SAML
Integrated authentication with your preferred Identity Provider.
Last updated
Integrated authentication with your preferred Identity Provider.
Last updated
Datasaur supports SAML as an authentication method. As you may already know, it requires an Identity Provider to function properly. This integration is managed under "Settings," which means the scope of SAML authentication is tightly coupled with each Workspace.
IdP = Identity Provider, e.g. Okta, Microsoft Entra ID, etc.
SP = Service Provider. In this case, it's Datasaur.
Users who have been invited to a Workspace with SAML integration can automatically sign in using SAML. In cases where a user has multiple Workspaces, each with its own SAML integration, Datasaur allows users to sign in using different IdPs. That is why Datasaur needs Company ID attribute to correctly select the appropriate IdP for the authentication process when using SAML.
To integrate your specific IdP with Datasaur, you can initiate the process by enabling it through SAML page on Settings, just like mentioned above. Here is the overview process:
Open the Datasaur app and select a Workspace. Then, navigate to Settings > SAML and click the enable SAML button. Ensure you do not close this form until the process is completed.
In your preferred IdP console, connect it to Datasaur. Detailed guides for specific IdPs can be found in the . Use both the "SP Sign-in URL" and "SP Issuer" values on the form to successfully integrate the IdP with Datasaur.
After the integration is complete on the IdP app, fill in these three fields by referencing the values directly from the IdP to complete the form in Datasaur:
IdP Sign-in URL
IdP Issuer
Public certificate
Continue with the additional configuration that may need to be done that highly depends on each IdP.
SP Sign-in URL: This is the Datasaur endpoint where SAML responses are posted. You will need to provide this link to your IdP during the integration process.
SP Issuer: The default value is datasaur, but you can customize it to your preferences. This value must match the one you set on the IdP.
Company ID: A unique value to help Datasaur distinguish between multiple IdPs. This attribute will be asked when signing in using SAML so that Datasaur can connect to the appropriate IdP.
IdP Sign-in URL: This URL will be requested by Datasaur to perform SAML authentication.
IdP Issuer: This value will be used to determine which IdP Datasaur should look into when receiving the SAML response.
Public Certificate: Datasaur will use this certificate to validate the signature of SAML responses when they arrive.
Click the SAML button on the authentication page.
Ensure the Company ID is accurately entered. If you are unsure about the Company ID, please consult your Admin. This ID should already be configured during the SAML integration setup.
Proceed with the authentication process on your IdP.
If you have never signed in using your IdP account before, registration is required. This process is also conducted through SAML by clicking the corresponding button, as described above. Upon successful registration, the new user will be automatically added to the Workspace equipped with SAML integration.
To enable this functionality, your IdP should send the roles attribute, containing an array of items formatted as <yourCompanyId>_<UPPER CASED-ROLE>. Let's say company-a is the company ID for Workspace A and company-b is the company ID for Workspace B. If a user needs to be assigned to both Workspaces (Workspace A as an Admin and Workspace B as a Reviewer), set the roles attribute like the example below:
The additional process of handling custom attributes only occurs if roles attribute is defined.
If there is no match (the input company ID is not found in any of the roles), the authentication process will fail.
If a specific user has been invited to a Workspace but the custom attribute is missing, the user won't be able to authenticate but will still exist in the Workspace.
If there at least one match (the input company ID is found in one of the roles), authentication will succeed, and the following side effects will occur:
Auto register if the user doesn't exist.
Auto invite (accepted, not just an email invitation) if the user hasn't been invited to the Workspace.
Auto sync the role if the current Workspace role differs from the role specified in the custom attribute.
Datasaur supports role assignment through custom SAML attributes provided in the SAML response. This feature is optional but useful for managing multiple Workspaces with a single Identity Provider app without using SCIM. There are : Admin, Supervisor, Reviewer, and Labeler.