Set up enterprise-grade SAML Single Sign-On (SSO) for secure authentication in Openlayer with step-by-step instructions for Okta, Azure AD, and Google Workspace
SAML (Security Assertion Markup Language) Single Sign-On (SSO) allows your organization to authenticate users through your identity provider (IdP), providing enhanced security and a streamlined login experience. Openlayer supports SAML SSO with all major identity providers, including Okta, Azure AD, Google Workspace, OneLogin, and more.
With SAML SSO, you can:
Access Workspace Settings
Access Security and Privacy Settings
Configure SAML SSO
Set Up Your Identity Provider
During the configuration process, you’ll need to provide the following information to your IdP:
- ACS (Assertion Consumer Service) URL: https://api.openlayer.com/auth/saml/callback
- Entity ID (SP Entity ID / Audience): https://api.openlayer.com/auth/saml
- Start (sign-on) URL: https://app.openlayer.com/login
You’ll also need to configure the following SAML attributes in your IdP:
| Attribute Name | Description |
|---|---|
| email | User’s email address (required) |
| firstName | User’s first name (optional) |
| lastName | User’s last name (optional) |
| groups | User’s group memberships for role mapping (optional) |
Complete the Configuration
Choose your identity provider below for specific configuration instructions:
Okta
1. Create a SAML Application
2. Configure Basic Settings
3. Configure SAML Settings. In the SAML Settings section, enter:
   - Single sign-on URL (ACS URL): https://api.openlayer.com/auth/saml/callback
   - Audience URI (SP Entity ID): https://api.openlayer.com/auth/saml
4. Configure Attribute Statements. In the Attribute Statements section, add:

| Name | Value |
|---|---|
| email | user.email |
| firstName | user.firstName |
| lastName | user.lastName |

   In the Group Attribute Statements section, add:

| Name | Filter |
|---|---|
| groups | Matches regex .* (to include all groups) |

5. Finish Setup
Azure AD
1. Create a New Application
2. Configure SAML. In the Basic SAML Configuration section, enter:
   - Identifier (Entity ID): https://api.openlayer.com/auth/saml
   - Reply URL (ACS URL): https://api.openlayer.com/auth/saml/callback
   - Sign on URL: https://app.openlayer.com/login
3. Configure User Attributes. In the User Attributes & Claims section, ensure the user identifier claim is user.mail or user.userprincipalname, and that the following claims are present:

| Claim name | Source attribute |
|---|---|
| email | user.mail |
| firstName | user.givenname |
| lastName | user.surname |
| groups | user.groups |

4. Download Metadata. Download the Federation Metadata XML file to upload to Openlayer.
5. Assign Users. Complete the setup and assign users and groups to the application.
Google Workspace
1. Create a SAML App
2. Configure App Details
3. Configure Service Provider Details. In the Service Provider Details section, enter:
   - ACS URL: https://api.openlayer.com/auth/saml/callback
   - Entity ID: https://api.openlayer.com/auth/saml
   - Start URL: https://app.openlayer.com/login
4. Configure Attribute Mapping. In the Attribute Mapping section, add:

| App attribute | Google directory attribute |
|---|---|
| email | Primary Email |
| firstName | First Name |
| lastName | Last Name |
| groups | Groups |

5. Finish Setup
Openlayer supports automatic role assignment based on IdP group membership. This allows you to manage user permissions directly through your identity provider.
By default, Openlayer maps IdP groups to roles as follows:
- openlayer-role-admin will be assigned admin roles
- openlayer-role-member will be assigned member roles
- openlayer-role-viewer will be assigned viewer roles (read-only access)
For role mapping to work correctly, your IdP must include group information in the SAML assertion. The exact configuration depends on your IdP:
- Okta: add a group attribute statement named groups with the filter Matches regex .* (to include all groups). Create groups named openlayer-role-admin, openlayer-role-member, and openlayer-role-viewer.
- Azure AD: add a group claim named groups. Create groups named openlayer-role-admin, openlayer-role-member, and openlayer-role-viewer.
- Google Workspace: map the groups attribute to Groups. Create groups named openlayer-role-admin, openlayer-role-member, and openlayer-role-viewer.
Full directory sync configuration through the UI is currently in development. For advanced directory sync options, please contact support.
Bot users (service accounts) can be authenticated using SAML SSO, allowing for automated processes and integrations while maintaining your security policies.
1. Create a Service Account. Create a dedicated user for the bot in your IdP, for example bot-name@yourdomain.com or service-integration@yourdomain.com.
2. Assign Appropriate Groups. For admin access, add the bot user to the openlayer-role-admin group; for member access, add it to the openlayer-role-member group.
3. Configure Authentication Method. Bot users can authenticate to Openlayer using API Key Authentication:
   1. Log in as the bot user: log in to Openlayer as the bot user through your IdP.
   2. Create an API key: navigate to Settings > Personal API Keys and create a new API key.
   3. Use the API key: use this API key for programmatic access to Openlayer.
API Key Authentication is currently the only supported method for bot user authentication in Openlayer. This provides a secure way to authenticate programmatic access while maintaining your security policies.
The values to use when creating the bot user are the same in Okta, Azure AD, and Google Workspace:
- Name: Bot User (or a descriptive name)
- Email: bot-user@yourdomain.com
- Group: the role group the bot needs (for example openlayer-role-admin)
For enhanced security, you can configure your workspace to only allow SAML authentication:
1. Access Security Settings. Navigate to Workspace Settings > Security and Privacy.
2. Enable SAML-Only Access. Enable the “SAML-Only Access” option.
3. Confirm the Change. Review the implications and confirm the change.
When SAML-only access is enabled:
Enabling SAML-only access will prevent users from logging in with email/password credentials. Ensure all users have access through your IdP before enabling this option.
Users Cannot Log In
If users successfully authenticate with your IdP but receive an error in Openlayer, check the following:
Incorrect Role Assignment
If users log in but have incorrect permissions, verify these items:
- Check the IdP group membership and naming conventions
- Verify that group names exactly match the expected format (openlayer-role-admin, etc.)
- Ensure the groups attribute is properly configured in your IdP’s SAML settings
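The role mapping section above and this troubleshooting list both come down to what is inside the assertion's AttributeStatement: a `groups` attribute whose values match the openlayer-role-* names exactly. The following is an added example, not Openlayer's own code, that parses the attribute statement of a SAML 2.0 assertion and reports the role it would map to plus the misconfigurations the list names (missing `email`, missing `groups`, group names that differ only by case or whitespace). The sample assertion is constructed, and the rule that the most privileged matching role wins is an assumption the page does not state. It inspects attributes only; validating the assertion's signature, audience and timestamps is the service provider's job and is not shown here.

```python
from __future__ import annotations

import xml.etree.ElementTree as ET

# Constructed sample assertion (not captured from Openlayer or any real IdP):
# the AttributeStatement an IdP configured as described on this page would emit.
# The last group deliberately has the wrong case to exercise the exact-match check.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example" Version="2.0">
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>Engineering</saml:AttributeValue>
      <saml:AttributeValue>openlayer-role-member</saml:AttributeValue>
      <saml:AttributeValue>Openlayer-Role-Admin</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Default group-to-role mapping as documented on this page.
ROLE_GROUPS = {
    "openlayer-role-admin": "admin",
    "openlayer-role-member": "member",
    "openlayer-role-viewer": "viewer",
}
# Assumption (not stated on the page): if a user is in several role groups,
# the most privileged role wins. Adjust if your deployment resolves it differently.
ROLE_RANK = {"viewer": 1, "member": 2, "admin": 3}


def extract_attributes(assertion_xml: str) -> dict[str, list[str]]:
    """Return every SAML attribute as name -> list of values (groups is multi-valued)."""
    root = ET.fromstring(assertion_xml)
    attrs: dict[str, list[str]] = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", SAML_NS)]
        attrs[attr.get("Name", "")] = values
    return attrs


def resolve_role(groups: list[str]) -> str | None:
    """Map group names to an Openlayer role using exact (case-sensitive) matching."""
    roles = [ROLE_GROUPS[g] for g in groups if g in ROLE_GROUPS]
    return max(roles, key=ROLE_RANK.__getitem__) if roles else None


def near_misses(groups: list[str]) -> list[str]:
    """Groups that would map to a role if not for case or whitespace differences."""
    return [g for g in groups if g not in ROLE_GROUPS and g.strip().lower() in ROLE_GROUPS]


def check_assertion(assertion_xml: str) -> dict:
    """Diagnose the attribute statement the way the troubleshooting list suggests."""
    attrs = extract_attributes(assertion_xml)
    problems: list[str] = []
    email = next(iter(attrs.get("email", [])), "")
    if not email:
        problems.append("required attribute 'email' is missing or empty")
    if "groups" not in attrs:
        problems.append("no 'groups' attribute in the assertion: role mapping cannot work")
    groups = attrs.get("groups", [])
    for g in near_misses(groups):
        problems.append(f"group {g!r} does not exactly match a role group name")
    role = resolve_role(groups)
    if groups and role is None:
        problems.append("groups present, but none match the openlayer-role-* names")
    return {"email": email, "role": role, "groups": groups, "problems": problems}


if __name__ == "__main__":
    result = check_assertion(SAMPLE_ASSERTION)
    print(f"email={result['email']} role={result['role']}")
    for problem in result["problems"]:
        print("problem:", problem)
```

Run against the sample, the user resolves to `member` even though an admin-looking group is present, because `Openlayer-Role-Admin` is not an exact match; that is exactly the "group names exactly match the expected format" case from the list above, and the report names the offending group so the fix can be made in the IdP rather than by loosening the match on the service provider side.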
Bot User Authentication Failures
If a bot user cannot authenticate programmatically, check these common causes:
SAML Configuration Errors
If you encounter errors during the SAML configuration process, verify these items:
For more advanced troubleshooting, you can:
Which identity providers are supported?
Openlayer supports all major SAML 2.0 compatible identity providers, including but not limited to:
Can I use SAML SSO with the free plan?
SAML SSO is available on paid plans only. Please contact our sales team for more information about pricing and plan options.
How do I migrate existing users to SAML SSO?
Existing users can continue to use their current login method until you enable SAML-only access. We recommend the following migration process:
1. Set up SAML SSO for your workspace.
2. Ensure all users are properly configured in your IdP.
3. Have users test logging in with SAML before enforcing SAML-only access.
4. Once confirmed working for all users, enable SAML-only access.
Can I use multiple identity providers?
Currently, Openlayer supports one identity provider per workspace. If you need to support multiple IdPs, please contact our support team to discuss your requirements.
Does SAML SSO support multi-factor authentication (MFA)?
Yes, Openlayer respects the authentication policies configured in your identity provider, including MFA. Configure MFA in your IdP, and it will be enforced during the SAML authentication process.
What happens if my IdP is temporarily unavailable?
If you encounter any issues with SAML SSO configuration or bot user authentication, please contact our support team at support@openlayer.com.