Set up SAML authentication

The SAML single sign-on function is available when you subscribe to Nulab Pass.

Read more about the summary of Nulab Pass

SAML single sign-on

SAML SSO provides a simple and secure login for your entire organization: users can seamlessly access multiple applications with a single set of credentials.

With the SAML authentication function in Nulab Pass, you can set up SAML single sign-on (SSO). This allows your users to log in to Nulab cloud products with a Managed Account by authenticating through your organization’s identity provider (IdP).

SAML single sign-on does not automatically give access to all your Nulab cloud products. For Cacoo, administrators will still need to enable user access for this service. 

Any IdP that supports SAML 2.0 can be set up in SAML authentication. Security policies can be easily managed in your organization’s IdP. The IdPs listed below are supported by Nulab Pass. 

  • Azure AD
  • Google Cloud Identity
  • Okta
  • OneLogin (mobile app cannot be used when RelayState is set)
  • Keycloak
  • CloudGate UNO

Before the configuration

Before configuring SAML single sign-on, you will need to maintain at least one Nulab Account that you can use to access your Nulab organization. This prevents you from losing access to your Nulab organization if SAML SSO is misconfigured.

Please ensure that your Nulab Account:

  • has the administrator (and plan admin) role, with full access to your organization settings.
  • does not use the same email address as the Managed Account. Each registered email address can only be used for one type of account: Managed Account or Nulab Account, not both.

You can consider this Nulab Account an emergency account for administrators, because it can be used for access when you are unable to log in via SAML SSO.

Aside from that, you can set up your Nulab Organization ID. It is a unique ID that users use for SAML single sign-on login for Nulab cloud products.

To learn more about setting up your Organization ID, please see Nulab Organization ID.

Setting up the SAML authentication

You can set up your SAML authentication in the organization settings page. To access it, go to your Organization Settings > Organization tab > Authentication > Change.

Did you know?

While you are configuring SAML authentication, existing Nulab Account users are not able to log in to your Nulab cloud products until their Managed Account is created. It is advisable to plan the schedule and announce it to your users to avoid disrupting their work.

Follow the steps below to get started. 

1. Retrieve service provider (SP) details in the Nulab authentication settings page

Before configuring your IdP, you can get the SP Entity ID and SP endpoint URL (ACS) from the Nulab authentication page.

From the organization settings page, select Authentication > Change. A SAML authentication window will pop up and you can retrieve the SP details there.

2. Set up Nulab services in your IdP

Next, you will need to add Nulab services to your IdP for use with SAML single sign-on. Please register the following information in your identity provider.

  • SP Entity ID
  • SP Endpoint URL (ACS)
  • Name ID (elements to identify the user)
    • NameID format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
    • Set this to match the Managed Account’s email address.
      (Nulab Pass uses this value, the email address sent as the NameID, to link the IdP account to the Managed Account. If the NameID and the Managed Account’s email address do not match, login cannot be performed.)
  • Certificate signing
    • Signing is required: the SAML response, the assertion, or both must be signed. Having both the SAML response and the assertion signed provides better security.

Did you know?

  • Nulab Pass does not support the Single Logout (SLO) function or the session duration configured in your IdP.
  • Nulab Pass uses the following bindings for SAML request and SAML response:
    - SAML Request: HTTP-Redirect binding
    - SAML Response: HTTP-POST binding

You can also set the RelayState in your IdP, which tells the application where to redirect users after authentication is completed. It also lets you start an application (Backlog, etc.) from the IdP’s application list screen. For Nulab cloud products, only one app can be configured per organization. For example, if you have set up Backlog, you cannot set up Cacoo or Typetalk.

Below are the RelayState details for each product:

| Product | URL |
| --- | --- |
| backlog.com | https://{Backlog Space ID}.backlog.com/NulabAccountAuthentication.action |
| backlogtool.com | https://{Backlog Space ID}.backlogtool.com/NulabAccountAuthentication.action |
| Cacoo | https://cacoo.com/signin/nulab |
| Typetalk | https://typetalk.com/signin/redirect/nulab |


3. Copy details from your IdP to configure Nulab SAML authentication

From the organization settings page, select Authentication > Change. A SAML authentication window will pop up. Copy the relevant details from your identity provider and enter them into the respective fields.

| Field | Description |
| --- | --- |
| IdP Entity ID | The unique ID of your identity provider (IdP), from which Nulab will accept authentication requests. |
| IdP Endpoint URL (Login URL) | The URL at the identity provider to which your users are redirected when logging in with Nulab SAML SSO. |
| X.509 Certificate (Base64) | This value begins with “-----BEGIN CERTIFICATE-----”, but it is not required to include this phrase. It is a public key used to verify your IdP. After you have entered and applied the certificate details, the “Certificate Expiration” date will be shown. When the certificate issued by your IdP expires, you will not be able to log in with SAML SSO. |

Once you have completed entering the details above, click the “Enable SAML Authentication” checkbox at the Status section and click Apply to save the settings.

Disable SAML authentication

You can easily remove or disable SAML authentication at any time. Before removing or disabling the settings, please note that: 

  • Users with a Managed Account will be unable to log in to their account or your organization. They will need a Nulab Account for normal login, and the administrator will need to remove the Managed Account and re-invite the user as a Nulab Account user.
  • Removing or disabling SAML authentication does not unsubscribe you from Nulab Pass. If you no longer wish to continue with Nulab Pass services, you can stop the subscription.

To disable SAML authentication: 

  1. From the Organization Settings page, go to Organization > Authentication > Change.
  2. Uncheck the “Enable SAML Authentication” checkbox at the status section and click Apply to save the changes.

Did you know?

Your SAML authentication settings are retained and you can re-enable the SAML authentication at any time without needing to input the required details again. 