Custom SAML Authentication

SAML-based single sign-on allows anyone in your organization to access ScaleFT through an existing centralized identity system.

Some identity providers have specific integrations with ScaleFT:

  • G Suite
  • Okta
  • GitHub

If your organization uses one of these providers you can get started by creating a new team and choosing your identity provider during signup.

Specific SAML configuration instructions are also available for some identity providers:

Other identity providers can be configured using a custom SAML configuration.

Creating a Team

SAML can only be configured in ScaleFT during signup, so to get started, create a new team and choose SAML authentication when prompted.

Identity Provider Configuration

Once you reach the SAML configuration step in the ScaleFT signup process you’ll need to configure your identity provider. The ScaleFT SAML signup form will provide you with several of the necessary parameters:

  • Assertion Consumer Service URL - some identity providers also require that you input this as the “Recipient”
  • Service Provider Entity ID - sometimes called “Audience” or “Service Provider Issuer”
  • Service Provider Certificate - this is used to verify the signature on the SAML authentication requests ScaleFT sends; it is safe to skip if your identity provider doesn’t require signed requests.

Attribute Configuration

You’ll also need to configure your identity provider to expose several SAML attributes. You can choose any name you want for these attributes, but be sure to make note of them; you’ll need to enter them into ScaleFT under Attribute Mapping.

  • Login (ScaleFT username)
  • Email
  • First Name
  • Last Name
  • SSH Username (optional: if you omit this and use ScaleFT for SSH, ScaleFT will generate SSH user names based on the Login attribute)

These must be SAML attributes; ScaleFT treats a name such as “SAML_SUBJECT” as a literal attribute name, not as a reference to the SAML subject.

Other Considerations

  • ScaleFT requires that identity providers sign responses, assertions, or both. You’ll need to supply a certificate to verify these under Identity Provider Information.
  • ScaleFT requests persistent (urn:oasis:names:tc:SAML:2.0:nameid-format:persistent) SAML NameIDs to establish a mapping between users in your identity system and users in ScaleFT. Any value which is unique to the user and doesn’t change over time will satisfy this requirement, even if it isn’t pseudo-random as the SAML specification requires.
  • ScaleFT accepts SAML responses via HTTP POST binding.
  • ScaleFT uses just-in-time user provisioning, so if your identity provider supports another provisioning mechanism, leave it disabled for now.
    • Support for SCIM 2.0 is coming soon.
  • ScaleFT does not support IdP-initiated logins; if one is received we will redirect the user to the ScaleFT login screen where they can perform a Service Provider initiated login as normal.

ScaleFT Configuration

Once you’ve configured your identity provider, you’ll need to provide ScaleFT with several values.

Identity Provider SSO URL

Some identity providers call this the “Single Sign-On URL” or “SAML Endpoint”. This is the URL that ScaleFT will send users to when they attempt to log in. Copy the URL exactly as your identity provider supplies it into ScaleFT.

Identity Provider Entity ID

Some identity providers call this the “Issuer”. This identifies your identity provider, and is often specific to your ScaleFT configuration within the identity provider. ScaleFT will reject SAML responses whose Entity ID doesn’t match.

Identity Provider X.509 Certificate

This is the X.509 certificate which ScaleFT should use to verify the signature on SAML responses.

Attribute Mapping

In this section you will need to input the names of the attributes you configured in your identity provider. ScaleFT will use these attributes when creating new user accounts.

If your identity provider sends an attribute of the form:

<saml:Attribute Name="Email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
  <saml:AttributeValue xsi:type="xs:anyType"></saml:AttributeValue>
</saml:Attribute>

Then the attribute name you enter in ScaleFT would be Email.
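The checks a service provider applies to a posted response, tying together the parameters under Identity Provider Configuration, the rules under Other Considerations (HTTP POST binding, persistent NameID, no IdP-initiated login), the values under ScaleFT Configuration and this Attribute Mapping, as an added Python example that is not ScaleFT’s own code. It uses only the standard library; the URLs, entity IDs, attribute names and the sample response are constructed for the example, and it deliberately leaves out XML signature verification against the Identity Provider certificate, which a real service provider performs first (for example with xmlsec) before any of these checks mean anything.

```python
"""SP-side handling of a SAML Response, added to illustrate this page's rules
(example code, not ScaleFT's; stdlib only). It does NOT verify the XML-DSig
signature against the IdP X.509 certificate; a real SP does that first. All names are constructed."""
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Hypothetical values: acs_url and sp_entity_id are what the ScaleFT signup form
# gives you; idp_entity_id and the mapping are what you enter back into ScaleFT.
SP_CONFIG = {
    "acs_url": "https://app.example.com/saml/acs",            # a.k.a. "Recipient"
    "sp_entity_id": "https://app.example.com/saml/metadata",  # a.k.a. "Audience"
    "idp_entity_id": "https://idp.example.org/saml/issuer",   # a.k.a. "Issuer"
    "attribute_mapping": {"login": "Login", "email": "Email", "first_name": "FirstName",
                          "last_name": "LastName", "ssh_username": "SSHUsername"},
}

# Constructed Response as the IdP would POST it (shown before base64 encoding).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
 IssueInstant="2024-01-01T00:00:00Z" InResponseTo="_req1" Destination="https://app.example.com/saml/acs">
 <saml:Issuer>https://idp.example.org/saml/issuer</saml:Issuer>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.org/saml/issuer</saml:Issuer>
  <saml:Subject>
   <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">u-8f3c2a</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData
    Recipient="https://app.example.com/saml/acs" InResponseTo="_req1"/></saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
   <saml:Audience>https://app.example.com/saml/metadata</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
   <saml:Attribute Name="Login"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="Email"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="FirstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="LastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""

class SamlRejected(Exception):
    """Raised for any response the SP must refuse."""

def encode_form(xml_text):
    return {"SAMLResponse": base64.b64encode(xml_text.encode()).decode()}  # the IdP's POSTed form

def decode_post_binding(form):
    """Only the HTTP POST binding is accepted, so the Response must be in SAMLResponse."""
    if "SAMLResponse" not in form:
        raise SamlRejected("no SAMLResponse form field")
    return ET.fromstring(base64.b64decode(form["SAMLResponse"]))

def validate_response(root, cfg, request_id):
    def expect(actual, wanted, what):
        if actual != wanted:
            raise SamlRejected(f"{what}: got {actual!r}, expected {wanted!r}")
    # IdP-initiated (unsolicited) logins have no InResponseTo matching our AuthnRequest: refuse them.
    expect(root.get("InResponseTo"), request_id, "InResponseTo")
    expect(root.get("Destination"), cfg["acs_url"], "Destination")
    # Both Issuers must equal the Identity Provider Entity ID entered in ScaleFT.
    expect(root.findtext("saml:Issuer", namespaces=NS), cfg["idp_entity_id"], "Response Issuer")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise SamlRejected("no plaintext Assertion")
    expect(assertion.findtext("saml:Issuer", namespaces=NS), cfg["idp_entity_id"], "Assertion Issuer")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    expect(scd.get("Recipient") if scd is not None else None, cfg["acs_url"], "Recipient")
    expect(assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience",
                              namespaces=NS), cfg["sp_entity_id"], "Audience")
    # The persistent NameID is the stable key between IdP user and ScaleFT user; it must be present.
    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        raise SamlRejected("missing NameID")
    return name_id, assertion

def map_attributes(assertion, mapping):
    """Attribute Mapping: resolve each field by the Attribute Name the IdP emits. A name is only
    ever an attribute name, so mapping a field to "SAML_SUBJECT" never reaches the NameID."""
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", default="", namespaces=NS)
             for a in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS)}
    user = {}
    for field, name in mapping.items():
        if attrs.get(name):
            user[field] = attrs[name]
        elif field != "ssh_username":  # SSH Username is the only optional field
            raise SamlRejected(f"required attribute {name!r} for {field} not in assertion")
    # The page says ScaleFT derives an SSH user name from Login when omitted but gives no rule; this stand-in copies Login.
    user.setdefault("ssh_username", user["login"])
    return user

def login_from_post(form, cfg, request_id):
    name_id, assertion = validate_response(decode_post_binding(form), cfg, request_id)
    user = map_attributes(assertion, cfg["attribute_mapping"])
    user["name_id"] = name_id  # just-in-time provisioning keys the ScaleFT user on this value
    return user

if __name__ == "__main__":
    print(login_from_post(encode_form(SAMPLE_RESPONSE), SP_CONFIG, "_req1"))
```

Running the file prints the just-in-time user record built from the sample response. Removing InResponseTo (what an IdP-initiated login looks like), changing the Issuer or Audience, or mapping Login to “SAML_SUBJECT” each raises SamlRejected, which is the behaviour the sections above describe.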

Completing Signup

Important: before clicking “Authenticate with SAML” be sure that you have permission to access the application in your identity provider or authentication will fail. In some identity providers this can take a long time to propagate or requires a manual synchronization process.