SAML single sign-on function is available when you subscribe to Nulab Pass.
Read more about the summary of Nulab Pass.
SAML single sign-on
SAML SSO provides a simple and secure login for your entire organization and users can seamlessly access multiple applications with a single set of credentials
With the SAML authentication function in Nulab Pass, you can set up SAML single sign-on (SSO). This allows your users to log in to Nulab cloud products with Managed Account by authenticating through your organization’s identity provider (IdP).
SAML single sign-on does not automatically give access to all your Nulab cloud products. For Cacoo, administrators will still need to enable user access for this service.
Besides Azure AD and Google Cloud Identity, any IdP that supports SAML 2.0 can be set up in SAML authentication. Security policies can be easily managed in your organization’s IdP.
Before the configuration
Before configuring SAML single sign-on,you will need to at least maintain a single Nulab Account that you can use to access your Nulab organization. This is to prevent losing access to your Nulab organization if the SAML SSO is misconfigured.
Please ensure that your Nulab Account:
- is an administrator (and plan admin) role that has full access to your organization settings.
- does not use the same email address with the Managed Account. Each registered email can only be used for one type of account: Managed Account or Nulab Account, not both
You can consider this Nulab Account as an emergency account for administrators because it can be used for access when you are unable to login via SAML SSO.
Aside from that, you can set up your Nulab Organization ID. It is a unique ID that users use for SAML single sign-on login for Nulab cloud products.
To learn more about setting up your Organization ID, please see Nulab Organization ID.
Setting up the SAML authentication
You can set up your SAML authentication in the organization settings page. To access it, go to your Organization Settings > Organization tab > Authentication > Change.
Note: For existing users, note that while you are configuring SAML authentication, current Nulab Account users are not able to log in to your Nulab cloud products until the Managed Account is created. It is advisable to arrange or announce your schedule to your users to avoid any disruption of their work.
Follow the steps below to get started.
1. Retrieve solution provider (SP) details in the Nulab authentication settings page
Before configuring your IdP, you can get the SP Entity ID and SP endpoint URL (ACS) from the Nulab authentication page.
From the organization settings page, select Authentication > Change. A SAML authentication window will pop up and you can retrieve the SP details there.
2. Set up Nulab services to your IdP
Next, you will need to add Nulab services to your IdP for the use of SAML single sign-on. Please register the following information to map to your identity provider.
- SP Entity ID
- SP Endpoint URL (ACS)
- Name ID (elements to identify the user)
- NameID format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
- The value should be set to match the Managed Account email address value. - Certificate signing
- The SAML response or (/and) assertion must be signed or required. Having both SAML response and assertion signed will provide better security.
Note:
- Nulab pass does not support Single Logout (SLO) function or session duration configured in your IdP.
- Nulab Pass uses the following bindings for SAML request and SAML response:
- SAML Request: HTTP-Redirect binding
- SAML Response: HTTP-POST binding
You can also set the RelayState in your IdP where it instructs the application where to redirect the users after authentication is completed. It also allows you to start an application (Backlog etc.) from the application list screen from the IdP. For Nulab cloud products, only one app can be configured per organization. For example, if you have set up Backlog, you are unable to set up for Cacoo or Typetalk.
Below are the RelayState details for each product:
|
Products |
URL |
|
backlog.com |
https://{Backlog Space ID}.backlog.com/NulabAccountAuthentication.action |
|
backlogtool.com |
https://{Backlog Space ID}.backlogtool.com/NulabAccountAuthentication.action" |
|
Cacoo |
https://cacoo.com/signin/nulab |
|
Typetalk |
https://typetalk.com/signin/redirect/nulab |
3. Copy details from your IdP to configure Nulab SAML authentication
From the organization settings page, select Authentication > Change. A SAML authentication window will pop up and you can copy the relevant details from your identity provider and enter into the respective fields.
|
Field |
Descriptions |
|
IdP Entity ID |
This value is a unique ID from your identity provider(IdP) where Nulab will accept authentication requests. |
|
IdP Endpoint URL (Login URL) |
This value is a URL from the identity provider where your user will be redirected to when logging in with Nulab SAML SSO. |
|
X.509 Certificate (Base64) |
This value begins with “-----BEGIN CERTIFICATE-----" but it is not required to include this phrase. |
Once you have completed entering the details above, click the “Enable SAML Authentication” checkbox at the Status section and click Apply to save the settings.
Disable SAML authentication
You can easily remove or disable SAML authentication at any time. Before removing or disabling the settings, please note that:
- Users with Managed Account are unable to login to their account or your organization. They will need a Nulab Account for normal login and the administrator will need to remove the Managed Account and re-invite the user as a Nulab Account user.
- Removing or disabling SAML authentication does not unsubscribe you from Nulab Pass. If you no longer wish to continue with Nulab Pass services, you can stop the subscription.
To disable SAML authentication:
- From the Organization Settings page, go to Organization > Authentication > Change.
- Uncheck the “Enable SAML Authentication” checkbox at the status section and click Apply to save the changes.
Note: This will retain your SAML authentication settings and you can re-enable the SAML authentication at any time without needing to input the required details again.