SAML
Team plan subscribers can opt to enable SAML for their workspace.
Overview
Opine currently supports Okta, Google Workspace, and Microsoft Azure AD. Additionally, we provide a generic auth provider for SAML2-based authentication with your Identity Provider (IdP).
Note that once SAML is enabled, all members of your organization must log in via SAML.
Opine currently does not support IdP-initiated authentication.
Default Membership
Every member who creates a new account via SAML SSO will be given editor access to your organization.
Configure
Upgrade to a Team plan
To enable SAML, you'll need to upgrade to a Team plan. Please get in touch with support@tryopine.com to upgrade.
Configuration
Opine offers a self-serve SAML configuration available at https://app.tryopine.com/settings/security. From here, you can add your organization's apex domain and verify ownership. To verify ownership, you must add a TXT record to your domain. A verification token will be provided after you add the domain to your organization. Once the record is added, return to Opine and trigger verification.
Note: DNS propagation may take between 24 and 48 hours.
Once you've verified your domain, you can create a SAML Connection to your IdP. Once created, the Service Provider Configuration section lists the fields you need to add to your Identity Provider's application:
SP Entity ID - This is a unique identifier for your SAML connection that your Identity Provider application needs.
ACS URL - This is your application’s URL that your provider will redirect your users to after they have authenticated.
Scroll down to the Identity Provider Configuration section, and you will see the following empty fields:
SSO URL - This is your IdP's URL that we’ll redirect your users to so that they can authenticate.
Entity ID - This is the unique identifier of your IdP's application.
Certificate - This is the certificate we need to securely connect to your Identity Provider.
Retrieve those values from your IdP and save the configuration.
Lastly, you will need to map your Identity Provider's claims to our email, firstName, and lastName fields.
Enabling the connection
You can begin testing your SAML connection once you've saved the configuration data.
Although Opine does not support IdP-initiated authentication, you can still use that flow to test the connection before enabling it for your organization. Our application will still return feedback when you attempt an IdP-initiated login. The SAML connection should be ready if you see a response stating that the RelayState parameter is missing from the SAML response.
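To see why each field above matters, here is an added example (not Opine's code) that checks a SAML Response the way a Service Provider's ACS would, rejects an IdP-initiated POST that carries no RelayState, and maps IdP attribute names onto the email, firstName and lastName fields. All entity IDs, URLs, attribute names and the sample response are constructed placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed placeholders standing in for the values shown on the settings page.
SP_ENTITY_ID = "https://sp.example.test/saml/conn-1"       # SP Entity ID
ACS_URL = "https://sp.example.test/saml/conn-1/acs"        # ACS URL
IDP_ENTITY_ID = "https://idp.example.test/entity"          # IdP Entity ID
# Claim mapping saved by the admin: Opine field -> IdP attribute name (constructed).
CLAIM_MAP = {"email": "mail", "firstName": "givenName", "lastName": "sn"}

# Constructed, unsigned sample Response; signature checks against the IdP
# certificate belong to a SAML library and are not shown here.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  Destination="{ACS_URL}"><saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <saml:Assertion><saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail"><saml:AttributeValue>ada@example.test</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="givenName"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="sn"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement></saml:Assertion></samlp:Response>"""


def check_and_map(response_xml, relay_state):
    """Check the addressing fields an SP verifies, then map attributes to fields."""
    if not relay_state:
        # The feedback the docs describe for an IdP-initiated test login.
        raise ValueError("RelayState parameter is missing from the SAML response")
    root = ET.fromstring(response_xml)
    if root.get("Destination") != ACS_URL:
        raise ValueError("Destination does not match the ACS URL")
    if root.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        raise ValueError("Issuer does not match the IdP Entity ID")
    if root.findtext(".//saml:Audience", namespaces=NS) != SP_ENTITY_ID:
        raise ValueError("Audience does not match the SP Entity ID")
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
             for a in root.iterfind(".//saml:Attribute", NS)}
    mapped = {field: attrs.get(name) for field, name in CLAIM_MAP.items()}
    missing = [field for field, value in mapped.items() if not value]
    if missing:
        raise ValueError(f"unmapped claims: {missing}")
    return mapped
```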
Enabling the SAML Connection will not log out any member currently logged in. However, they must use SAML to regain access the next time they log in.
If you run into issues with your SAML configuration, please reach out to support@tryopine.com for assistance.