Single Sign On (SSO)

saml sso in amberflo amberflo provides single sign on (sso) functionality to corporate accounts this is a security feature that allows it administrators to better manage employee access to third party accounts (in your case, the amberflo account) and avoid the need for employees to remember one more password this guide will walk you through the steps required to enable sso for your account how it works when sso is configured for your account, new users will be able to log in using their existing corporate identity they can do so by clicking on the continue with sso link at the bottom of the email/password login screen when on the sso sign in screen, the user can enter their corporate identity email address and then click the sign in button when they do so, we identify the domain from their email address the domain is used to link this user to the amberflo account that is associated with the same domain, and then, we automatically create amberflo users for the account getting started if you don't have an amberflo account yet, please go ahead and create one https //ui amberflo io/ using the standard sign up process now that you are logged in, go to the sso configuration page https //ui amberflo io/settings/account/sso you'll see the list of email domains verified for your account and the identity providers (idp) you configured for each domain if you do not have any email domains verified, you will be asked to contact us domain verification to get started, contact support mailto\ support\@amberflo io?subject=sso%20domain%20verification%20request to let us know a domain you wish to associate with your amberflo account once we verify you own the domain, we'll add it to the list, and you'll be able to configure an idp for that domain after you configure the idp, anyone having an email with the verified domain will be able to sso to your amberflo account identity provider configuration you can use any idp that supports the saml standard https //en wikipedia org/wiki/security assertion markup language the standard is supported by most of the popular user management services first you need to configure your idp to recognize amberflo to do this, you'll need the sso url and the audience values from amberflo you can find them by going to your sso settings page https //ui amberflo io/settings/account/sso and clicking configure on one of your verified email domains you can find instructions for specific services in the appendix below then, you'll need to register your idp on amberflo depending on what your idp provides you with, we'll need its metadata url or metadata xml you will be required to provide one or the other also, you can give your idp a name (for ui listing purposes only) now, your colleagues can sign in to your amberflo account using their corporate identity faq sso vs password sign in a user can only have one sign in method, sso or password based if you are using sso, then our recommendation is to have a single password based user, the "root" user of the account, and have all other users sign in via sso if a user is using password based sign in and needs to switch to sso, then you need to remove him from the account first after a user signs in for the first time with sso, his role will be set to analyst, and you might need to change it manually this is the case even if the user was password based before idp initiated sign in our authentication service provider does not support an authentication flow that starts from the idp’s app you must visit https //ui amberflo io https //ui amberflo io/ and click continue with sso to login to amberflo through sso you will encounter a invalid samlresponse or relaystate from identity provider error when attempting to login from the idp's app a workaround is to create a "bookmark" in your idp, and have users sign in by clicking on it common errors invalid samlresponse or relaystate from identity provider usually happens when one attemps an idp initiated sign in this is not supported appendix identity provider setup you'll find instructions for specific identity providers below can't find your provider? feel free to contact us for help okta on your okta admin console, navigate to applications , click create app integration , select saml 2 0 , then click next on the general settings , set the app name to "amberflo" then click next on the saml settings , set the fields like this leave the other fields with the default values field value single sign on url the sso url given when configuring a domain from the sso config page https //ui amberflo io/settings/account/sso audience uri (sp entity id) the audience given when configuring a domain from the sso config page https //ui amberflo io/settings/account/sso name id format set to emailaddress application username set to email scroll down to attribute statements add a single entry name name format value http //schemas xmlsoap org/ws/2005/05/identity/claims/emailaddress http //schemas xmlsoap org/ws/2005/05/identity/claims/emailaddress unspecified user email scroll down and click next now select i'm an okta customer adding an internal app and click finish you'll see a box highlighted in yellow it contains a link to the identity provider metadata copy this link and input it when registering the idp in amberflo that's it troubleshooting okta sso receiving error invalid samlresponse or relaystate from identity provider our service provider does not support an authentication flow that starts from the idp’s app you must visit https //ui amberflo io https //ui amberflo io/ and click continue with sso to login to amberflo through sso you can also go directly to https //ui amberflo io/sso https //ui amberflo io/sso as an alternative, you can bookmark the direct login link using these directions from okta https //help okta com/oag/en us/content/topics/access gateway/add app saml pass thru add bookmark htm please reach out to us mailto\ support\@amberflo io for your direct login link auth0 on your auth0 admin console, navigate to applications , click create application , type in "amberflo" in the name field, select single page web applications , and then click next now go to the addons tab and activate the saml2 addon on the addon configuration modal, go to the settings tab add amberflo's sso url in the application callback url field, and update the settings json to the following value, making sure to use the amberflo provided audience value { "audience" "\<amberflo's audience>", "mappings" { "email" "http //schemas xmlsoap org/ws/2005/05/identity/claims/emailaddress" }, "nameidentifierformat" "urn\ oasis\ names\ tc\ saml 1 1\ nameid format\ emailaddress", "nameidentifierprobes" \[ "http //schemas xmlsoap org/ws/2005/05/identity/claims/emailaddress" ] } scroll down and click save now go back to the settings tab you'll see an identity provider metadata download link copy this link and input it when creating the identity provider in amberflo that's it google workspace on your google workspace admin console https //admin google com/ , navigate to apps > web and mobile apps click add app > add custom saml app on the app details page, enter the name of the custom app in our example, we named it amberflo click continue on the google identity provider details page, get the setup information needed by the service provider using the download the idp metadata option you will use the provided xml for the metadata xml value when configuring your idp in amberflo click continue in the service provider details window, enter an acs url and entity id these values are all provided by clicking the configure button for the domain you are configuring at settings > account > single sign on https //ui amberflo io/settings/accounts/sso use the single sign on url for acs url value and audience restriction value for entity id in the name id format dropdown, select email in the name id dropdown , select basic information > primary email click continue under google directory attributes, select primary email in the google directory attributes dropdown under app attributes input, enter http //schemas xmlsoap org/ws/2005/05/identity/claims/emailaddress http //schemas xmlsoap org/ws/2005/05/identity/claims/emailaddress click finish back on your google workspace admin console https //admin google com/ , navigate to apps > web and mobile apps select your newly created saml app click user access to turn on a service for everyone in your organization click on for everyone and then click save after finishing this setup process, you will need to log out of your google workspace account and clear your cache if you do not, you may see a not a saml app error after logging out of your account, if you still encounter this error, you may need to wait a few minutes for google to associate your workspace with amberflo that's it troubleshooting google workspace sso receiving error invalid samlresponse or relaystate from identity provider our service provider does not support an authentication flow that starts from the idp’s app you must visit https //ui amberflo io https //ui amberflo io/ and click continue with sso to login to amberflo through sso receiving error app not configured for user if you are signed into one google account, a ui to pick the account you want to use will not be displayed there will be an attempt to log you in with the one google account you are signed in as if this account is not the one configured for saml with amberflo, you will receive the above mentioned error ensure that you are are signed in with the google account that is configured for sso with amberflo you can try logging in an incognito/private window to verify that this is the issue