SAML 2.0 Auth Module
SAML 2.0 authentication module lets you configure Space as a SAML Service Provider (SAML SP). SAML supports single sign-on (SSO) across multiple domains.
When you configure and enable a SAML 2.0 authentication module in Space:
Space users will be able to log in to Space with the credentials that are managed in a specified third-party identity provider (SAML IdP).
Space users will have fewer accounts and passwords to remember.
New users with accounts in the connected identity provider will be able to create their own accounts in Space.
Single sign-on initiation
The SAML 2.0 authentication module supports both service-provider (SP) and identity-provider (IdP) initiation for single sign-on (SSO). Which side initiates the login request depends on where the user starts signing in to Space from.
If the user signs in through an external login portal or access management provider (for example, OneLogin), the request is initiated by the IdP.
If the user signs in by clicking the button for the IdP in the Space login page, the request is initiated by Space as SP.
To support both flows, the RelayState parameter configured for your SAML IdP must be empty. If you set a value for this parameter in the configuration of your IdP, the redirect back to Space fails with a Can't restore state error.
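The SP-initiated flow described above, as an added example that is not Space's code: a Python sketch of the HTTP-Redirect binding an SP typically uses to start SSO (that Space uses exactly this binding is an assumption), with the SP entity ID, ACS URL and SAML SSO URL as constructed placeholders. The restore_state function at the end is an assumed illustration of why a value set as the IdP's Default RelayState cannot be restored: the SP only recognises RelayState tokens it issued itself and treats an empty RelayState as an IdP-initiated login.

```python
"""
Added example (not Space's, Okta's or OneLogin's code). Sketch of an SP-initiated
SAML login via the HTTP-Redirect binding, and of RelayState handling on the way back.
All URLs and identifiers are constructed placeholders; that Space uses exactly this
binding and this RelayState scheme is an assumption made for illustration.
"""
import base64
import datetime
import secrets
import urllib.parse
import zlib
from typing import Dict, Optional
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed placeholders for the values exchanged between the two sides.
SP_ENTITY_ID = "https://space.example.com/saml/sp"   # SP entity ID (IdP side: Audience URI)
ACS_URL = "https://space.example.com/saml/acs"       # ACS URL (IdP side: Single sign on URL)
IDP_SSO_URL = "https://idp.example.com/sso/saml"     # SAML SSO URL, generated by the IdP


def build_authn_request(request_id: str, issue_instant: str) -> str:
    """Minimal AuthnRequest: Issuer says who asks (SP entity ID), Destination which IdP
    endpoint it is for, AssertionConsumerServiceURL where the Response must be posted."""
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination="{IDP_SSO_URL}" AssertionConsumerServiceURL="{ACS_URL}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f"<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>"
        '<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" '
        'AllowCreate="true"/>'
        "</samlp:AuthnRequest>"
    )


def encode_redirect_payload(xml: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE (no zlib header, wbits=-15), then base64."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = compressor.compress(xml.encode("utf-8")) + compressor.flush()
    return base64.b64encode(deflated).decode("ascii")


def decode_redirect_payload(payload: str) -> str:
    """Inverse of encode_redirect_payload; what the IdP does on receipt."""
    return zlib.decompress(base64.b64decode(payload), -15).decode("utf-8")


def new_request_id() -> str:
    # XML IDs must not start with a digit; 128 random bits also make the ID unguessable.
    return "_" + secrets.token_hex(16)


def sp_initiated_redirect_url(relay_state: Optional[str] = None) -> str:
    """The URL the SP redirects the browser to. RelayState is only added when the SP
    itself has state to carry; the IdP must echo it back unchanged."""
    now = datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    params = {"SAMLRequest": encode_redirect_payload(build_authn_request(new_request_id(), now))}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return IDP_SSO_URL + "?" + urllib.parse.urlencode(params)


def parse_redirect_url(url: str) -> ET.Element:
    """What the IdP sees: pull SAMLRequest out of the query string and parse the XML."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    return ET.fromstring(decode_redirect_payload(query["SAMLRequest"][0]))


# --- RelayState on the way back (assumed mechanism, for illustration only) -----------

def issue_relay_state(store: Dict[str, str], return_to: str) -> str:
    """SP-initiated: remember where to send the user afterwards under an opaque token."""
    token = secrets.token_urlsafe(16)
    store[token] = return_to
    return token


def restore_state(store: Dict[str, str], relay_state: Optional[str]) -> str:
    """Empty RelayState means IdP-initiated: nothing to restore, land on the default page.
    A non-empty value the SP never issued (for example a Default RelayState configured
    on the IdP) cannot be restored and is rejected rather than followed as a redirect."""
    if not relay_state:
        return "/"
    if relay_state not in store:
        raise ValueError("Can't restore state: unknown RelayState")
    return store.pop(relay_state)  # single use


if __name__ == "__main__":
    url = sp_initiated_redirect_url()
    req = parse_redirect_url(url)
    print(url)
    print("Issuer:", req.find(f"{{{SAML_NS}}}Issuer").text)
```

Running the block prints the redirect URL an SP would send the browser to and the Issuer the IdP recovers from it; restore_state shows the two outcomes the page describes: an empty RelayState is handled as IdP-initiated, an unknown one is refused.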
Enable SAML 2.0 authentication
To enable SAML 2.0 authentication, configuration is required on both sides: the identity provider (IdP) and Space. The actual setup procedure depends on the identity provider (IdP) you're going to use, but usually involves the following general steps:
In Space, start creating a new SAML 2.0 auth module. The New Auth Module form provides the parameters you need to configure your identity provider (IdP).
On the identity-provider (IdP) side, set up a SAML identity service (application) using the information from the SAML 2.0 auth module form in Space, such as SP entity ID and ACS URL.
On both sides, configure the SAML attributes for user accounts.
In Space, specify the required parameters generated by the identity provider (IdP), such as SAML SSO URL, IdP entity ID, and IdP certificate fingerprint.
If the IdP service does not provide a fingerprint of its certificate, compute one yourself by applying SHA-256 to the certificate (for example, with SAML Tool). The fingerprint pins the certificate whose signatures Space will trust, so compute it from a certificate you obtained from the IdP's own configuration page, not from a certificate embedded in a SAML message you received.
In Space, activate the SAML 2.0 authentication module.
Example: Configure Okta as SAML Identity Provider in Space
There are many SAML-based single sign-on services you can use. In this example we'll configure Okta as the SAML IdP for Space. This instruction assumes that you have an account with Okta.
Get parameters from your Space SAML 2.0 auth module
On the main menu, click Administration and choose Auth Modules.
Click New auth module. The New Auth Module dialog opens.
From the Type drop-down list, select SAML 2.0.
Collect the values from the following fields on the form:
SP entity ID
ACS URL
Set up a new SAML IdP application in Okta
In a new browser tab or window, sign in to your Okta organization as an administrator.
Create a new SAML application for the Space service. Follow the Okta instructions to create it.
Provide the values that you gathered from your Space SAML 2.0 auth module:
Paste SP entity ID into the Audience URI field.
Paste ACS URL into the Single sign on URL field.
Specify the following values for the fields:
Field                  Value
Default RelayState     leave blank (a value here causes the Can't restore state error described under Single sign-on initiation)
Name ID format         Email Address
Application username   Email
Set SAML attributes
In Space, scroll down the SAML 2.0 auth module form to the Attributes section.
In Okta, locate the Attribute Statements section and add attributes. Specify attribute names that match the corresponding field names in Space, and provide the following values:
Click Finish when done to create your SAML application in Okta.
Provide Okta-generated parameters to Space and enable the module
In Okta, go to the Sign On tab and click the View Setup Instructions button:
A page with the parameters of your Okta IdP will open.
Copy the values and paste them into the corresponding fields of the SAML 2.0 auth module form in Space:
Okta Field Name                        Space Field Name
Identity Provider Single Sign-On URL   SAML SSO URL
Identity Provider Issuer               IdP entity ID
X.509 Certificate                      IdP certificate fingerprint
Space computes the fingerprint from the certificate for you: copy the X.509 certificate from Okta, then in Space click Upload X.509 certificate… and paste it into the pop-up window.
Switch the SAML 2.0 auth module status to Active:
Click Create to save your settings and enable the module.
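The fingerprint step, as an added example that is not Space's or Okta's code, serving both the general step above (compute a SHA-256 fingerprint yourself when the IdP does not publish one) and the Okta upload step: the Python below derives the SHA-256 fingerprint from a PEM certificate and then uses that pinned value to check the certificate an IdP embeds in a SAML Response, which is what the IdP certificate fingerprint field exists for. The certificate bytes and the Response are constructed placeholders, not a real certificate or message, and the colon-separated uppercase hex display form is an assumption about the format Space expects.

```python
"""
Added example (not Space's or Okta's code): compute the SHA-256 fingerprint of an X.509
certificate as needed for the "IdP certificate fingerprint" field, and use that pinned
value to check the certificate an IdP embeds in a SAML Response. The certificate bytes and
the Response below are constructed placeholders, not a real certificate or a real message;
the colon-separated uppercase hex display form is an assumption about Space's format.
"""
import base64
import hashlib
import hmac
import re
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armor and base64-decode the body. Fingerprints are taken over the
    DER bytes, never over the PEM text (line wrapping would change the digest)."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(body.split()), validate=True)


def sha256_fingerprint(der: bytes) -> str:
    """SHA-256 over the DER bytes, shown as colon-separated uppercase hex pairs."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_from_pem(pem: str) -> str:
    return sha256_fingerprint(pem_to_der(pem))


def embedded_cert_der(saml_response_xml: str) -> bytes:
    """DER bytes of the certificate carried in ds:KeyInfo of the Response signature.
    Exactly one certificate is required; anything else is rejected."""
    root = ET.fromstring(saml_response_xml)
    certs = root.findall(f".//{{{DS_NS}}}X509Certificate")
    if len(certs) != 1:
        raise ValueError(f"expected one ds:X509Certificate, found {len(certs)}")
    return base64.b64decode("".join(certs[0].text.split()), validate=True)


def embedded_cert_matches_pin(saml_response_xml: str, pinned_fingerprint: str) -> bool:
    """True only if the embedded certificate is the pinned one. This is the point of the
    pin: a Response signed with some other, attacker-chosen certificate is rejected before
    any signature check, because the message cannot be trusted to name its own key."""
    actual = sha256_fingerprint(embedded_cert_der(saml_response_xml))
    return hmac.compare_digest(actual, pinned_fingerprint.upper())


# Constructed placeholder bytes; a real certificate is DER-encoded ASN.1, but the
# fingerprint computation is identical.
FAKE_IDP_CERT_DER = b"constructed placeholder, not a real X.509 certificate"
FAKE_IDP_CERT_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(FAKE_IDP_CERT_DER).decode("ascii")
    + "-----END CERTIFICATE-----\n"
)
PINNED_FINGERPRINT = fingerprint_from_pem(FAKE_IDP_CERT_PEM)


def constructed_response(cert_der: bytes) -> str:
    """A skeleton Response (constructed) carrying only the parts this example looks at."""
    cert_b64 = base64.b64encode(cert_der).decode("ascii")
    return (
        f'<samlp:Response xmlns:samlp="{SAMLP_NS}" xmlns:ds="{DS_NS}" '
        'ID="_constructed" Version="2.0">'
        "<ds:Signature><ds:SignatureValue>Y29uc3RydWN0ZWQ=</ds:SignatureValue>"
        f"<ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert_b64}</ds:X509Certificate>"
        "</ds:X509Data></ds:KeyInfo></ds:Signature>"
        "</samlp:Response>"
    )


GENUINE_RESPONSE = constructed_response(FAKE_IDP_CERT_DER)
SWAPPED_CERT_RESPONSE = constructed_response(b"attacker-chosen certificate placeholder")

if __name__ == "__main__":
    print("pinned:", PINNED_FINGERPRINT)
    print("genuine accepted:", embedded_cert_matches_pin(GENUINE_RESPONSE, PINNED_FINGERPRINT))
    print("swapped accepted:", embedded_cert_matches_pin(SWAPPED_CERT_RESPONSE, PINNED_FINGERPRINT))
```

To check a real certificate, pass the PEM text copied from the IdP's setup page to fingerprint_from_pem and compare the result with the fingerprint the IdP publishes; a mismatch means you were handed a different certificate than the one the IdP signs with.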