# Enable SAML for SSO
Swimlane Turbine supports SAML 2.0 single sign-on (SSO). Turbine acts as the service provider (SP) and delegates authentication to your external identity provider (IdP), such as Okta, Azure Entra, or JumpCloud. Login can start from Turbine (service provider–initiated) or from your IdP (identity provider–initiated).

## Choose your path

| Goal | Go to |
| --- | --- |
| Configure SAML in Turbine | [Configure SAML authentication](#configure-saml-authentication) |
| Values to enter in your IdP | [Service provider metadata for your IdP](#service-provider-metadata-for-your-idp) |
| Test the login flow | [Test SSO login](#test-sso-login) |
| Require SSO for all users | [Force SSO](#force-sso) |
| Provision users automatically | Provisioning with SCIM integration (SAML does not create users) |

## Prerequisites

- Account Admin access to Account Settings.
- A Turbine user account that already exists for each person who will use SSO. Turbine does not support just-in-time (JIT) user creation through SAML. Use Provisioning with SCIM integration, directory services, or manual user creation to add users first.
- Your IdP must send the user's email address as the SAML Name ID. The Name ID format in Turbine is email address. Turbine matches the Name ID to the user's email field only; username-based Name IDs are not supported.
- The email in the SAML response must match an existing Turbine user. Matching is case-insensitive.
- If your account uses a custom domain, use that hostname in the Service Provider Entity ID when you configure your IdP.

## Service provider metadata for your IdP

Provide these values to your IdP when you register Swimlane Turbine as a SAML application.

| Metadata | Description | Value |
| --- | --- | --- |
| Service Provider Entity ID | Unique identifier for Turbine as the SP | `https://{your-swimlane-hostname}/tenant/api/saml/consume` |
| Assertion Consumer Service (ACS) URL | URL where the IdP posts the SAML response | Same as the Service Provider Entity ID |
| Name ID format | Format Turbine expects in the SAML assertion | Email address |
| Single Sign-On URL | IdP endpoint Turbine calls to start login | Copy from your IdP |
| Identity Provider Entity ID | Unique identifier for your IdP | Copy from your IdP metadata |
| AuthnRequest signing | Whether Turbine signs authentication requests | Optional: **Sign AuthnRequest?** in the SAML Authentication dialog |
| IdP signature verification | Whether Turbine verifies the IdP signature | Recommended: **Verify Identity Provider Signature?** in the SAML Authentication dialog |
| Single Logout (SLO) | Federated logout URL | Not supported by Turbine |
| Encrypted assertions | Whether assertions are encrypted | Not supported by Turbine |

**Important:** Turbine does not create users during SAML login. The Name ID email must match an existing user in your account before SSO will succeed.

## Configure SAML authentication

1. Navigate to **Settings > Account > Account Settings**.
2. Open the **Sessions & Security** tab.
3. Expand the **Authentication** section.
4. Under **SAML Authentication**, turn **Enable** on.
5. Click **SAML Settings** to open the SAML Authentication dialog.
6. Complete the fields below, then click **Apply**.
7. Click **Save** on the Account Settings page to persist your changes.

### Identity provider settings

| Field | Description |
| --- | --- |
| Name ID Format | Read-only. Turbine expects email address; configure the same format in your IdP. |
| Identity Provider Entity ID | Globally unique IdP identifier from your IdP metadata. Required. |
| Alias | Short identifier used at login for alias-based SSO. Required, 1–200 characters, unique in your account. Cannot contain HTML-related characters: `<`, `>`, `"`, `'`, `&`, `(`, `)`, `{`, `}`, `;`. |
| SSO URL | IdP single sign-on URL. Required. |
| Verify Identity Provider Signature? | Turn on and provide the IdP public certificate (PEM). You can paste the certificate or use **Upload Certificate**. Supported file extensions: `.txt`, `.cert`, `.crt`, `.pem`. |

### Service provider settings

| Field | Description |
| --- | --- |
| Service Provider Entity ID | Enter `https://{your-swimlane-hostname}/tenant/api/saml/consume`. Use the same value in your IdP application configuration. Required. |

### General settings

| Setting | Description |
| --- | --- |
| Sign AuthnRequest? | When enabled, upload an AuthnRequest signing certificate in PKCS #12 format (`.pfx` or `.p12`). Do not use a password-protected file. To convert a PEM key and certificate: `openssl pkcs12 -export -out cert.pfx -in cert.pem -inkey key.pem` |
| Preserve whitespace in SAML response? | Enable only if your IdP includes insignificant whitespace that breaks signature validation. |
| Force SSO | When enabled, users must authenticate through SSO. See [Force SSO](#force-sso) for exemptions. |

(Screenshot: SAML Authentication dialog)

## Test SSO login

### Service provider–initiated login

1. Go to the Turbine login page.
2. Click **Login via SSO**.
3. Enter your alias or email address.

   | Input | Behavior |
   | --- | --- |
   | Email address | Turbine looks up your account and starts SAML authentication. |
   | Alias | Turbine routes login using the alias configured in SAML settings. Some accounts show alias only (alias-only login mode). |

4. Complete authentication at your IdP. Turbine validates the response and signs you in.

### Identity provider–initiated login

1. Open the Turbine application from your IdP portal (for example, an Okta app tile).
2. The IdP sends a SAML response to Turbine.
3. Turbine validates the response and matches the Name ID email to an existing user.

## Force SSO

You can enable Force SSO in the SAML Authentication dialog under General settings. When Force SSO is on, users must sign in through SSO instead of a Turbine password.

To allow specific users to sign in with a password while Force SSO is enabled:

1. Open the user under **Settings > Users**.
2. On the **General** or **Groups & Roles** tab, turn on **Exempt Force SSO**.
3. Save the user.
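The Name ID rules that decide whether an SSO login succeeds (email-address Name ID format, case-insensitive match against an existing user's email, no username Name IDs, no JIT creation) can be checked ahead of time on a SAML response captured from your IdP. The following is an added Python example, not Turbine's own code: it builds a constructed, unsigned minimal response, takes a constructed list of existing Turbine user emails, and reports which rule a login would fail on.

```python
from __future__ import annotations

import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
UNSPECIFIED_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"


def make_response(name_id: str, fmt: str) -> str:
    """Constructed, unsigned, minimal SAML Response for testing; not a real IdP message."""
    return (
        f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" Version="2.0">'
        f'<saml:Assertion Version="2.0"><saml:Subject>'
        f'<saml:NameID Format="{fmt}">{name_id}</saml:NameID>'
        f"</saml:Subject></saml:Assertion></samlp:Response>"
    )


def extract_name_id(response_xml: str) -> tuple[str, str]:
    """Return (value, format) of the assertion's NameID; raise if it is missing."""
    root = ET.fromstring(response_xml)
    node = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    if node is None or not (node.text or "").strip():
        raise ValueError("SAML assertion carries no NameID")
    return node.text.strip(), node.get("Format", "")


def check_name_id(response_xml: str, turbine_emails: list[str]) -> str:
    """Return 'ok' or the Turbine matching rule this NameID would fail."""
    value, fmt = extract_name_id(response_xml)
    if fmt != EMAIL_FORMAT:
        return f"name ID format is {fmt or 'unset'}; Turbine expects emailAddress"
    if "@" not in value:
        return f"name ID {value!r} is not an email address; username name IDs are not matched"
    # Turbine matches the Name ID against the user's email field, case-insensitively.
    if value.casefold() not in {e.casefold() for e in turbine_emails}:
        return f"no Turbine user has email {value}; create the user first (SCIM, directory, or manual)"
    return "ok"


if __name__ == "__main__":
    users = ["analyst.one@example.com"]  # constructed list of existing Turbine user emails
    print(check_name_id(make_response("Analyst.One@Example.com", EMAIL_FORMAT), users))
    print(check_name_id(make_response("aone", UNSPECIFIED_FORMAT), users))
```

The check covers only the Name ID rules on this page; it does not validate the IdP signature or the rest of the assertion.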
## Limitations

| Topic | Supported? | Notes |
| --- | --- | --- |
| Just-in-time user provisioning | No | Create users with SCIM, directory services, or manually before SSO. |
| Username as Name ID | No | Use the email address Name ID format in your IdP. |
| Multiple IdP configurations per account | No | One SAML configuration per account in this release. |
| Single Logout (SLO) | No | — |
| Encrypted SAML assertions | No | — |
| Role assignment via SAML | No | Assign roles and groups in Turbine after the user exists. |

## Next steps

- Provision and deprovision users automatically: Provisioning with SCIM integration
- Configure session timeout and password policies: Sessions and security
- Understand login options: Turbine login and authentication methods