Configure SAML-based SSO for SaaS deployments

Instabase supports security assertion markup language (SAML)-based authentication to manage access to your Instabase deployment. Using SAML-based single sign-on (SSO) lets you leverage your existing SSO identity provider (IdP) to automatically create new user accounts on the Instabase platform upon initial login. You can also optionally map existing groups configured in your IdP to groups in your Instabase deployment.

Instabase uses service provider (SP)-initiated SSO authentication and supports IdPs that use SAML 2.0. Supported IdPs include:

  • Microsoft Entra ID

  • Active Directory Federation Services (AD FS)

  • Auth0

  • Okta

  • PingFederate

Customer requirements

Enabling SAML on an Instabase SaaS deployment involves working closely with your Instabase support team. While your Instabase support team performs configuration steps on the Instabase side, it’s your responsibility to review this documentation and ensure the following customer requirements are met:

  1. At least one user in the deployment is configured as a site admin.

  2. You’ve created an app registration in your IdP according to the IdP configuration requirements. As part of this requirement, ensure that:

    • You can provide Instabase with the SP entity ID, SP name, and ACS URL values used in your app registration.

    • All user accounts in the deployment have credentials that match the uid and email attributes defined in the app registration.

  3. You’ve connected with Instabase support to discuss and apply the required SAML patches.

  4. (Optional) You’ve configured external group mappings.

Note

Be aware that applying SAML configuration requires downtime while the API and web interfaces restart. Work with your support team to establish when this required downtime is acceptable.

IdP configuration requirements

Info

This article uses the term app registration to refer to registering Instabase as a service provider in your IdP. The same concept is known as a relying party trust (AD FS), an application (Auth0), an enterprise application (Entra ID), an app integration (Okta), and an SP connection (PingFederate).

The SSO integration flow begins with you registering Instabase as a service provider in your IdP. The app registration must include specific information and attributes (also called claims), outlined below. After completing the app registration, you can provide the IdP metadata XML to Instabase as either an XML file or an endpoint directing to the XML metadata. Your Instabase representative then completes the SSO setup on the Instabase side.

Note

If configuring SSO for multiple Instabase deployments, you must create one app registration per Instabase deployment, each with a unique entity ID.

App registration requirements

This table outlines the required values from your app registration that you must provide to your Instabase representative. The table outlines the suggested value for each field, and the name of the corresponding field in select IdPs. The accuracy of the Corresponding IdP field column is not guaranteed as Instabase doesn’t closely monitor changes to external products’ UI.

Field Description Value Corresponding IdP field
SP entity ID A unique identifier, also called the entity ID. The suggested value is your Instabase deployment URL. For example https://dev.instabase.com.
Note
If using Auth0 as your IdP, the SP entity ID value in Instabase corresponds to the audience attribute in the SAML assertion. By default the audience value is the same as the Auth0 issuer. You must edit the audience value to match your Instabase deployment URL (or whatever value you’re using as the SP entity ID). See the Auth0 customize SAML assertions documentation for additional information.
The SP entity ID value is set in the following IdP fields:

- AD FS: Relying Party Trust Identifier
- Auth0: The audience attribute within the SAML assertion
- Entra ID: Identifier (Entity ID)
- Okta: Audience URI (SP Entity ID)/Audience Restriction
- PingFederate: Partner’s Entity ID (Connection ID)
SP name A label associated with the service provider, also called the entity label or SAML SP name. The suggested value is InstabaseSP, though any alphanumeric value is supported. The SP name value is set in the following IdP fields:

- AD FS: Display name
- Auth0: Name (Application name)
- Entra ID: Application name
- Okta: Application label
- PingFederate: Connection name
Assertion consumer service (ACS) URL The URL where the IdP redirects after the user successfully authenticates. The required value is https://{Your Instabase deployment URL}/account/sso/saml2.
For example, https://dev.instabase.com/account/sso/saml2.		 The ACS URL value is set in the following IdP fields:

- AD FS: Relying Party SAML 2.0 SSO service URL
- Auth0: Application Callback URL
- Entra ID: Reply URL (Assertion Consumer Service URL)
- Okta: Single Sign On URL
- PingFederate: Assertion Consumer Service URL

Attribute requirements

Your app registration must include the following attributes (also called claims), with the attribute’s name exactly matching the name written in the table below. For example, the attribute email cannot be substituted with a similar attribute, such as emailAddress.

Note

When configuring claims in Entra ID, do not define a Namespace value for the claim.

Attribute name Description Sample valid values Notes
email (Required) A unique email address that maps to the user’s corporate email address.
Note
The email and uid combination must be unique among all users.
jane.doe@corporation.com, john_doe@corporation.ca If a user’s email address changes, their Instabase account from the previous account must be manually migrated to the new address.
uid (Required) A unique user ID (UID) that maps to the user’s corporate username. The uid value becomes the user’s Instabase username.
Note
The email and uid combination must be unique among all users.
jane.doe, john_doe UIDs are case-sensitive and can only include alphanumeric values, periods, hyphens, and underscores. @ and # symbols are not supported.
groups (Optional) A group ID defined in the IdP.
IdP-defined group IDs can be mapped to Instabase groups. See the external group mappings documentation for additional information.		 The group ID as defined in the IdP. Each Instabase group can map to at most one IdP-defined group. However, the inverse is not true: the same IdP-defined group can be mapped to multiple Instabase groups.

If a user is removed from a given group on the IdP end, upon next Instabase login that change of status is synced and the user is removed from the corresponding Instabase group.

IdP metadata XML requirements

Instabase supports two methods of referencing the IdP metadata XML:

  • Local: Referencing a static metadata.xml file that is stored as a Kubernetes secret in the deployment.

  • Remote: Referencing a metadata-server endpoint where the XML file is hosted on the SAML provider metadata server.

After configuring your app registration and required claims, connect with your Instabase representative to provide your IdP metadata XML file or metadata-server endpoint. This table outlines where you can find the local or remote access value in select IdPs. The accuracy of this table is not guaranteed, as Instabase doesn’t closely monitor changes to external products’ UI.

Identity provider Local access value Remote access value
AD FS Download the federation metadata as an XML file from the federation metadata URL. This is typically found at AD FS > Service > Endpoints > Metadata URL path. For example: {Your host name}/FederationMetadata/2007-06/FederationMetadata.xml.
Auth0 Download the Identity Provider metadata file. (Available on the application details page under Addons > SAML 2 Web App > Usage.) Share the SAML metadata URL link. (Available on the application details page under Advanced Settings > Endpoints.)
Entra ID Download the Federation metadata XML file. (Available on the application’s Single sign-on page.) Share the App Federation Metadata Url link. (Available on the application’s Single sign-on page.)
Okta Download the Identity Provider metadata file. (Available on the application details page under Sign on > Settings.) Share the Identity Provider metadata link. (Available on the application details page under Sign on > Settings.)
PingFederate Download the metadata as an Identity Provider from the Metadata Export tab.

Reference: Service provider configuration details

In SaaS deployments, the service provider (Instabase backend) configuration is performed by Instabase. For reference and possible configuration troubleshooting, this section provides sample configurations and related backend information.

Service provider configuration parameters

The following configuration parameters are set when configuring SSO in the Instabase backend:

Parameter Description Value
AUTH_TYPE Defines the authentication type. saml
SAML_SP_ENTITY_ID The entity ID value set in the IdP. An exact match between this value and the entity ID set in the IdP is required.

Corresponds to the SP entity ID value.		 Typically {Your Instabase URL}. For example, https://dev.instabase.com.
SAML_SP_NAME The label associated with the Instabase entity in the IdP.

Corresponds to the SP name value.		 Typically InstabaseSP.
SAML_REQUIRED_ATTRIBUTES The required attributes (claims) provided to Instabase by the IdP.

Corresponds to the required attributes.		 Typically email, uid.
SAML_OPTIONAL_ATTRIBUTES The optional attributes (claims) provided to Instabase by the IdP.

Corresponds to the optional attributes.		 Typically groups, if group mapping is used.
SAML_HTTP_ACS_URL The https access consumer service (ACS) URL where the IdP redirects after the user successfully authenticates.

Corresponds to the Assertion consumer service (ACS) URL value.		 Typically https://{Your Instabase URL}/account/sso/saml2.
SAML_HTTPS_ACS_URL The http access consumer service (ACS) URL where the IdP redirects after the user successfully authenticates.

Corresponds to the Assertion consumer service (ACS) URL value, but with an http:// scheme.		 Typically http://{Your Instabase URL}/account/sso/saml2.
AUTH_PROVIDER Defines how the IdP metadata XML is provided.

Determined by the chosen IdP metadata XML setup.		 - local: IdP metadata XML is referenced locally.
- remote: IdP metadata XML is referenced remotely, on the IdP metadata server.
AUTH_PROVIDER_URI The location of the IdP metadata XML.

Determined by the chosen IdP metadata XML setup.		 If auth-provider is local: The local file path to the metadata.xml file mounted to webapp in the Instabase deployment.
If auth-provider is remote: The endpoint URL where the IdP metadata XML is hosted on the IdP metadata server.

In addition to the parameters that must be manually defined according to the IdP-provided values, the following parameters are also set. These parameters are typically used with their default value. Refer to the default values to understand if an SP default value is conflicting with an IdP-defined value.

Parameter Description Instabase default value
SAML_ALLOW_UNSOLICITED For SP instances, if set to true, the SP will consume unsolicited SAML responses for which it has not sent a respective SAML Authentication Request. True
SAML_AUTHN_REQUESTS_SIGNED For SP instances, indicates if the Authentication Requests sent by this SP should be signed by default. False
SAML_LOGOUT_REQUESTS_SIGNED Indicates if this entity will sign the Logout Requests originated from it. True
SAML_WANT_ASSERTIONS_SIGNED Indicates that the assertions contained within the response that is sent to this SP must be signed. True
SAML_WANT_RESPONSE_SIGNED Indicates that the Authentication Response to this SP must be signed. False

Sample service provider configurations

The following are sample configurations for how a SAML-based SSO configuration is defined in the Instabase backend. The configurations are in the form of patches that are applied using the Instabase Deployment Manager.

Two patches are applied: one that targets deployment-webapp and defines the SAML configuration parameters, and one that targets deployment-api-server to set the AUTH_TYPE as saml. Click to expand the sample patches.

In this patch configuration example, the IdP metadata XML is referenced remotely:

apiVersion: apps/v1
kind: Deployment
spec:
 template:
   spec:
     containers:
       - name: webapp
         env:
           - name: AUTH_PROVIDER
             value: "remote"
           - name: AUTH_PROVIDER_URI
             value: "https://saml.ib.com/app/sso/saml/metadata"
           - name: AUTH_TYPE
             value: "saml"
           - name: SAML_REQUIRED_ATTRIBUTES
             value: "email, uid"
           - name: SAML_OPTIONAL_ATTRIBUTES
             value: "groups"
           - name: SAML_GROUPS_DELIMITER
             value: ""
           - name: SAML_SP_ENTITY_ID
             value: "http://instabase-dev.ib.com/"
           - name: SAML_SP_NAME
             value: "InstabaseSP"
           - name: SAML_HTTP_ACS_URL
             value: "https://instabase-dev.ib.com/account/sso/saml2"
           - name: SAML_HTTPS_ACS_URL
             value: "http://instabase-dev.ib.com/account/sso/saml2"
           - name: SAML_ALLOW_UNSOLICITED
             value: "True"
           - name: SAML_AUTHN_REQUESTS_SIGNED
             value: "False"
           - name: SAML_LOGOUT_REQUESTS_SIGNED
             value: "True"
           - name: SAML_WANT_ASSERTIONS_SIGNED
             value: "True"
           - name: SAML_WANT_RESPONSE_SIGNED
             value: "False"

In this patch example, the IdP metadata XML is referenced locally, and the XML file is mounted as a Kubernetes secret.

apiVersion: apps/v1
kind: Deployment
spec:
 template:
   spec:
     containers:
       - name: webapp
         env:
           - name: AUTH_PROVIDER
             value: "local"
           - name: AUTH_PROVIDER_URI
             value: ""
           - name: AUTH_TYPE
             value: "saml"
           - name: SAML_REQUIRED_ATTRIBUTES
             value: "email, uid"
           - name: SAML_OPTIONAL_ATTRIBUTES
             value: "groups"
           - name: SAML_GROUPS_DELIMITER
             value: ""
           - name: SAML_SP_ENTITY_ID
             value: "http://instabase-dev.ib.com/"
           - name: SAML_SP_NAME
             value: "InstabaseSP"
           - name: SAML_HTTP_ACS_URL
             value: "https://instabase-dev.ib.com/account/sso/saml2"
           - name: SAML_HTTPS_ACS_URL
             value: "http://instabase-dev.ib.com/account/sso/saml2"
           - name: SAML_ALLOW_UNSOLICITED
             value: "True"
           - name: SAML_AUTHN_REQUESTS_SIGNED
             value: "False"
           - name: SAML_LOGOUT_REQUESTS_SIGNED
             value: "True"
           - name: SAML_WANT_ASSERTIONS_SIGNED
             value: "True"
           - name: SAML_WANT_RESPONSE_SIGNED
             value: "False"
         volumeMounts:
           - name: saml-metadata
             mountPath: /etc/secrets/saml
             readOnly: true
     volumes:
       - name: saml-metadata
         secret:
           secretName: saml-metadata

This patch sets the AUTH_TYPE as saml in deployment-api-server.

apiVersion: apps/v1
kind: Deployment
spec:
 template:
   spec:
     containers:
       - name: api-server
         env:
           - name: AUTH_TYPE
             value: "saml"