Configuring SAML for your Holaspirit organization will let you and all your teammates log in to Holaspirit using the credentials stored in your organization’s Active Directory, LDAP, or other identity store that has been configured with a SAML Identity Provider.

Only administrators have access to these settings.

1. Activate SAML authentication for your Holaspirit organization

To activate SAML authentication, please follow these steps:

  • Click on your profile icon at the bottom of the left-hand navigation menu
  • Click Administration
  • In the Settings section, click Authentication
  • Toggle the switch on the right side to activate SAML

2. Configure SAML

Manage your user logins by customizing the login policy for specific domains.

From the first section:

  • Add the domain names to which the authentication settings apply. Domains cannot be saved until the connection with your identity provider (IdP) has been configured.

Before enabling SSO for your organization, you’ll need to connect your IdP to your organization.

  • Select the SAML authentication in the dropdown menu
  • Fill in the Issuer URL (also called the SAML Entity ID), the SSO Endpoint (the URL users are sent to for login, also called the SAML Single Sign-On Service URL), the SLO Endpoint (the URL used at logout), and the Certificate (provided by your IdP; it must be in PEM format, as in the image below)
  • Click Save
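Most IdPs publish these four values in a SAML metadata XML document. The following Python script is an added example (not Holaspirit's code): it pulls the Entity ID, SSO and SLO endpoints and signing certificate out of such metadata, wraps the bare base64 certificate into the PEM format the form expects, and flags endpoints that are not https before anything is pasted in. The metadata, the host idp.example.com and the certificate bytes are constructed placeholders.

```python
import base64
import ssl
import textwrap
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample IdP metadata: idp.example.com is a placeholder, the "certificate" is
# base64 of the word "dummy", and the SSO endpoint is plain http so the check below flags it.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/saml/metadata">
  <md:IDPSSODescriptor><md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>ZHVtbXk=</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Location="https://idp.example.com/saml/slo"/>
    <md:SingleSignOnService Location="http://idp.example.com/saml/sso"/>
  </md:IDPSSODescriptor></md:EntityDescriptor>"""

def to_pem(b64_cert: str) -> str:
    """Metadata carries the certificate as bare base64; the Holaspirit form wants PEM."""
    der = base64.b64decode("".join(b64_cert.split()), validate=True)  # rejects non-base64
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def extract_idp_settings(metadata_xml: str) -> dict:
    """Pull the four values the SAML form asks for (Issuer, SSO, SLO, certificate)."""
    root = ET.fromstring(metadata_xml)
    sso = root.find("md:IDPSSODescriptor/md:SingleSignOnService", NS)
    slo = root.find("md:IDPSSODescriptor/md:SingleLogoutService", NS)
    cert = root.find("md:IDPSSODescriptor/md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if sso is None or cert is None or not cert.text:
        raise ValueError("metadata lacks an SSO endpoint or a signing certificate")
    return {"issuer_url": root.get("entityID"),
            "sso_endpoint": sso.get("Location"),
            "slo_endpoint": slo.get("Location") if slo is not None else None,
            "certificate_pem": to_pem(cert.text)}

def check_settings(settings: dict) -> list:
    """Return the problems found; an empty list means the values are ready to paste."""
    problems = []
    for key in ("sso_endpoint", "slo_endpoint"):   # SLO is optional, SSO is not
        url = settings.get(key)
        if url and urlparse(url).scheme != "https":
            problems.append(f"{key} must use https, got {url!r}")
    try:  # format check only: header, footer and base64 body, not the X.509 content
        ssl.PEM_cert_to_DER_cert(settings["certificate_pem"])
    except ValueError as exc:
        problems.append(f"certificate is not valid PEM: {exc}")
    return problems
```

The PEM check only catches formatting mistakes (missing BEGIN/END lines, DER pasted as text); an expired or wrong certificate still has to be verified against what your IdP currently publishes.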

For Okta users

In Single Sign On URL, enter the ACS URL. It looks like: https://app.holaspirit.com/api/public/organizations/********/social/saml/acs

In Audience URL, you need to write the URL of the metadata.

In the settings of your app, under General, SAML Settings, be sure to add the following attribute statements:

For MS Azure, you can read the documentation.

Enforced SAML SSO

Organization owners and admins can enforce SAML SSO so that every organization member whose email address belongs to one of the configured domains must authenticate via the identity provider.

If you require enforced SAML SSO authentication, all users must log in with SAML. An existing username/password or Google OAuth login does not work. This ensures that all users with access to Holaspirit must have valid credentials in your company’s identity provider/directory service to access your organization in Holaspirit.

Users whose email addresses belong to other domains can still log in with username/password or Google OAuth.

Enforced SAML consequences:

  • Users cannot switch to other organizations or create a new organization from the same email address. To access another organization, they first have to log out and sign in again with the authentication method that organization requires.
  • For added security, users cannot edit their email address in their profile settings.
  • With enforced SAML active, users are redirected to your IdP's login page if they try to log in using any other authentication mode or if they try to reset their password.

Account provisioning

A user is created within Holaspirit directly the first time they log in via SAML. This eliminates the need for administrators to manually create user accounts one at a time. This greatly simplifies the integration work and increases the security for your organization.

When users log in for the first time:

  • Users log in with the professional email address whose domain has been configured, e.g. @holaspirit.com
  • The IdP login page opens
  • Users are redirected to Holaspirit homepage

If the number of licenses is not sufficient, then the user will be created as inactive. A platform administrator can change the user's privilege to member or administrator later on.

If you wish to set up Google Authentication, see this article.
