SAML/Enterprise SSO

PropelAuth’s SAML SSO support allows your users to connect their organizations to their own identity provider (e.g. Okta, Azure AD, JumpCloud, etc).

As an example, lets say you have a customer “Acme Co”. Acme uses Okta as their identity provider, meaning that all employees at the company have an account with Okta. New employees are onboarded to Okta and exiting employees are removed.

A SAML connection between your product and Acme allows employees at Acme to sign in to your product with their existing work accounts.

SAML Login

No need to write any extra code

PropelAuth’s libraries have a concept of an organization. Users are added to these organizations via invitations or joining by their domain.

One of the best things about our SAML integration is that your code doesn’t need to change at all when you close your first enterprise customer. SAML is an implementation detail of how an organization manages their users within your product. Any code you write that deals with organizations will work, regardless of the method that organization uses to manage its members.

Enabling SAML

To enable SAML for your PropelAuth project, go to the Signup / Login page in your PropelAuth dashboard. Once you've enabled SAML on the project-level, you can choose which of your organization should have access by going to the Organizations page and select an organization, then checking the "Can this organization set up SAML?" checkbox.

Alternatively, you can enable SAML for an organization programmatically via the Enable SAML for Org API call.

SAML Org Page

You can also choose how you want to identify which org a user belongs to. When a user signs in and clicks on the Sign in with SSO button, you can either ask for their domain (which will automatically match the domain of their email address with an org domain), or for the name of their org.

You can also choose if you want to set SAML as the default login method. If enabled, PropelAuth will automatically check if an email address belongs to a SAML enabled org. If it does not, it'll fall back to password login.

SAML Settings

User Guide to SAML Setup

Once you have enabled SAML for an organization, your users can start setting up SAML with their identity provider. In the Roles and Permissions page in your PropelAuth dashboard, you can choose which roles (Owner, Admin, etc) are able to manage SAML connections.

Any user with the manage a SAML / Enterprise SSO connection for their organization permission can then start the process of connecting to their identity provider. This starts in your user's account page in their organization's settings tab.

Account Page

Alternatively, you can navigate to an organization's settings page and click on the Generate Link button. This button will generate a link to allow an employee of an organization to set up SAML. This link does not require authentication to access and is intended to be used by an employee of the org, such as a member of their IT team.

Generate Link Button

Your users then have the choice to set up SAML with the following identity providers:

  • Google
  • Okta
  • Azure
  • OneLogin
  • JumpCloud
  • Duo
  • Rippling
  • Other

PropelAuth provides your users with detailed walkthroughs for each identity provider, ensuring they have a smooth and pain-free experience!

Sample Okta Guide

After completing the connection setup, test mode automatically activates. Once your users have reviewed their configuration and mappings, they can click Finish & go live to activate the SAML connection.

SAML Finishing Setup

Mapping User Roles From the IdP

By default, users who sign up via a SAML connection will be set to your default role. However, when your users are setting up their SAML connection, they have the option to map user roles from their IdP to your project.

SAML Finishing Setup

Each IdP is a bit different so we offer guides for each provider that we support. Most of the time though, the mapping will occur either from using roles or groups. For example, if a user is an Owner for your app in Okta, they'll be mapped to the Owner role in your app.

Additionally, if a user is a member of the role_Owner group in Okta, they'll then be mapped to the Owner role in your app.

Generic SAML (Other)

Don't see your customer's SAML provider on our supported list? Your users also have the option to connect to a generic SAML provider. We guide your customers through three steps:

  1. We provide a ACS URL and SP Entity ID that can be entered into the identity provider during setup.

  2. We guide your users into mapping user attributes from the identity provider to your app.

  3. We require the user to provide the IDP SSO URL, Entity ID, and Certificate from the identity provider. Note that the names of these variables may differ across providers.

Signing in with SAML

When your users have finished the SAML setup process, PropelAuth automatically provides a login link that your users can use to log in directly to your application.

Alternatively, users can access your login page and click on Sign in with SSO to begin the SAML login flow, redirecting them to their identity provider.