Single Sign On

SAML SSO in Amberflo

Amberflo provides Single Sign On (SSO) functionality to corporate accounts. This is a security feature that lets IT administrators better manage employee access to third-party accounts (in your case, the Amberflo account) and avoids the need for employees to remember one more password.

This guide will walk you through the steps required to enable SSO for your account.

How it Works

When SSO is configured for your account, new users will be able to log in using their existing corporate identity. They can do so by clicking the Continue with SSO link at the bottom of the Email/Password Login screen.

When on the SSO sign-in screen, the user can enter their corporate identity email address and then click the Sign In button.

When they do so, we identify the domain from their email address. That domain is used to link the user to the Amberflo account associated with the same domain, and we then automatically create an Amberflo user in that account.

Getting Started

If you don't have an Amberflo account yet, please go ahead and create one using the standard sign-up process.

Now that you are logged in, go to the SSO configuration page. You'll see the list of email domains verified for your account and the Identity Providers (IdPs) you configured for each domain.

If you do not have any email domains verified, you will be asked to contact us.

Domain Verification

To get started, contact support to let us know a domain you wish to associate with your Amberflo account. Once we verify you own the domain, we'll add it to the list, and you'll be able to configure an IdP for that domain.

After you configure the IdP, anyone with an email address on the verified domain will be able to sign in to your Amberflo account via SSO.

Identity Provider Configuration

You can use any IdP that supports the SAML standard. The standard is supported by most of the popular user management services.

First you need to configure your IdP to recognize Amberflo. To do this, you'll need the SSO URL and the Audience values from Amberflo. You can find them by going to your SSO settings page and clicking Configure on one of your verified email domains. You can find instructions for specific services in the Appendix below.

Then, you'll need to register your IdP on Amberflo. Depending on what your IdP provides, we need either its Metadata URL or its Metadata XML; you must provide one or the other. You can also give your IdP a Name (for UI listing purposes only).

Now, your colleagues can sign in to your Amberflo account using their corporate identity.

FAQ

SSO vs Password sign-in

A user can only have one sign-in method, SSO or password-based.

If you are using SSO, then our recommendation is to have a single password-based user, the "root" user of the account, and have all other users sign in via SSO.

If a user is using password-based sign-in and needs to switch to SSO, then you need to remove them from the account first.

After a user signs in for the first time with SSO, their role will be set to Analyst, and you might need to change it manually. This is the case even if the user was password-based before.

IdP initiated sign-in

Our authentication service provider does not support an authentication flow that starts from the IdP’s app.

You must visit https://ui.amberflo.io and click Continue with SSO to log in to Amberflo through SSO. You will encounter an Invalid samlResponse or relayState from identity provider error when attempting to log in from the IdP's app.

A workaround is to create a "bookmark" in your IdP, and have users sign-in by clicking on it.

Common errors

Invalid samlResponse or relayState from identity provider

This usually happens when one attempts an IdP-initiated sign-in, which is not supported.
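To check what an IdP actually sends against the requirements described in How it Works, Identity Provider Configuration and Common errors above, here is an added example (not Amberflo's code) that inspects a captured SAML Response for the Audience, an emailAddress-format NameID, the emailaddress claim, a verified email domain, and the InResponseTo attribute that only an SP-initiated response carries. The sample response, the audience value and the verified domain are constructed; signature verification is out of scope for this configuration check.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"


def check_response(xml_text, expected_audience, verified_domains):
    """Return the list of mismatches; an empty list means the IdP sends what is expected."""
    root = ET.fromstring(xml_text)
    problems = []
    # An SP-initiated response echoes the AuthnRequest ID in InResponseTo;
    # an IdP-initiated one has no request to refer to, hence the relayState error.
    if not root.get("InResponseTo"):
        problems.append("no InResponseTo: IdP-initiated sign-in is not supported")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no Assertion element"]
    audiences = [a.text for a in assertion.findall(".//saml:Audience", NS)]
    if expected_audience not in audiences:
        problems.append(f"Audience {audiences} does not match {expected_audience}")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID Format is not emailAddress")
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in assertion.findall(".//saml:Attribute", NS)}
    email = (attrs.get(EMAIL_CLAIM) or [""])[0] or ""
    if not email:
        problems.append(f"missing attribute {EMAIL_CLAIM}")
    elif email.rsplit("@", 1)[-1].lower() not in verified_domains:
        problems.append(f"{email}: domain not verified for this account")
    return problems

# Constructed sample: an SP-initiated response that meets every requirement.
SAMPLE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" InResponseTo="_req1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Subject><saml:NameID Format="{EMAIL_FORMAT}">alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>urn:example:amberflo-audience</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement><saml:Attribute Name="{EMAIL_CLAIM}">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute></saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print(check_response(SAMPLE, "urn:example:amberflo-audience", {"example.com"}))
```

Paste the Response your IdP returns (e.g. from a browser SAML tracer) in place of SAMPLE, with the real Audience and verified domain, to see which of the settings above is off.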

Appendix: Identity Provider Setup

You'll find instructions for specific identity providers below. Can't find your provider? Feel free to contact us for help.

Okta

On your Okta admin console, navigate to Applications, click Create App Integration, select SAML 2.0, then click Next.

On the General Settings page, set the App name to "Amberflo" then click Next.

On the SAML Settings page, set the fields as follows:

| Field | Value |
| --- | --- |
| Single sign on URL | The SSO URL given when configuring a domain from the SSO config page |
| Audience URI (SP Entity ID) | The Audience given when configuring a domain from the SSO config page |
| Name ID format | EmailAddress |
| Application username | Email |

Leave the other fields with the default values.

Scroll down to Attribute Statements. Add a single entry:

| Name | Name Format | Value |
| --- | --- | --- |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress | Unspecified | user.email |

Scroll down and click Next.

Now select I'm an Okta customer adding an internal app and click Finish.

You'll see a box highlighted in yellow. It contains a link to the identity provider metadata. Copy this link and input it when registering the IdP in Amberflo.

That's it.

Troubleshooting Okta SSO

  • Receiving error Invalid samlResponse or relayState from identity provider
    • Our service provider does not support an authentication flow that starts from the IdP's app. You must visit https://ui.amberflo.io and click Continue with SSO to log in to Amberflo through SSO.

Auth0

On your Auth0 admin console, navigate to Applications, click Create Application, type in "Amberflo" in the Name field, select Single Page Web Applications, and then click Next.

Now go to the Addons tab and activate the SAML2 addon.

On the addon configuration modal, go to the Settings tab.

Add Amberflo's SSO URL in the Application Callback URL field, and update the Settings JSON to the following value, making sure to use the Amberflo provided Audience value.

{
  "audience": "<Amberflo's Audience>",
  "mappings": {
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
  },
  "nameIdentifierFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
  "nameIdentifierProbes": [
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
  ]
}

Scroll down and click Save.

Now go back to the Settings tab. You'll see an Identity Provider Metadata download link. Copy this link and input it when creating the identity provider in Amberflo.

That's it.

Google Workspace

On your Google Workspace admin console, navigate to Apps > Web and mobile apps.

Click Add App > Add custom SAML app.

On the App Details page, enter the name of the custom app. In our example, we named it amberflo. Click Continue.

On the Google Identity Provider details page, get the setup information needed by the service provider using the Download the IdP metadata option. You will use the downloaded XML as the Metadata XML value when registering your IdP in Amberflo. Click Continue.

In the Service Provider Details window, enter an ACS URL and Entity ID. Both values are provided by clicking the Configure button for the domain you are configuring at Settings > Account > Single Sign-on. Use the Single Sign-On URL for the ACS URL value and the Audience Restriction Value for the Entity ID.

In the Name ID Format dropdown, select EMAIL. In the Name ID dropdown, Select Basic Information > Primary Email. Click Continue.

Under Google Directory attributes, select Primary email in the Google Directory attributes dropdown.
Under App attributes input, enter http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
Click Finish.

Back on your Google Workspace admin console, navigate to Apps > Web and mobile apps.
Select your newly created SAML app. Click User access.

To turn on the service for everyone in your organization, click On for everyone and then click Save.

After finishing this setup process, you will need to log out of your Google Workspace account and clear your cache. If you do not, you may see a not_a_saml_app error. After logging out of your account, if you still encounter this error, you may need to wait a few minutes for Google to associate your workspace with Amberflo.

That's it.

Troubleshooting Google Workspace SSO

  • Receiving error Invalid samlResponse or relayState from identity provider
    • Our service provider does not support an authentication flow that starts from the IdP's app. You must visit https://ui.amberflo.io and click Continue with SSO to log in to Amberflo through SSO.
  • Receiving error app_not_configured_for_user
    • If you are signed into only one Google account, the UI to pick the account you want to use will not be displayed; Google will attempt to log you in with that account. If it is not the account configured for SAML with Amberflo, you will receive the above-mentioned error. Ensure that you are signed in with the Google account that is configured for SSO with Amberflo. You can try logging in from an Incognito/Private window to verify that this is the issue.