Set up SAML authentication

SAML single sign-on function is available when you subscribe to Nulab Pass. 

Read more about the summary of Nulab Pass.

SAML single sign-on

SAML SSO provides a simple and secure login for your entire organization, and users can seamlessly access multiple applications with a single set of credentials 

With the SAML authentication function in Nulab Pass, you can set up SAML single sign-on (SSO). This allows users to log in to Nulab cloud products with Managed Account by authenticating through your organization’s identity provider (IdP). 

SAML single sign-on does not automatically give access to all your Nulab cloud products. For Cacoo, administrators will still need to enable user access for this service. 

Any IdP that supports SAML 2.0 can be set up in SAML authentication. Security policies can be easily managed in your organization’s IdP. The IdPs listed below are supported by Nulab Pass. 

• Azure AD
• Google Cloud Identity
• Okta
• OneLogin (mobile app cannot be used when RelayState is set)
• Keycloak
• CloudGate UNO
  

Before the configuration

Before configuring SAML single sign-on, you will need to maintain at least a single Nulab Account that you can use to access your Nulab organization. This prevents losing access to your Nulab organization if the  SAML SSO is misconfigured.  

Please ensure that your Nulab Account:

• is an administrator (and plan admin) role with full access to your organization settings. 
• does not use the same email address as the Managed Account. Each registered email can only be used for one type of account: Managed Account or Nulab Account, not both

You can consider this Nulab Account an emergency account for administrators because it can be used for access when you cannot log in via SAML SSO. 

Aside from that, you can set up your Nulab Organization ID. It is a unique ID that users use for SAML single sign-on login for Nulab cloud products.

To learn more about setting up your Organization ID, please see Nulab Organization ID. 

Setting up the SAML authentication

You can set up your SAML authentication on the organization settings page. To access it, go to your Organization Settings > Organization tab > Authentication > Change.

Follow the steps below to get started. 

1. Retrieve solution provider (SP) details in the Nulab authentication settings page

Before configuring your IdP, you can get the SP Entity ID and SP endpoint URL (ACS) from the Nulab authentication page.

From the organization settings page, select Authentication > Change. A SAML authentication window will pop up, and you can retrieve the SP details.

2. Set up Nulab services to your IdP

Next, you will need to add Nulab services to your IdP to use SAML single sign-on. Please register the following information to map to your identity provider. 

• SP Entity ID
• SP Endpoint URL (ACS)
• Name ID (elements to identify the user)
  • NameID format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
  • Set this to match the Managed Account’s email address.
    (Nulab Pass uses this value — email address — sent as the NameID to link the IdP account to the Managed Account. If the NameID and the Managed Account’s email address does not match, login cannot be performed.)
• Certificate signing
  • The SAML response or (/and) assertion must be signed or required. Having both the SAML response and assertion signed will provide better security.

You can also set the RelayState in your IdP, which instructs the application where to redirect the users after authentication is completed. It also allows you to start an application (Backlog etc.) from the application list screen from the IdP. For Nulab cloud products, only one app can be configured per organization. For example, if you have set up Backlog, you cannot set it up for Cacoo or Typetalk. 

Below are the RelayState details for each product:

Products	URL
backlog.com	https://{Backlog Space ID}.backlog.com/NulabAccountAuthentication.action
backlogtool.com	https://{Backlog Space ID}.backlogtool.com/NulabAccountAuthentication.action"
Cacoo	https://cacoo.com/signin/nulab
Typetalk	https://typetalk.com/signin/redirect/nulab

3. Copy details from your IdP to configure Nulab SAML authentication

From the organization settings page, select Authentication > Change. A SAML authentication window will pop up, and you can copy the relevant details from your identity provider and enter them into the respective fields.

Field	Descriptions
IdP Entity ID	This value is a unique ID from your identity provider(IdP) where Nulab will accept authentication requests.
IdP Endpoint URL (Login URL)	This value is a URL from the identity provider your user will be redirected to when logging in with Nulab SAML SSO.
X.509 Certificate (Base64)	This value begins with “-----BEGIN CERTIFICATE-----" but it is not required to include this phrase. It is a public key to verify your IdP. After you have entered and applied the certificate details, the “Certificate Expiration” date will be reflected. When the certificate issued by your IdP is expired, you will not be able to log in with SAML SSO.

Once you have completed entering the details above, click the “Enable SAML Authentication” checkbox in the Status section and click Apply to save the settings.

Disable SAML authentication

You can easily remove or disable SAML authentication at any time. Before removing or disabling the settings, please note that: 

• Users with Managed Accounts cannot log in to their account or your organization. They will need a Nulab Account for normal login, and the administrator will need to remove the Managed Account and re-invite the user as a Nulab Account user. 
• Removing or disabling SAML authentication does not unsubscribe you from Nulab Pass. If you no longer wish to continue with Nulab Pass services, you can stop the subscription. 

To disable SAML authentication: 

1. From the Organization Settings page, go to Organization > Authentication > Change.
2. Uncheck the “Enable SAML Authentication” checkbox in the status section and click Apply to save the changes.