# SAML authentication

Zulip supports using SAML authentication for single sign-on, both when
self-hosting and on the Zulip Cloud Plus plan.

This page documents how to set up SAML authentication for Zulip with
various common SAML identity providers.

## Configure SAML with Okta

1. Make sure you have created your organization. We'll assume its URL is
   `https://<subdomain>.zulipchat.com` in the instructions below.

1. Set up SAML authentication by following
   [Okta's documentation](https://developer.okta.com/docs/guides/saml-application-setup/overview/).
   Specify:
   * `https://<subdomain>.zulipchat.com/complete/saml/` for the "Single sign on URL".
   * `https://zulip.com` for the "Audience URI (SP Entity ID)". This is the
     service provider's entity ID, not your organization's URL.
   * Skip "Default RelayState".
   * Skip "Name ID format".
   * Set `Email` for "Application username format".
   * Provide "Attribute statements" of `email` to `user.email`,
     `first_name` to `user.firstName`, and `last_name` to `user.lastName`.

1. Assign the appropriate accounts in the "Assignments" tab. These are the users
   that will be able to log in to your Zulip organization.

1. Send the following information to us at support@zulip.com:
   * The URL of your zulipchat-hosted organization.
   * The "Identity Provider metadata" provided by Okta for the application.
   * The name "X" that will be displayed on the "Log in with X" button in Zulip.
   * Optionally you can also send us an icon that should be shown on the button.

1. We will take care of the server-side setup and let you know as soon as it's ready.

## Configure SAML with OneLogin

1. Make sure you have created your organization. We'll assume its URL is
   `https://<subdomain>.zulipchat.com` in the instructions below.

1. Navigate to the OneLogin Applications page, and click "Add App".

1. Search for the "SAML Test Connector (IdP w/ attr w/ sign response)" app and select it.

1. Set a name and logo according to your preferences and click "Save". This doesn't affect anything in Zulip,
   but will be shown on your OneLogin Applications page.

1. Go to the "Configuration" section:
   * Leave the `RelayState` field empty.
   * Set `https://zulip.com` as the Audience (the service provider's entity ID,
     not your organization's URL).
   * Set `https://<subdomain>.zulipchat.com/complete/saml/` as the Recipient, ACS URL
     and ACS URL Validator.

1. Go to the "Parameters" section. Ignore the pre-configured parameters that are already there
   and add custom ones to match the following screenshot:

   ![OneLogin parameters](/static/images/help/onelogin_parameters.png)

   Make sure to set the "Include in SAML assertion" flag on them; a parameter
   without that flag is never sent to Zulip.

1. The OneLogin side of the configuration should be ready!
   Send the following information to us at support@zulip.com:
   * The URL of your zulipchat-hosted organization.
   * The issuer URL from the "SSO" section. It contains Identity Provider metadata that we will need.
   * The name "X" that will be displayed on the "Log in with X" button in Zulip.
   * Optionally you can also send us an icon that should be shown on the button.

1. We will take care of the server-side setup and let you know as soon as it's ready.

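The values entered in Okta and OneLogin above (the Audience, the ACS/Recipient URL, and the `email`, `first_name` and `last_name` attribute statements) are the fields a SAML service provider validates in every assertion the IdP sends, so a mismatch surfaces as a failed login rather than a setup error. The script below is an added illustration, not code from Zulip or from either IdP; it parses a SAML response and reports which of those fields disagree with the configuration on this page. It assumes the subdomain `example`, uses a constructed, unsigned sample response, and assumes that XML signature verification has already been done by the SP library, since none of these fields can be trusted before that.

```python
"""Check a SAML assertion against the values entered in Okta or OneLogin above.
Added example, not Zulip's code; subdomain "example" and a verified signature are assumed."""

import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

EXPECTED_AUDIENCE = "https://zulip.com"                       # SP entity ID from this page
EXPECTED_ACS = "https://example.zulipchat.com/complete/saml/"  # assumed subdomain "example"
REQUIRED_ATTRS = ("email", "first_name", "last_name")         # attribute statements from this page

def parse_saml_time(value):
    """SAML timestamps are UTC ISO 8601 ending in 'Z'; fractional seconds are optional."""
    value = value.rstrip("Z")
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in value else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)

def extract_attributes(assertion):
    """Map attribute Name -> list of values across all AttributeStatements."""
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return attrs

def check_assertion(xml_text, now, expected_audience=EXPECTED_AUDIENCE,
                    expected_acs=EXPECTED_ACS, required_attrs=REQUIRED_ATTRS):
    """Return a list of problems (empty means the assertion matches the configuration).
    Logical checks only: the XML signature must have been verified before calling this."""
    root = ET.fromstring(xml_text)
    assertion = root if root.tag == f"{{{NS['saml']}}}Assertion" else root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no <saml:Assertion> element found"]
    problems = []

    # Audience must be the SP entity ID (Okta "Audience URI", OneLogin "Audience"):
    # https://zulip.com for Zulip Cloud, not the organization's own URL.
    audiences = [a.text.strip() for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if expected_audience not in audiences:
        problems.append(f"Audience {audiences} does not include {expected_audience!r}")

    # Validity window on the Conditions element.
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        not_before, not_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_before and now < parse_saml_time(not_before):
            problems.append("assertion not yet valid (Conditions NotBefore)")
        if not_after and now >= parse_saml_time(not_after):
            problems.append("assertion expired (Conditions NotOnOrAfter)")

    # Recipient must be the ACS URL (Okta "Single sign on URL", OneLogin Recipient/ACS URL).
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        problems.append("missing SubjectConfirmationData")
    else:
        if scd.get("Recipient") != expected_acs:
            problems.append(f"Recipient {scd.get('Recipient')!r} != {expected_acs!r}")
        not_after = scd.get("NotOnOrAfter")
        if not_after and now >= parse_saml_time(not_after):
            problems.append("bearer confirmation expired (SubjectConfirmationData NotOnOrAfter)")

    # Attribute statements Zulip needs to identify the user.
    attrs = extract_attributes(assertion)
    for name in required_attrs:
        if not attrs.get(name) or not attrs[name][0].strip():
            problems.append(f"missing or empty attribute {name!r}")
    return problems

# Constructed sample response (unsigned, so usable only for this logical check).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" IssueInstant="2021-08-20T17:52:01Z">
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2021-08-20T17:52:01Z">
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  <saml:Subject>
   <saml:NameID>alice@example.com</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData NotOnOrAfter="2021-08-20T17:57:01Z" Recipient="https://example.zulipchat.com/complete/saml/"/>
   </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2021-08-20T17:47:01Z" NotOnOrAfter="2021-08-20T17:57:01Z">
   <saml:AudienceRestriction><saml:Audience>https://zulip.com</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
   <saml:Attribute Name="email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="first_name"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="last_name"><saml:AttributeValue>Liddell</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""

# A common mistake: the organization URL entered as the Audience instead of https://zulip.com.
WRONG_AUDIENCE_RESPONSE = SAMPLE_RESPONSE.replace(
    "<saml:Audience>https://zulip.com</saml:Audience>",
    "<saml:Audience>https://example.zulipchat.com</saml:Audience>")

NOW = datetime(2021, 8, 20, 17, 53, 0, tzinfo=timezone.utc)  # fixed clock for the sample
```

`check_assertion(SAMPLE_RESPONSE, NOW)` returns an empty list; with `WRONG_AUDIENCE_RESPONSE` it names the Audience mismatch, and passing a clock an hour later reports both expiry conditions, which is how a replayed assertion is rejected even when every other field is correct.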
## Related articles

* [SAML configuration][saml-readthedocs] for self-hosting.

[saml-readthedocs]: https://zulip.readthedocs.io/en/stable/production/authentication-methods.html#saml