👉 SAML authentication is included with the Scale and Enterprise plans.
About SAML single sign-on
Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between parties, such as an identity provider and a service provider.
SAML for single sign-on (SSO) allows users to authenticate through your company's identity provider when they log in to Holaspirit. SSO allows a user to authenticate once and then access multiple products during their session without needing to authenticate with each. SSO only applies to user accounts from your verified domains.
If you manage users for a site with Google Workspace, check out this article.
Before you begin
Here's what you must do before you set up SAML single sign-on.
Make sure you're an admin for a Holaspirit organization.
Configuration is required in both systems (Holaspirit and your IdP).
Available identity providers
Active Directory Federation Services (ADFS)
Auth0
Microsoft Azure Active Directory
Google Cloud Identity
Google Workspace
Okta
OneLogin
Ping Identity
Or any provider that follows the SAML 2.0 specification
Available SAML attributes
When you set up your identity provider, these are the SAML attributes you use:
| Instructions | SAML Attribute | Map to your identity provider |
| --- | --- | --- |
| Required | NameID | User's email |
Attributes mappings
In your IdP configuration you will find an "Attribute Mappings" section that specifies which fields are sent to Holaspirit.
Here is the list of fields that we will save on Holaspirit:
Configure SAML SSO
Step 1: Copy details from your identity provider to your Holaspirit organization
From your organization, select Administration > Authentication.
Add domain(s) of your organization.
Select SAML in the drop-down menu and add the SAML details: fill in the Identity Provider Login URL and the SAML Certificate provided by your SSO provider:
| SAML details | Description | Example |
| --- | --- | --- |
| Issuer URL (Identity provider Entity ID or Azure AD Identifier) | This value is a URL containing information about the IdP so the Service Provider can validate that the SAML assertions it receives are issued by the correct IdP. | |
| SSO Endpoint | This value defines the URL your users are redirected to when logging in. | |
| SLO Endpoint | | |
| Certificate | This value begins with '-----BEGIN CERTIFICATE-----'. This certificate contains the public key we use to verify that your identity provider issued all received SAML assertions. | |
Save SAML configuration.
Once the information is saved, download the metadata file. This page gives access to the information required to set up the IdP.
Step 2: Copy URLs from your Holaspirit organization to your identity provider
Copy the URLs into your IdP, then select Save in your identity provider.
The ACS (Assertion Consumer Service) should be: https://app.holaspirit.com/api/public/organizations/__your_organization_slug__/social/saml/acs
The SignOn URL should be: https://app.holaspirit.com/
The Relay state should be: https://app.holaspirit.com/api/public/organizations/__your_organization_slug__/social/saml/rs
The "__your_organization_slug__" part must match the one in your metadata URL.
For MS Azure, you can read the documentation: https://azure.microsoft.com/en-us/documentation/articles/active-directory-enterprise-apps-manage-sso/
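The following is an added example, not Holaspirit's code, showing the checks a SAML service provider makes on an incoming response against the values configured in Step 1 and Step 2 (Issuer URL, ACS URL, audience, verified domains). The IdP URL, the organization slug "acme" and the sample response are constructed; signature verification with the IdP certificate is assumed to have been done beforehand by an XML-signature library.

```python
# Added example, not Holaspirit's code: service-provider checks on an incoming <samlp:Response>
# using the values configured above. Signature verification with the IdP certificate is assumed
# to have already been done by an XML-signature library before these checks run (not shown).
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ACS = "https://app.holaspirit.com/api/public/organizations/acme/social/saml/acs"  # "acme" is a placeholder slug
SP_CONFIG = {
    "issuer": "https://idp.example.com/saml/metadata",  # Issuer URL (IdP Entity ID), constructed
    "acs": ACS,                                          # ACS URL from Step 2
    "audience": ACS.replace("/acs", "/metadata"),        # SP Entity ID / Audience, constructed
    "domains": {"example.com"},                          # verified company domains
}

# Constructed sample response (already signature-checked) for a user in a verified domain.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_r1" Version="2.0" Destination="{ACS}">
 <saml:Assertion ID="_a1" Version="2.0">
  <saml:Issuer>https://idp.example.com/saml/metadata</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID>
   <saml:SubjectConfirmation><saml:SubjectConfirmationData Recipient="{ACS}"
     NotOnOrAfter="2030-01-01T00:00:00Z"/></saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
   <saml:Audience>{SP_CONFIG['audience']}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
 </saml:Assertion></samlp:Response>"""

def validate_response(xml_text, cfg, now=None):
    """Return (True, email) if the response is acceptable, else (False, reason)."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    if root.get("Destination") != cfg["acs"]:
        return False, "Destination does not match the ACS URL"
    a = root.find("saml:Assertion", NS)
    if a is None or a.findtext("saml:Issuer", namespaces=NS) != cfg["issuer"]:
        return False, "missing assertion or Issuer does not match the Issuer URL"
    if a.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS) != cfg["audience"]:
        return False, "Audience does not match"
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != cfg["acs"]:
        return False, "Recipient does not match the ACS URL"
    if now >= datetime.fromisoformat(scd.get("NotOnOrAfter").replace("Z", "+00:00")):
        return False, "assertion has expired"
    email = a.findtext("saml:Subject/saml:NameID", namespaces=NS) or ""
    if email.rpartition("@")[2].lower() not in cfg["domains"]:
        return False, "NameID is not an email in a verified domain"
    return True, email
```

A response whose slug, issuer, audience or NameID domain differs from the configured values is rejected with the failing check as the reason.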
Configure and enforce SAML single sign-on
SSO can be set up as either a convenience or a requirement. If you enforce SSO, this will affect all Holaspirit users on your domains (the domains you defined in "Company domains" at the top of the page).
Use case: Forbid authentication with email / password to ensure users with access to Holaspirit must have valid credentials in the IdP to login.
To enforce SSO:
Login with SAML
Go to Administration > Authentication
Make sure SAML is configured in both systems
Select Activate for all members
Enforced SSO is enabled.
Enforced SAML consequences:
Switching between different Holaspirit organizations is not available.
Users cannot create a new organization from the same email address.
Users cannot edit their email address. It is managed in the AD.
To access another organization, users must logout and login with the appropriate authentication method.
Users will automatically be redirected to the login page of the IdP when trying to log in with the wrong authentication mode or when they try to reset their password.
Administrators are not affected and are always allowed to log in with email and password.
For Okta users
In Single Sign On URL, add the ACS. It looks like: https://app.holaspirit.com/api/public/organizations/********/social/saml/acs
In Audience URL, add the URL provided in the metadata file.
In the settings of your app, in General, SAML settings, be sure to add the following attribute statements.