Single Sign On

SAML SSO in Amberflo

Amberflo provides Single Sign On (SSO) for corporate accounts. SSO is a security feature: it lets IT administrators manage employee access to third-party services (here, the Amberflo account) centrally from the corporate identity provider, so access is granted and revoked in one place and employees do not need to remember one more password.

This guide will walk you through the steps required to enable SSO for your account.

How it Works

When SSO is configured for your account, new users can log in with their existing corporate identity by clicking the Continue with SSO link at the bottom of the Email/Password Login screen.

On the SSO sign-in screen, the user enters their corporate email address and clicks Sign In.

When they do so, Amberflo takes the domain from that email address, finds the Amberflo account that has verified the same domain, and sends the user through the IdP configured for that domain. On a successful sign-in, an Amberflo user is created automatically in that account. Because the link is made by email domain alone, the domain verification described below is the control that keeps another account from claiming your users, and your IdP's own assignment of who may use the Amberflo app decides who ends up with an Amberflo user.

Getting Started

If you don't have an Amberflo account yet, please go ahead and create one using the standard sign-up process.

Once you are logged in, go to the SSO configuration page (Settings > Account > Single Sign-on). It lists the email domains verified for your account and the Identity Provider (IdP) configured for each domain.

If you do not have any email domains verified, you will be asked to contact us.

Domain Verification

To get started, contact support to let us know a domain you wish to associate with your Amberflo account. Once we verify you own the domain, we'll add it to the list, and you'll be able to configure an IdP for that domain.

After you configure the IdP, anyone whose IdP-asserted email address is in the verified domain will be able to sign in to your Amberflo account with SSO. Access control is therefore delegated to the IdP: whoever can authenticate to the Amberflo app there gets an Amberflo user.

Identity Provider Configuration

You can use any IdP that supports the SAML standard. The standard is supported by most of the popular user management services.

First, configure your IdP to recognize Amberflo as a service provider. For this you need the SSO URL and the Audience values from Amberflo; find them by going to your SSO settings page and clicking Configure on one of your verified email domains. Instructions for specific services are in the Appendix below.

Then, register your IdP in Amberflo. Depending on what your IdP gives you, provide either its Metadata URL or its Metadata XML; exactly one of the two is required. You can also give the IdP a Name, which is used only for listing in the UI.

Now, your colleagues can sign in to your Amberflo account using their corporate identity.
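To see where the values configured above end up, here is an added Python example, written for this page and not Amberflo's implementation, of the checks a service provider runs on the SAML response the IdP posts back after a successful login: the SSO URL is the response Destination (the ACS), the Audience appears under AudienceRestriction, the NameID carries the email address, the emailaddress claim from the attribute statement repeats it, and the email domain is then matched against verified domains as described under How it Works. The ACS URL, Audience, account identifier and the response itself are constructed; the response is unsigned, and a real SP must verify the XML signature against the IdP metadata certificate before trusting any of these fields.

```python
"""SP-side checks on a SAML response (added example, not Amberflo's code).
The sample response is constructed and unsigned; signature verification
against the IdP metadata certificate is assumed to have happened first."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

# Hypothetical SP values; in practice the SSO URL and Audience from the SSO config page.
ACS_URL = "https://sso.example.invalid/saml/acs"
AUDIENCE = "urn:example:amberflo-sp"
# Hypothetical verified-domain table: domain -> account identifier.
VERIFIED_DOMAINS = {"example.com": "acct-1234"}

# Constructed sample response, as an IdP configured per this page would emit it.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" Destination="{ACS_URL}">
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
    <saml:Subject><saml:NameID Format="{NAMEID_EMAIL}">alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction><saml:Audience>{AUDIENCE}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="{EMAIL_CLAIM}" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


class SamlError(Exception):
    """Raised when the response must be rejected; the message says why."""


def check_response(xml_text, acs_url=ACS_URL, audience=AUDIENCE, verified_domains=VERIFIED_DOMAINS):
    """Return (email, account_id) for an acceptable response, else raise SamlError."""
    root = ET.fromstring(xml_text)  # production code should use a hardened parser (e.g. defusedxml)

    # 1. Addressed to our ACS endpoint (the SSO URL given to the IdP).
    if root.get("Destination") != acs_url:
        raise SamlError("Destination does not match the ACS URL")

    # 2. The IdP reported success.
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise SamlError("IdP did not report success")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise SamlError("response carries no assertion")

    # 3. Audience restriction names this SP. Without this check, an assertion the
    #    IdP issued for a different application could be replayed against this one.
    audiences = [a.text.strip() for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if audience not in audiences:
        raise SamlError("audience restriction does not include this SP")

    # 4. NameID is an email address, as configured in the IdP.
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != NAMEID_EMAIL or not name_id.text:
        raise SamlError("NameID is not in emailAddress format")
    email = name_id.text.strip().lower()

    # 5. The emailaddress claim must agree with the NameID; a mismatch means the
    #    IdP attribute mapping is wrong or the assertion was altered.
    claim = None
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == EMAIL_CLAIM:
            value = attr.find("saml:AttributeValue", NS)
            claim = value.text.strip().lower() if value is not None and value.text else None
    if claim != email:
        raise SamlError("emailaddress claim missing or does not match NameID")

    # 6. Domain linking: only a domain verified for an account may be mapped to it.
    local_part, sep, domain = email.rpartition("@")
    if not sep or not local_part or domain not in verified_domains:
        raise SamlError(f"domain {domain!r} is not verified for any account")
    return email, verified_domains[domain]


def rejection_reason(xml_text, **kwargs):
    """The SamlError message for a rejected response, or None when it is accepted."""
    try:
        check_response(xml_text, **kwargs)
    except SamlError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print(check_response(SAMPLE_RESPONSE))
```

The order matters: the audience check comes before anything derived from the user's identity, so an assertion minted for another application at the same IdP is rejected before any account lookup happens.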

Caveats

Only users created through SSO can sign in with SSO; existing password-based users on your account are not converted. If colleagues already have Amberflo users, remove those users first; they will be re-created automatically on their first SSO sign-in.

Appendix: Identity Provider Setup

You'll find instructions for specific identity providers below. Can't find your provider? Feel free to contact us for help.

Okta

On your Okta admin console, navigate to Applications, click Create App Integration, select SAML 2.0, then click Next.

On the General Settings, set the App name to "Amberflo" then click Next.

On the SAML Settings, set the fields like this:

Field                         Value
Single sign on URL            The SSO URL given when configuring a domain from the SSO config page
Audience URI (SP Entity ID)   The Audience given when configuring a domain from the SSO config page
Name ID format                EmailAddress
Application username          Email

Leave the other fields with the default values.

Scroll down to Attribute Statements. Add a single entry:

Name                                                                 Name Format   Value
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress   Unspecified   user.email

Scroll down and click Next.

Now select I'm an Okta customer adding an internal app and click Finish.

You'll see a box highlighted in yellow containing a link to the identity provider metadata. Copy this link and enter it as the Metadata URL when registering the IdP in Amberflo.

That's it.

Auth0

On your Auth0 admin console, navigate to Applications, click Create Application, type in "Amberflo" in the Name field, select Single Page Web Applications, and then click Next.

Now go to the Addons tab and activate the SAML2 addon.

On the addon configuration modal, go to the Settings tab.

Enter Amberflo's SSO URL in the Application Callback URL field, and replace the Settings JSON with the value below, substituting the Audience value Amberflo gave you. The mappings entry renames Auth0's email attribute to the claim name Amberflo expects; nameIdentifierFormat and nameIdentifierProbes make the NameID the user's email address.

{
  "audience": "<Amberflo's Audience>",
  "mappings": {
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
  },
  "nameIdentifierFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
  "nameIdentifierProbes": [
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
  ]
}

Scroll down and click Save.

Now switch to the addon's Usage tab. It shows an Identity Provider Metadata download link; copy this link and enter it as the Metadata URL when creating the identity provider in Amberflo.

That's it.

Google Workspace

On your Google Workspace admin console, navigate to Apps > Web and mobile apps.

Click Add App > Add custom SAML app.

On the App Details page, enter the name of the custom app. In our example, we named it amberflo. Click Continue.

On the Google Identity Provider details page, use the Download the IdP metadata option to get the setup information the service provider needs. The downloaded XML is the Metadata XML value you'll paste when registering the IdP in Amberflo. Click Continue.

In the Service Provider Details window, enter the ACS URL and Entity ID. Both values come from clicking the Configure button for the domain you are configuring at Settings > Account > Single Sign-on: use the Single Sign-On URL as the ACS URL and the Audience Restriction Value (the Audience) as the Entity ID.

In the Name ID Format dropdown, select EMAIL. In the Name ID dropdown, select Basic Information > Primary Email. Click Continue.

Under Google Directory attributes, select Primary email in the Google Directory attributes dropdown.
Under App attributes input, enter http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
Click Finish.

Back on your Google Workspace admin console, navigate to Apps > Web and mobile apps.
Select your newly created SAML app. Click User access.

To turn the app on for everyone in your organization, click ON for everyone, then click Save. Since every user who can reach the app gets an Amberflo user on first sign-in, scope access to an organizational unit or group instead if only part of the organization should have Amberflo access.

That's it.