL: https://auth.safebase.io/login/callback?connection=connection_id
Entity ID: urn:auth0:safebase:connection_id
Start URL: Leave this blank
Attribute Mapping (Should all be in Basic Information):
Note: From our experience Google SAML can be buggy at times. You may encounter errors such as “403: Not a SaaS application” or “Could not save SafeBase as an app.” We’ve found that waiting a few hours usually auto resolves these issues without any action on your end.
Azure AD Specific Instructions
Identifier (Entity ID): urn:auth0:safebase:connection_id
Reply URL: https://auth.safebase.io/login/callback?connection=connection_id
Sign on URL: Leave this blank
Relay State: Leave this blank
Logout URL: Leave this blank
User attributes and claims:
Field that SafeBase is expecting -> Azure AD field
firstName -> user.givenname
lastName -> user.surname
email -> user.mail
id -> user.userprincipalname
Step 3: Send us your SAML Metadata
Please message our live chat or email our support team and send us a copy of your SAML metadata (usually a metadata.xml file) and we will complete the setup on our end.
Note: If you are unable to export the metadata from your IdP, please provide the following:
IdP SSO URL
X.509 Certificate
If you are using Okta, you can find it by clicking on "View Setup Instructions"
Step 4: Inviting Users
Once SAML is configured, you will no longer be able to invite your teammates directly from within SafeBase.
Instead, simply add them to the appropriate group that grants them access in your identity provider.
SafeBase will automatically create the account for that user once they log in for the first time via their Okta tile, etc.
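One way to check a captured, base64-decoded SAML response against the Step 1 and Step 2 values before turning on "Enforce SAML". This is an added example, not SafeBase's own code; check_assertion, the sample assertion and the connection_id "acme-saml" are made up for illustration, and the script checks configuration only, not the XML signature.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED_ATTRS = ("firstName", "lastName", "email", "id")  # names from Step 2

def check_assertion(xml_text, connection_id):
    """Return a list of mismatches between a decoded assertion and Steps 1-2."""
    acs = f"https://auth.safebase.io/login/callback?connection={connection_id}"
    audience = f"urn:auth0:safebase:{connection_id}"
    root = ET.fromstring(xml_text)  # config check only: no signature validation
    problems = []
    audiences = [a.text.strip() for a in root.iterfind(".//saml:Audience", NS) if a.text]
    if audience not in audiences:
        problems.append(f"Audience {audiences} does not include {audience}")
    recipients = [d.get("Recipient")
                  for d in root.iterfind(".//saml:SubjectConfirmationData", NS)]
    if acs not in recipients:
        problems.append(f"Recipient {recipients} does not include {acs}")
    values = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        val = attr.find("saml:AttributeValue", NS)
        values[attr.get("Name")] = (val.text or "").strip() if val is not None else ""
    for name in REQUIRED_ATTRS:  # attribute names are compared case-sensitively
        if not values.get(name):
            problems.append(f"attribute missing or empty: {name}")
    return problems

# Constructed, trimmed sample for the made-up connection_id "acme-saml".
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:SubjectConfirmation>
    <saml:SubjectConfirmationData Recipient="https://auth.safebase.io/login/callback?connection=acme-saml"/>
  </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>urn:auth0:safebase:acme-saml</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="email"><saml:AttributeValue>ada@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="id"><saml:AttributeValue>ada@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
# The same sample as a misconfigured IdP app would send it (constructed).
BAD_SAMPLE = (SAMPLE.replace("urn:auth0:safebase:acme-saml", "https://app.safebase.io")
              .replace('Name="firstName"', 'Name="FirstName"'))

if __name__ == "__main__":
    print(check_assertion(SAMPLE, "acme-saml"))
    print(check_assertion(BAD_SAMPLE, "acme-saml"))
```

An empty list means the audience, recipient and attribute names line up with the values on this page; each string in a non-empty list names one setting to fix in the IdP app.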