SAML-based single sign-on allows anyone in your organization to access ScaleFT through an existing centralized identity system.
Some identity providers have specific integrations with ScaleFT:
If your organization uses one of these providers you can get started by creating a new team and choosing your identity provider during signup.
Specific SAML configuration instructions are also available for some identity providers:
Other identity providers can be configured using a custom SAML configuration.
SAML can only be configured in ScaleFT during signup, so to get started, create a new team and choose SAML authentication when prompted.
Once you reach the SAML configuration step in the ScaleFT signup process, you’ll need to configure your identity provider. The ScaleFT SAML signup form will provide you with several of the necessary parameters:
You’ll also need to configure your identity provider to expose several SAML attributes. You can choose any name you want for these attributes, but be sure to make note of them; you’ll need to enter them into ScaleFT under Attribute Mapping.
These must be SAML attributes; ScaleFT will not interpret names such as “SAML_SUBJECT” to be anything other than an attribute name.
urn:oasis:names:tc:SAML:2.0:nameid-format:persistent) SAML NameIDs to establish a mapping between users in your identity system and users in ScaleFT. Any value which is unique to the user and doesn’t change over time will satisfy this requirement, even if it isn’t pseudo-random like the SAML specification requires.
Once you’ve configured your identity provider, you’ll need to provide ScaleFT with several values.
Some identity providers call this the “Single Sign-On URL” or “SAML Endpoint”. This is the URL that ScaleFT will send users to when they attempt to log in. Copy the URL exactly as your identity provider supplies it into ScaleFT.
Some identity providers call this the “Issuer”. This identifies your identity provider, and is often specific to your ScaleFT configuration within the identity provider. ScaleFT will reject SAML responses whose Entity ID doesn’t match.
This is the X.509 certificate which ScaleFT should use to verify the signature on SAML responses.
In this section you will need to input the names of the attributes you configured in your identity provider. ScaleFT will use these attributes when creating new user accounts.
If your identity provider sends an attribute of the form:
<saml:Attribute Name="Email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
  <saml:AttributeValue xsi:type="xs:anyType">firstname.lastname@example.org</saml:AttributeValue>
</saml:Attribute>
Then the attribute name you enter in ScaleFT would be
Important: before clicking “Authenticate with SAML”, be sure that you have permission to access the application in your identity provider, or authentication will fail. In some identity providers this can take a long time to propagate or require a manual synchronization process.
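The following Python example is added here and is not part of ScaleFT or its documentation. It checks a sample assertion from your identity provider against the values described above (the Entity ID, a persistent NameID, and the mapped attribute names) before you enter them into ScaleFT. The sample assertion, the `check_assertion` function, the `idp.example.org` Entity ID and the `email` mapping key are constructed for illustration, and the check does not verify the XML signature.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Constructed sample assertion (not captured from a real identity provider).
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <saml:Issuer>https://idp.example.org/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">u-8841</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="Email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml:AttributeValue xsi:type="xs:anyType">firstname.lastname@example.org</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

def check_assertion(xml_text, expected_entity_id, attribute_mapping):
    """Return a list of configuration problems; an empty list means none found."""
    # Parse only samples you exported yourself; this is a setup check, not a validator.
    root = ET.fromstring(xml_text)
    problems = []
    issuer = root.findtext("saml:Issuer", "", NS).strip()
    if issuer != expected_entity_id:
        problems.append(f"Issuer {issuer!r} does not match Entity ID {expected_entity_id!r}")
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("no NameID in Subject")
    elif name_id.get("Format") != PERSISTENT:
        problems.append(f"NameID format is {name_id.get('Format')!r}, not persistent")
    # Only real <saml:Attribute> elements count; a placeholder such as
    # "SAML_SUBJECT" is looked up as an attribute name like any other.
    present = {}
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
        present[attr.get("Name")] = [v for v in values if v]
    for field, attr_name in attribute_mapping.items():
        if not present.get(attr_name):
            problems.append(f"{field}: attribute {attr_name!r} missing or empty")
    return problems
```

Pass the Entity ID exactly as your identity provider reports it, and a mapping from each ScaleFT field to the attribute name you chose in the identity provider.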