# Single Sign On (SSO)
## SAML SSO in Amberflo

Amberflo supports Single Sign On (SSO) via SAML to enhance security and simplify user access for corporate accounts. This feature allows IT administrators to manage employee access centrally and eliminates the need for separate Amberflo credentials.

### How it works

Once SSO is enabled, users can log in using their corporate identity:

1. On the login page, select **Continue with SSO** at the bottom of the email/password login form.
2. On the SSO sign-in screen, enter your corporate email address and click **Sign in** to authenticate through your identity provider.

This setup ensures secure, passwordless access to Amberflo for your organization's team members. When a user signs in this way, we identify the domain from their email address. The domain is used to link the user to the Amberflo account associated with the same domain, and we then automatically create Amberflo users for that account.

## Getting started with SAML SSO

Once logged in, navigate to the https://ui.amberflo.io/settings/account/sso page. There you'll see:

- a list of verified email domains associated with your account
- the identity providers (IdPs) configured for each domain

If you do not have any email domains verified, you will be asked to contact us.

### Domain verification

If no email domains are verified yet, you'll be prompted to contact Amberflo support (mailto:support@amberflo.io?subject=SSO%20Domain%20Verification%20Request) with the domain you want to associate with your Amberflo account to start the verification process. Once ownership is verified, the domain will appear in your list. Afterward, you can configure an IdP for that domain.

**Note:** once an IdP is configured, anyone with an email address from the verified domain will be able to log in using SSO.

### Identity provider configuration

Amberflo supports any identity provider (IdP) that adheres to the SAML standard (https://en.wikipedia.org/wiki/Security_Assertion_Markup_Language), including all major enterprise identity platforms. To configure it:

1. In your IdP, set up Amberflo as a new application using the **SSO URL** and **Audience** values from Amberflo. These can be found on the Amberflo https://ui.amberflo.io/settings/access-security/sso page by clicking **Configure** on a verified domain.
2. Register your IdP in Amberflo by providing one of the following:
   - Metadata URL
   - Metadata XML

   You may also assign a name to your IdP for display purposes in the UI.

Now your colleagues can sign in to your Amberflo account using their corporate identity.

## FAQ

### SSO vs. password sign-in

Each user can only use one sign-in method: either SSO or password-based login. If your team is using SSO, it's recommended to maintain a single password-based "root" user and have all other users sign in via SSO.

If a user currently signs in with a password and needs to switch to SSO, they must first be removed from the account. When a user signs in with SSO for the first time, they are automatically assigned the **Analyst** role. If the user previously had a different role, you'll need to manually update their role after the switch.

### IdP-initiated sign-in

Amberflo does not support IdP-initiated sign-ins (i.e., starting login from your identity provider's dashboard). Users must visit https://ui.amberflo.io/ and click **Continue with SSO** to log in. Attempting to log in directly from the IdP may result in the following error:

`Invalid SAMLResponse or RelayState from identity provider`

**Workaround:** create a "bookmark" or "link app" in your IdP that directs users to https://ui.amberflo.io to initiate the login flow correctly.

### Common errors

**Invalid SAMLResponse or RelayState from identity provider**

This typically occurs when trying to perform an IdP-initiated login, which is not supported by Amberflo. Ensure users always start from the Amberflo login page to avoid this error.

## Appendix: identity provider setup

You'll find instructions for specific identity providers below. If your provider isn't listed, please reach out to us for assistance.

### Okta

1. On your Okta admin console, navigate to **Applications**, click **Create App Integration**, select **SAML 2.0**, then click **Next**.
2. On the **General Settings** page, set the app name to "Amberflo", then click **Next**.
3. On the **SAML Settings** page, set the fields as follows and leave the other fields at their default values:

| Field | Value |
| --- | --- |
| Single sign on URL | The SSO URL given when configuring a domain from https://ui.amberflo.io/settings/access-security/sso |
| Audience URI (SP Entity ID) | The Audience given when configuring a domain from https://ui.amberflo.io/settings/access-security/sso |
| Name ID format | EmailAddress |
| Application username | Email |

4. Scroll down to **Attribute Statements** and add a single entry:

| Name | Name format | Value |
| --- | --- | --- |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress | Unspecified | user.email |

5. Scroll down and click **Next**.
6. Select **I'm an Okta customer adding an internal app** and click **Finish**.
7. You'll see a box highlighted in yellow. It contains a link to the identity provider metadata. Copy this link and input it when registering the IdP in Amberflo.

That's it!

#### Troubleshooting Okta SSO

**Error: Invalid SAMLResponse or RelayState from identity provider**

This error occurs because our authentication service does not support an authentication flow initiated from the identity provider (IdP) app.

To resolve: go to https://ui.amberflo.io and click **Continue with SSO**, or navigate directly to https://ui.amberflo.io/sso.

Alternative workaround: you can bookmark the direct login link in Okta; follow https://help.okta.com/oag/en-us/content/topics/access-gateway/add-app-saml-pass-thru-add-bookmark.htm. If you need your direct login link, please email support@amberflo.io and we'll provide it.

### Auth0

1. On your Auth0 admin console, navigate to **Applications**, click **Create Application**, type "Amberflo" in the name field, select **Single Page Web Applications**, and then click **Next**.
2. Go to the **Addons** tab and activate the **SAML2** addon.
3. On the addon configuration modal, go to the **Settings** tab. Add Amberflo's SSO URL in the **Application Callback URL** field, and update the settings JSON to the following value, making sure to use the Amberflo-provided Audience value:

```json
{
  "audience": "<amberflo's audience>",
  "mappings": {
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
  },
  "nameIdentifierFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
  "nameIdentifierProbes": [
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
  ]
}
```

4. Scroll down and click **Save**.
5. Go back to the **Settings** tab. You'll see an **Identity Provider Metadata** download link. Copy this link and input it when creating the identity provider in Amberflo.

That's it!

### Google Workspace

1. In your Google Admin console (https://admin.google.com/), navigate to **Apps > Web and mobile apps**.
2. Click **Add app > Add custom SAML app**.
3. On the **App details** page, enter the name of the custom app. In our example, we named it Amberflo. Click **Continue**.
4. On the **Google Identity Provider details** page, get the setup information needed by the service provider using the **Download the IdP metadata** option. You will use the provided XML for the Metadata XML value when configuring your IdP in Amberflo. Click **Continue**.
5. In the **Service provider details** window, enter an ACS URL and Entity ID. These values are all provided by clicking the **Configure** button for the domain you are configuring at https://ui.amberflo.io/settings/access-security/sso. Use the SSO URL for the ACS URL value and the Audience Restriction value for the Entity ID.
6. In the **Name ID format** dropdown, select **EMAIL**. In the **Name ID** dropdown, select **Basic Information > Primary email**. Click **Continue**.
7. Under **Google Directory attributes**, select **Primary email** in the Google Directory attributes dropdown. Under **App attributes**, enter http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress. Click **Finish**.
8. Back in your Google Admin console (https://admin.google.com/), navigate to **Apps > Web and mobile apps** and select your newly created SAML app.
9. Click **User access**. To turn on the service for everyone in your organization, click **On for everyone** and then click **Save**.

After finishing this setup process, you will need to log out of your Google Workspace account and clear your cache. If you do not, you may see a "Not a SAML app" error. If you still encounter this error after logging out of your account, you may need to wait a few minutes for Google to associate your workspace with Amberflo.

That's it!

#### Troubleshooting Google Workspace SSO

**Error: Invalid SAMLResponse or RelayState from identity provider**

This error occurs when attempting to initiate login from the identity provider (IdP) app. Amberflo does not support IdP-initiated sign-ins.

To resolve: visit https://ui.amberflo.io and click **Continue with SSO** to log in through SSO.

**Error: App not configured for user**

This happens when you are signed into a Google account that is not configured for SSO with Amberflo. Google automatically attempts to log in using that account without letting you choose.

To resolve: make sure you are signed into the correct Google account configured for Amberflo SSO. Try logging in via an incognito/private browser window to choose the correct account.
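As an added diagnostic (not part of Amberflo's documentation or product), the Python script below lints a SAML response captured from a browser SAML tracer against the settings described above: an SP-initiated flow (the `InResponseTo` that an IdP-initiated login lacks, the cause of the RelayState error), the `emailAddress` NameID format, the Audience value, the `emailaddress` claim attribute, and an email domain that is verified in Amberflo. The sample response, the audience and SSO URL placeholders, and the verified-domain set are all constructed; signature and timestamp validation are left to the real service provider.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample response (no signature, placeholder values) as an admin might
# copy from a browser SAML tracer; real responses also carry a Signature element.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
  InResponseTo="_req42" Destination="https://PLACEHOLDER-SSO-URL">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions><saml:AudienceRestriction><saml:Audience>PLACEHOLDER-AUDIENCE</saml:Audience></saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

def lint_response(xml_text, expected_audience, verified_domains):
    """Return the list of mismatches against the settings this page documents (empty = OK)."""
    root = ET.fromstring(xml_text)
    problems = []
    # An SP-initiated response echoes the AuthnRequest ID; no InResponseTo means IdP-initiated.
    if root.get("InResponseTo") is None:
        problems.append("no InResponseTo: IdP-initiated flow, not supported")
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_NAMEID:
        problems.append("NameID missing or format is not emailAddress")
    audience = root.find(".//saml:AudienceRestriction/saml:Audience", NS)
    if audience is None or audience.text != expected_audience:
        problems.append("Audience does not match the value Amberflo gave for the domain")
    claim = None  # the email claim attribute must be present and agree with the NameID
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == EMAIL_CLAIM:
            claim = attr.find("saml:AttributeValue", NS)
    if claim is None:
        problems.append("email claim attribute missing")
    elif name_id is not None and claim.text != name_id.text:
        problems.append("email claim and NameID disagree")
    # Amberflo links the login to an account by the email's domain, so it must be verified.
    email = (claim.text if claim is not None else "") or ""
    domain = email.rpartition("@")[2].lower()
    if domain not in verified_domains:
        problems.append(f"domain {domain!r} is not a verified domain")
    return problems
```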
