SAML SSO for an Organization
Last updated
Was this helpful?
Last updated
Was this helpful?
📘 Enterprise Feature This feature requires an ENTERPRISE license. If you would like to enable this feature for your Airkit Organization, please contact your Airkit representative or contact .
This document covers setting up SAML SSO for your Airkit Organization so that SAML authentication provides access to and . This means that only SAML users have the ability to log in to an Airkit organizations and you manage and control access to who has access to your Airkit organization.
For more information on setting up SAML SSO inside of your Airkit Applications, see .
SAML allows identity providers (IdPs) to store user identity data and authenticate identified users to other systems using public-key cryptography.
An Identity Provider (IdP) can be a cloud-based identity service like Okta or OneLogin, or it can be an internal enterprise resource like Azure AD. Meanwhile, a service provider (SP) is the system a user wants to access. As long as the IdP can authenticate the user, the SP will let them in.
When a builder logs into Airkit using SAML, the IdP will send a SAML assertion to their browser that is then sent to the Airkit platform, the SP. The SAML assertion is an XML file with three statement types: authentication, attribution and authorization.
📘 Airkit currently supports SP-initiated flow only. This means that builders will have to access the Airkit platform through , which then re-directs to the corresponding IdP for authentication.
In order to configure SAML access to Airkit applications, the SAML Assertion Metadata must be generated from the Identity Provider (IdP) of choice. It will be used to share configuration credentials between the IdP and the Service Provider (SP). The IdP metadata usually contains the IdP certificate, the entity ID, the redirect URL, and the logout URL.
Airkit requires the Metadata File to be formatted as an XML file with the following fields:
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" and/or <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>; email is ideal but user_lookup_attribute can be used if the user’s email is on a different field
md:EntityDescriptor tag with entityID attribute
md:IDPSSODescriptor tag
X509Certificate with cert inside
This will open the Inspector. Upload the SAML Metadata file in the space provided under Properties, and then click Create to generate a new SAML configuration out of the uploaded SAML Metadata File:
After uploading a Metadata File, you can view and configure properties associated with your SAML Authentication process.
User Lookup Attribute (editable): Specifies the attribute that defines the Builder’s email in cases when the IDP does not provide an email in the NameID attribute.
ACS (static): The ACS (Assertion Consumer Service) URL that defines the endpoint where the IdP will redirect users after they are authenticated. This is defined in the SAML Metadata File and cannot be edited in the Inspector.
Entity Id (static): The globally unique name for the SAML entity, i.e., your Identity Provider (IdP) or Service Provider (SP). This is defined in the SAML Metadata File and cannot be edited in the Inspector.
Toggle over to Settings > Organization. From the Authentication dropdown list, select the XML file that was uploaded in the previous step. Doing so will display the following credentials which should be used to finish the SAML integration on the IdP end.
The EntityID and ACS URL, in particular, must be used to whitelist Airkit in the IdP configuration. This process may vary depending on which IdP is being used.
After setting up the credentials on both ends, users may access Airkit's Studio using the given SAML Login URL.
If you need assistance with setting this up, feel free to file a support ticket with Airkit Support.
This SAML Metadata file needs to be uploaded into the in order to to define the IdP that will be receiving the SAML request. This is done under Console > Settings > Organization. In the Authentication section, click the Create new Button:
Canvas only URL ACS (editable): This field is used when configuring SAML for App authentication. For more on configuring SAML authentication for applications, see .
