Single Sign On

SAML SSO in Amberflo

Amberflo provides Single Sign On (SSO) functionality to corporate accounts. This is a security feature that allows IT administrators to better manage employee access to third party accounts (in your case, the Amberflo account) and avoid the need for employees to remember one more password.

This guide will walk you through the steps required to enable SSO for your account.

How it Works

When SSO is configured for your account, new users will be able to log in using their existing corporate identity. They can do so by clicking the Continue with SSO link at the bottom of the Email/Password Login screen.

When on the SSO sign-in screen, the user can enter their corporate identity email address and then click the Sign In button.

When they do so, we identify the domain from their email address. The domain is used to link this user to the Amberflo account associated with that same domain, and we then automatically create an Amberflo user in that account.

Getting Started

If you don't have an Amberflo account yet, please go ahead and create one using the standard sign-up process.

Now that you are logged in, go to the SSO configuration page. You'll see the list of email domains verified for your account and the Identity Providers (IdP) you configured for each domain.

If you do not have any email domains verified, you will be asked to contact us.

Domain Verification

To get started, contact support to let us know a domain you wish to associate with your Amberflo account. Once we verify you own the domain, we'll add it to the list, and you'll be able to configure an IdP for that domain.

After you configure the IdP, anyone with an email address on the verified domain will be able to sign in to your Amberflo account through SSO.

Identity Provider Configuration

You can use any IdP that supports the SAML standard. The standard is supported by most of the popular user management services.

First you need to configure your IdP to recognize Amberflo. To do this, you'll need the SSO URL and the Audience values from Amberflo. You can find them by going to your SSO settings page and clicking Configure on one of your verified email domains. You can find instructions for specific services in the Appendix below.

Then, you'll need to register your IdP on Amberflo. Depending on what your IdP provides, we'll need either its Metadata URL or its Metadata XML; you must supply one or the other. You can also give your IdP a Name (for UI listing purposes only).

Now, your colleagues can sign in to your Amberflo account using their corporate identity.
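To make the requirements above concrete (the Audience value, the EmailAddress Name ID format, the emailaddress attribute claim, and the domain-to-account linking described under How it Works), here is an added Python example of the checks a SAML service provider performs on an incoming response. It is not Amberflo's code: the audience URL, the verified-domain table and the SAML response are constructed placeholders, and XML signature verification, which a real service provider performs before any of these checks, is left out.

```python
"""Illustrative SP-side handling of a SAML Response shaped the way this guide
asks the IdP to produce it. Added example; not Amberflo's implementation."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# The attribute name the guide asks every IdP to emit for the user's email.
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
# The "EmailAddress" Name ID format selected in the IdP settings.
EMAIL_NAMEID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed placeholder for the Audience value shown on the SSO config page.
EXPECTED_AUDIENCE = "https://sp.example.invalid/saml/audience"

# Constructed placeholder table: verified email domain -> account identifier.
VERIFIED_DOMAINS = {"example.com": "account-123"}

# Constructed, unsigned sample response. A real SP verifies the XML signature
# against the IdP metadata before trusting anything below.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}"
    xmlns:saml="{NS['saml']}" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="{EMAIL_NAMEID_FORMAT}">alice@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>{EXPECTED_AUDIENCE}</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="{EMAIL_CLAIM}">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


class SamlError(ValueError):
    """Raised when the response does not meet the SP's requirements."""


def extract_identity(response_xml, expected_audience=EXPECTED_AUDIENCE):
    """Return the asserted email (lower-cased) after checking the audience
    restriction, the NameID format and the email attribute claim."""
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise SamlError("no Assertion in response")

    # Audience restriction: the assertion must be addressed to this SP.
    audiences = [a.text.strip() for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if expected_audience not in audiences:
        raise SamlError("audience mismatch: %r" % audiences)

    # NameID must be in the emailAddress format the guide configures.
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_NAMEID_FORMAT:
        raise SamlError("NameID missing or not in emailAddress format")

    # The email attribute statement must be present and agree with NameID.
    email_attr = None
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == EMAIL_CLAIM:
            value = attr.find("saml:AttributeValue", NS)
            email_attr = (value.text or "").strip() if value is not None else None
    if not email_attr:
        raise SamlError("email attribute claim missing")
    if email_attr.lower() != (name_id.text or "").strip().lower():
        raise SamlError("NameID and email attribute disagree")
    return email_attr.lower()


def resolve_account(email, verified_domains=VERIFIED_DOMAINS):
    """Map the email's domain (the part after the last '@') to the account
    that verified it; an unverified domain is rejected rather than guessed."""
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain:
        raise SamlError("malformed email address")
    account = verified_domains.get(domain.lower())
    if account is None:
        raise SamlError("domain %r is not verified for any account" % domain)
    return account


if __name__ == "__main__":
    email = extract_identity(SAMPLE_RESPONSE)
    print(email, "->", resolve_account(email))
```

The audience check is what ties the Audience value from the SSO config page to the IdP settings: an assertion issued for a different service provider, even from a trusted IdP, is rejected. The domain lookup is why domain verification has to happen before an IdP can be configured; without it, any IdP could assert an address on someone else's domain.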

Caveats

  • Only new users will be able to sign in with SSO. So, if you already have colleagues on your account, you will need to remove them before they can sign in with SSO.
  • Our authentication service provider does not support an authentication flow that starts from the IdP's app. You must visit https://ui.amberflo.io and click Continue with SSO to log in to Amberflo through SSO. You will encounter an Invalid samlResponse or relayState from identity provider error when attempting to log in from the IdP's app.

Appendix: Identity Provider Setup

You'll find instructions for specific identity providers below. Can't find your provider? Feel free to contact us for help.

Okta

On your Okta admin console, navigate to Applications, click Create App Integration, select SAML 2.0, then click Next.

On the General Settings, set the App name to "Amberflo" then click Next.

On the SAML Settings, set the fields like this:

  Field                          Value
  Single sign on URL             The SSO URL given when configuring a domain from the SSO config page
  Audience URI (SP Entity ID)    The Audience given when configuring a domain from the SSO config page
  Name ID format                 Set to EmailAddress
  Application username           Set to Email

Leave the other fields with the default values.

Scroll down to Attribute Statements. Add a single entry:

  Name                                                                  Name Format    Value
  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress    Unspecified    user.email

Scroll down and click Next.

Now select I'm an Okta customer adding an internal app and click Finish.

You'll see a box highlighted in yellow. It contains a link to the identity provider metadata. Copy this link and input it when registering the IdP in Amberflo.

That's it.

Auth0

On your Auth0 admin console, navigate to Applications, click Create Application, type in "Amberflo" in the Name field, select Single Page Web Applications, and then click Next.

Now go to the Addons tab and activate the SAML2 addon.

On the addon configuration modal, go to the Settings tab.

Add Amberflo's SSO URL in the Application Callback URL field, and update the Settings JSON to the following value, making sure to use the Amberflo provided Audience value.

{
  "audience": "<Amberflo's Audience>",
  "mappings": {
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
  },
  "nameIdentifierFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
  "nameIdentifierProbes": [
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
  ]
}

Scroll down and click Save.

Now go back to the Settings tab. You'll see an Identity Provider Metadata download link. Copy this link and input it when creating the identity provider in Amberflo.

That's it.

Google Workspace

On your Google Workspace admin console, navigate to Apps > Web and mobile apps.

Click Add App > Add custom SAML app.

On the App Details page, enter the name of the custom app. In our example, we named it amberflo. Click Continue.

On the Google Identity Provider details page, get the setup information needed by the service provider using the Download the IdP metadata option. You will use the provided XML for the Metadata XML value when configuring your IdP in Amberflo. Click Continue.

In the Service Provider Details window, enter an ACS URL and Entity ID. These values are all provided by clicking the Configure button for the domain you are configuring at Settings > Account > Single Sign-on. Use the Single Sign-On URL for ACS URL value and Audience Restriction Value for Entity ID.

In the Name ID Format dropdown, select EMAIL. In the Name ID dropdown, select Basic Information > Primary Email. Click Continue.

Under Google Directory attributes, select Primary email in the Google Directory attributes dropdown.
Under App attributes, enter http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
Click Finish.

Back on your Google Workspace admin console, navigate to Apps > Web and mobile apps.
Select your newly created SAML app. Click User access.

To turn on the service for everyone in your organization, click On for everyone and then click Save.

After finishing this setup process, you will need to log out of your Google Workspace account and clear your cache. If you do not, you may see a not_a_saml_app error. After logging out of your account, if you still encounter this error, you may need to wait a few minutes for Google to associate your workspace with Amberflo.

That's it.

Troubleshooting Google Workspace SSO

  • Receiving error Invalid samlResponse or relayState from identity provider
    • Our service provider does not support an authentication flow that starts from the IdP's app. You must visit https://ui.amberflo.io and click Continue with SSO to log in to Amberflo through SSO.
  • Receiving error app_not_configured_for_user
    • If you are signed in to only one Google account, the account picker will not be displayed; Google will attempt to log you in with that one account. If it is not the account configured for SAML with Amberflo, you will receive the error above. Ensure that you are signed in with the Google account that is configured for SSO with Amberflo. You can try logging in from an Incognito/Private window to verify that this is the issue.