Single Sign-On (SSO) Integration Using SAML

Introduction to SSO using SAML

Single Sign-On (SSO) using Security Assertion Markup Language (SAML) is an authentication method that allows users to access multiple applications with a single set of login credentials. At Spatial, we're excited to offer this feature to our valued enterprise subscription customers, enhancing security and streamlining the login process.

How It Works

When a user attempts to access Spatial, they are redirected to your organization's identity provider for authentication. Once authenticated, the identity provider sends a SAML assertion to Spatial, confirming the user's identity and permissions. Spatial then grants access based on this assertion, eliminating the need for a separate login process.

Getting Started

To integrate your login system with Spatial using SAML:

1. Ensure you have an active Spatial Enterprise subscription.
2. Open a ticket to our Support team to initiate the SSO setup process. Please provide the following information:
   
   1. Email Subject: SSO Setup Request
   2. Domain which you want to administer accounts for
   3. Entity ID
   4. SSO URL
   5. Service Provider Certificate
3. Configure your IdP with Spatial's service provider details
   1. Callback URL : https://www.spatial.io/api/__/auth/handler
   2. Setting to include email address on SAML response

{
"mappings": {
"email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
},
"nameIdentifierFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
"nameIdentifierProbes": [
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
]
}

Optionally for some identity providers, you may need to set:
- Binding: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
- ProtocolSupportEnumeration: urn:oasis:names:tc:SAML:2.0:protocol
- NameId: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

Support

If you're a Spatial Enterprise subscriber and need help setting up SSO, please contact our Support team at Support@Spatial.io.