Guides
...
System Integrations
SSO - Identity

Single Sign On (SSO)

19min

SAML SSO in Amberflo

Amberflo provides Single Sign On (SSO) functionality to corporate accounts. This is a security feature that allows IT administrators to better manage employee access to third party accounts (in your case, the Amberflo account) and avoid the need for employees to remember one more password.

This guide will walk you through the steps required to enable SSO for your account.

How it Works

When SSO is configured for your account, new users will be able to log in using their existing corporate identity. They can do so by clicking on the Continue with SSO link at the bottom of the Email/Password Login screen.



Document image


When on the SSO sign-in screen, the user can enter their corporate identity email address and then click the Sign In button.



Document image


When they do so, we identify the domain from their email address. The domain is used to link this user to the Amberflo account that is associated with the same domain, and then, we automatically create Amberflo users for the account.

Getting Started

If you don't have an Amberflo account yet, please go ahead and create one using the standard sign-up process.

Now that you are logged in, go to the SSO configuration page. You'll see the list of email domains verified for your account and the Identity Providers (IdP) you configured for each domain.

If you do not have any email domains verified, you will be asked to contact us.



Document image


Domain Verification

To get started, contact support to let us know a domain you wish to associate with your Amberflo account. Once we verify you own the domain, we'll add it to the list, and you'll be able to configure an IdP for that domain.

After you configure the IdP, anyone having an email with the verified domain will be able to SSO to your Amberflo account.

Identity Provider Configuration

You can use any IdP that supports the SAML standard. The standard is supported by most of the popular user management services.

First you need to configure your IdP to recognize Amberflo. To do this, you'll need the SSO URL and the Audience values from Amberflo. You can find them by going to your SSO settings page and clicking Configure on one of your verified email domains. You can find instructions for specific services in the Appendix below.

Then, you'll need to register your IdP on Amberflo. Depending on what your IdP provides you with, we'll need its Metadata URL or Metadata XML. You will be required to provide one or the other. Also, you can give your IdP a Name (for UI listing purposes only).



Document image


Now, your colleagues can sign in to your Amberflo account using their corporate identity.

FAQ

SSO vs Password sign-in

A user can only have one sign-in method, SSO or password-based.

If you are using SSO, then our recommendation is to have a single password-based user, the "root" user of the account, and have all other users sign-in via SSO.

If a user is using password based sign-in and needs to switch to SSO, then you need to remove him from the account first.

After a user signs in for the first time with SSO, his role will be set to Analyst, and you might need to change it manually. This is the case even if the user was password-based before.

IdP initiated sign-in

Our authentication service provider does not support an authentication flow that starts from the IdP’s app.

You must visit https://ui.amberflo.io and click Continue with SSO to login to Amberflo through SSO. You will encounter a Invalid samlResponse or relayState from identity provider error when attempting to login from the IdP's app.

A workaround is to create a "bookmark" in your IdP, and have users sign-in by clicking on it.

Common errors

Invalid samlResponse or relayState from identity provider

Usually happens when one attemps an Idp initiated sign-in. This is not supported.

Appendix: Identity Provider Setup

You'll find instructions for specific identity providers below. Can't find your provider? Feel free to contact us for help.

Okta

On your Okta admin console, navigate to Applications, click Create App Integration, select SAML 2.0, then click Next.



Document image


On the General Settings, set the App name to "Amberflo" then click Next.

Document image


On the SAML Settings, set the fields like this:

Leave the other fields with the default values.

Field

Value

Single sign on URL

The SSO URL given when configuring a domain from the SSO config page

Audience URI (SP Entity ID)

The Audience given when configuring a domain from the SSO config page

Name ID format

Set to EmailAddress

Application username

Set to Email



Document image


Scroll down to Attribute Statements. Add a single entry:

Name

Name Format

Value

Unspecified

user.email

Document image


Scroll down and click Next.

Now select I'm an Okta customer adding an internal app and click Finish.

You'll see a box highlighted in yellow. It contains a link to the identity provider metadata. Copy this link and input it when registering the IdP in Amberflo.



Document image


That's it.

Troubleshooting Okta SSO

  • Receiving error Invalid samlResponse or relayState from identity provider

Auth0

On your Auth0 admin console, navigate to Applications, click Create Application, type in "Amberflo" in the Name field, select Single Page Web Applications, and then click Next.

Document image


Now go to the Addons tab and activate the SAML2 addon.



Document image


On the addon configuration modal, go to the Settings tab.

Add Amberflo's SSO URL in the Application Callback URL field, and update the Settings JSON to the following value, making sure to use the Amberflo provided Audience value.

JSON




Document image


Scroll down and click Save.

Now go back to the Settings tab. You'll see an Identity Provider Metadata download link. Copy this link and input it when creating the identity provider in Amberflo.



Document image


That's it.

Google Workspace

On your Google Workspace admin console, navigate to Apps > Web and mobile apps.



Document image


Click Add App > Add custom SAML app.



Document image


On the App Details page, enter the name of the custom app. In our example, we named it amberflo. Click Continue.



Document image


On the Google Identity Provider details page, get the setup information needed by the service provider using the Download the IdP metadata option. You will use the provided XML for the Metadata XML value when configuring your IdP in Amberflo. Click Continue.



Document image


In the Service Provider Details window, enter an ACS URL and Entity ID. These values are all provided by clicking the Configure button for the domain you are configuring at Settings > Account > Single Sign-on. Use the Single Sign-On URL for ACS URL value and Audience Restriction Value for Entity ID

In the Name ID Format dropdown, select EMAIL. In the Name ID dropdown, Select Basic Information > Primary Email. Click Continue.

Document image


Under Google Directory attributes, select Primary email in the Google Directory attributes dropdown. Under App attributes input, enter http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress Click Finish.



Document image


Back on your Google Workspace admin console, navigate to Apps > Web and mobile apps. Select your newly created SAML app. Click User access.



Document image


To turn on a service for everyone in your organization. Click On for everyone and then click Save.



Document image


After finishing this setup process, you will need to log out of your Google Workspace account and clear your cache. If you do not, you may see a not_a_saml_app error. After logging out of your account, if you still encounter this error, you may need to wait a few minutes for Google to associate your workspace with Amberflo.

That's it.

Troubleshooting Google Workspace SSO

  • Receiving error Invalid samlResponse or relayState from identity provider
    • Our service provider does not support an authentication flow that starts from the IdP’s app. You must visit https://ui.amberflo.io and click Continue with SSO to login to Amberflo through SSO
  • Receiving error app_not_configured_for_user
    • If you are signed into one Google account, a UI to pick the account you want to use will not be displayed. There will be an attempt to log you in with the one Google account you are signed in as. If this account is not the one configured for SAML with Amberflo, you will receive the above mentioned error. Ensure that you are are signed in with the Google account that is configured for SSO with Amberflo. You can try logging in an Incognito/Private window to verify that this is the issue.