SAML authentication allows members of your organization to access all their Nulab products using single sign-on (SSO).
In this guide, we’ll show you how to:
- Prepare for SAML authentication
- Set up SAML authentication
- Disable SAML authentication
Prepare for SAML authentication
With SAML authentication, members sign in with their Managed Account, which is authenticated through your organization’s identity provider (IdP).
You’ll need your Nulab organization ID and any IdP that supports SAML 2.0, including:
- Azure AD
- Google Cloud Identity
- Okta
- OneLogin (can’t use mobile app when RelayState is set)
- Keycloak
- CloudGate UNO
You should also maintain at least one non-Managed Account (Nulab Account) to prevent losing access to your Nulab products if there are issues with your SAML authentication. This account should be held by an admin or plan admin and can’t be the same email used for a Managed Account.
Set up SAML authentication
Members with existing non-Managed Accounts won’t be able to access Nulab products until their Managed Account is created. Therefore, we suggest setting up SAML authentication outside of working hours.
Add Nulab to your IdP
You’ll need the following information to add Nulab to your IdP:
- Entity ID
  - Found in Organization settings > Single sign-on > Manage
- Endpoint URL (ACS)
  - Found in Organization settings > Single sign-on > Manage
- Name ID
  - Format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
  - Email must match the Managed Account to avoid login issues
- Signed certificate
  - The SAML response and/or assertion must be signed. Signing both provides better security.
- Bindings
  - SAML request: HTTP-Redirect binding
  - SAML response: HTTP-POST binding
- RelayState
  - Lets you start a product (e.g., Backlog) from the application list in the IdP
  - Tells the product where to redirect users once authentication is complete
  - Only one product per organization can be configured
Product | URL |
backlog.com | https://{Backlog Space ID}.backlog.com/NulabAccountAuthentication.action |
backlogtool.com | https://{Backlog Space ID}.backlogtool.com/NulabAccountAuthentication.action |
Cacoo | https://cacoo.com/signin/nulab |
Nulab Pass doesn’t support single logout (SLO) or session duration even if configured in your IdP.
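Before rolling SSO out to members, you can confirm that your IdP sends what the list above requires by capturing one SAMLResponse form value from a test login and checking it. The script below is an added example, not Nulab's code: the function names `preflight` and `sample` are hypothetical, the sample response is constructed, and the check only looks for the presence of signatures (it does not verify them against your certificate).

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

def preflight(saml_response_b64, managed_email):
    """Structural check of a captured SAMLResponse; returns (problems, warnings)."""
    xml = base64.b64decode(saml_response_b64)
    if b"<!DOCTYPE" in xml or b"<!ENTITY" in xml:
        return ["DTD present, refusing to parse"], []
    root = ET.fromstring(xml)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["root element is not samlp:Response"], []
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no plaintext saml:Assertion in the response"], []
    problems, warnings = [], []
    # Presence only, no cryptographic verification; a ds:Signature counts
    # only when it is a direct child of the element it signs.
    signed = [name for name, el in (("Response", root), ("Assertion", assertion))
              if el.find("ds:Signature", NS) is not None]
    if not signed:
        problems.append("neither Response nor Assertion carries a signature")
    elif len(signed) == 1:
        warnings.append("only the %s is signed; signing both is stronger" % signed[0])
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        problems.append("Subject has no NameID")
    else:
        if name_id.get("Format") != EMAIL_FORMAT:
            problems.append("NameID Format is %r" % name_id.get("Format"))
        if (name_id.text or "").strip() != managed_email:
            problems.append("NameID %r does not match the Managed Account email" % name_id.text)
    return problems, warnings

def sample(name_id_format, email, sign_assertion):
    """Constructed test response; the Signature element is an empty stand-in."""
    sig = '<ds:Signature xmlns:ds="%s"/>' % NS["ds"] if sign_assertion else ""
    xml = ('<samlp:Response xmlns:samlp="%s" xmlns:saml="%s"><saml:Assertion>%s'
           '<saml:Subject><saml:NameID Format="%s">%s</saml:NameID></saml:Subject>'
           '</saml:Assertion></samlp:Response>'
           % (NS["samlp"], NS["saml"], sig, name_id_format, email))
    return base64.b64encode(xml.encode()).decode()

if __name__ == "__main__":
    resp = sample("urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified", "User@example.com", False)
    print(preflight(resp, "user@example.com"))
```

The email comparison is exact on purpose, so a difference in letter case between the IdP attribute and the Managed Account is reported rather than silently accepted.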
Add IdP details to Nulab settings
To access SAML authentication in Nulab:
- Go to your organization settings.
- Select “Single sign-on” from the menu on the left.
- Select “Manage.”
In the dialog:
- Select “Enable” at the top of the dialog.
- Enter the information from your IdP.
IdP entity ID | Unique ID from your IdP where Nulab will accept authentication requests. |
IdP login URL | URL from the IdP where users are redirected when logging in with SSO. |
Certificate (Base64) | Public key to verify your IdP. After the expiration date, you won’t be able to log in with SSO. Don’t include “-----BEGIN CERTIFICATE-----” in this field. |
- Select “Save.”
Disable SAML authentication
Disabling SAML authentication means members with Managed Accounts won’t be able to log in. To give them access, remove their Managed Account and re-invite them as a non-Managed Account member.
Disabling SAML authentication won’t cancel your Nulab Pass plan, and you can re-enable it any time without having to re-enter the information.
To disable SAML authentication:
- Go to your organization settings.
- Select “Single sign-on” from the menu on the left.
- Select “Manage.”
- Deselect “Enable” in the dialog.
- Select “Save.”