# Enable SAML for SSO
SAML (Security Assertion Markup Language) is an open standard that facilitates single sign-on (SSO) by allowing Swimlane Turbine (the service provider) to rely on an external identity provider (IdP) to authenticate users. With SAML there are two possible ways to initiate login:

- **Service provider initiated:** the login process starts with Swimlane Turbine.
- **Identity provider initiated:** the login process starts with the external identity provider (for example, Okta, JumpCloud, or Azure Entra).

## Benefits of SAML authentication

SAML authentication provides numerous advantages for organizations: it improves security, streamlines user access, and simplifies administration. The key benefits are:

- **Centralized user management:** user authentication is managed through a single, external IdP, reducing administrative overhead.
- **Enhanced security:** leverages the security features of the IdP, such as multi-factor authentication (MFA) and conditional access policies.
- **Seamless login experience:** users can log in to Swimlane Turbine using existing credentials, improving usability.
- **Scalability:** easily accommodates user management for large organizations or multi-tenant environments.

## Turbine service provider SAML metadata

The table below provides the key metadata you will need when configuring Swimlane Turbine as a service provider with an external identity provider.

| Metadata | Description | Usage |
|---|---|---|
| Service Provider (SP) Entity ID | The unique identifier for the service provider (Swimlane Turbine). This value must be entered in the identity provider's configuration so that it recognizes Turbine as a valid service provider. | `https://{swimlane-hostname-here}/tenant/api/saml/consume` |
| Identity Provider (IdP) Entity ID | The globally unique identifier for the IdP that Turbine will use to verify the identity provider during authentication. It is essential to use the exact ID provided by the IdP, as it serves as the official "name" of the IdP in SAML transactions. | Example: `https://<identity-provider-domain>.tld` |
| Single Sign-On (SSO) URL | The entry point for authentication requests from Swimlane Turbine to the IdP. This is where Turbine sends authentication requests to initiate the SSO process. Ensure that the URL is accurate and corresponds to the IdP's SAML configuration for your organization. | `https://identity-provider-domain.tld/saml2/turbinecloud` |
| Single Logout Service (SLS) URL | URL used for handling single logout requests, if supported. In Turbine this is not applicable at the moment. | Single logout is not currently supported by Turbine. |
| AuthN Requests Signed | Option to sign authentication requests. This ensures the integrity and authenticity of requests sent from Turbine to the identity provider. | Configurable in Turbine SAML settings. |
| Signing Certificate | The certificate used for signing SAML requests, which can be configured in Turbine for additional security. | Configurable in Turbine SAML settings. |
| Assertions Encrypted | Whether the SAML assertions are encrypted. Turbine currently does not support this feature. | Encrypted assertions are not currently supported by Turbine. |

**Important!** A successful login with SAML requires a user, matching the NameID (username or email address), that already exists in Turbine. Turbine does not support Just-In-Time (JIT) provisioning. SAML is available to users added by directory services sync as well as to those added manually.

## Steps to enable SAML for SSO

To enable SAML authentication in Swimlane Turbine, follow these steps:

1. Navigate to **Settings > Account > Sessions & Security > Authentication**.
2. Click **>** to expand the Authentication section.
3. Under the **SAML Authentication** section, toggle the **Enable** switch to activate SAML authentication.
4. Click **SAML Settings** to open the SAML Authentication configuration dialog.
5. In the SAML Authentication dialog box, the Identity Provider (IdP) Entity ID is automatically populated.
6. Enter a unique alias for this configuration. The alias can include letters, numbers, and special characters, and must be between 1 and 200 characters long.
7. Ensure that the email address provided in the SAML response matches the email address of the user account in Turbine. Username matching is case-insensitive, but email addresses are case-sensitive.

   **Important!** Turbine requires that the NameID field in the SAML response matches a user in Turbine by either username or email address. Ensure the email address in Turbine and the one in the SAML response match exactly.

8. Fill in the following required fields:

   - **Identity Provider Entity ID** – the unique ID of the IdP.
     *Description:* the globally unique identifier for the IdP that Turbine will use to verify the identity provider during authentication. It is essential to use the exact ID provided by the IdP, as it serves as the official "name" of the IdP in SAML transactions.
     *Example:* `https://<identity-provider-domain>.tld`
   - **Alias** – the alias for this configuration.
     *Description:* the alias is a human-readable label that links this SAML configuration to a specific IdP and helps direct users to the correct SSO login URL. The alias must be unique within your Turbine instance, and it redirects users to the appropriate SSO URL. It can include any combination of letters, numbers, and special characters.
     *Usage:* the alias is useful in SSO scenarios where multiple IdPs are configured, helping users differentiate between login providers.
   - **SSO URL** – the single sign-on URL provided by the IdP.
     *Description:* the entry point for authentication requests from Swimlane Turbine to the IdP. This is where Turbine sends authentication requests to initiate the SSO process. Ensure that the URL is accurate and corresponds to the IdP's SAML configuration for your organization.
     *Example:* `https://identity-provider-domain.tld/saml2/turbinecloud`
   - **Verify Identity Provider Signature?** – specify whether to verify the identity provider signature. It is strongly recommended to verify the IdP signature by toggling the **Verify Identity Provider Signature?** option and uploading the IdP's public certificate (in PEM format).
     *Note:* ensure that the certificate is accurate and matches the configuration in your IdP. Incorrect or expired certificates cause SAML authentication failures. The supported certificate extension types are `.pem` and `.cert`.
   - **Service Provider Entity ID** – the SP Entity ID from Turbine's metadata.
     *Description:* the unique identifier for Swimlane Turbine as a service provider. It must be provided to the IdP so that the IdP can trust and authenticate requests from Turbine. This ID is critical in establishing a secure SAML connection and must be configured identically on both the IdP and Turbine sides.
     *Example:* `https://{swimlane-hostname-here}/tenant/api/saml/consume`
   - **Sign AuthnRequest?** – select whether the SAML authentication request should be signed by Turbine by toggling the **Sign AuthnRequest?** option. If enabled, upload the private key and public certificate in PKCS #12 format.
     *Note:* you can convert a PEM-formatted public certificate and private key into PKCS #12 with the following command:

     ```shell
     openssl pkcs12 -export -out cert.pfx -in pem-public-certificate.crt -inkey pem-private-key.key
     ```

     Do not enter a password for the PKCS #12 certificate; Turbine does not support password-protected certificates.
   - **Preserve Whitespace in SAML Response?** – if your SSO provider includes insignificant whitespace in the SAML response signature, enable the **Preserve Whitespace in SAML Response?** toggle.
   - **Force SSO** – to enforce the use of SSO for logging in, toggle the **Force SSO** option. To exempt specific users from this rule (for example, administrators), toggle the **Exempt Force SSO** option under the individual user's settings in the **Groups and Roles** tab.

(Figure: SAML Authentication page)
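The NameID matching rule described in the callouts above (existing user only, username case-insensitive, email case-sensitive, no JIT provisioning) is the most common reason a SAML login to Turbine fails after the IdP side succeeds. The following pre-flight check is an added example, not Swimlane code: it pulls the NameID out of a SAML Response and applies that rule against a constructed user table, reporting why a given NameID would or would not log in.

```python
# Added example (not Swimlane's code). Applies the documented NameID rule:
# the NameID must match an EXISTING Turbine user by username (case-insensitive)
# or by email (case-sensitive). Turbine does not JIT-provision unknown users.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed stand-in for the Turbine user directory.
TURBINE_USERS = [
    {"username": "jdoe", "email": "Jane.Doe@example.com"},
    {"username": "analyst1", "email": "analyst1@example.com"},
]

def extract_name_id(saml_response_xml):
    """Return the text of the first saml:NameID in the response, or None."""
    root = ET.fromstring(saml_response_xml)
    node = root.find(".//saml:Subject/saml:NameID", NS)
    return node.text.strip() if node is not None and node.text else None

def match_turbine_user(name_id, users=TURBINE_USERS):
    """Return (matched username or None, human-readable reason)."""
    if not name_id:
        return None, "no NameID in SAML response"
    for u in users:                       # usernames compare case-insensitively
        if u["username"].lower() == name_id.lower():
            return u["username"], "matched username (case-insensitive)"
    for u in users:                       # emails must match exactly
        if u["email"] == name_id:
            return u["username"], "matched email (case-sensitive)"
    for u in users:                       # explain the usual failure mode
        if u["email"].lower() == name_id.lower():
            return None, f"email differs only by case from {u['email']!r}; no match"
    return None, "no such user; Turbine does not JIT-provision"

# Constructed sample response: IdP sends the email in lowercase.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://identity-provider-domain.tld</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.com</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    nid = extract_name_id(SAMPLE_RESPONSE)
    print(nid, "->", match_turbine_user(nid))
```

Run against the constructed response, the check reports that `jane.doe@example.com` does not match the stored `Jane.Doe@example.com`, which is exactly the case-sensitivity caveat in step 7.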