Set up SAML authentication + single sign-on (SSO)

Updated on April 13, 2021

SAML-based single sign-on (SSO) gives your members access to Assembly through the identity provider (IdP) of your choice. When enabled, members will sign in directly through your identity provider using SSO.

Who can use this feature?

Only Admins can set up, edit, and disconnect SAML authentication and single sign-on. This admin must also have access to the identity provider’s (IdP) settings. The email address in the IdP and in Assembly must match, both for the admin and for any member who joins.

What to expect

  • Only one IdP can be connected at one time
  • Only Business and Enterprise plans can set up SAML authentication and SSO (NOTE: if you downgrade your plan to Team or Free you will lose your SAML connection)
  • Once you’ve configured your Assembly’s SAML, you (or any other Admins within your Assembly) can edit your connection settings or disconnect at any time

Enable SAML authentication

To get started, you’ll need to set up a SAML connection (or connector) for Assembly with your IdP.

  1. From my.joinassembly.com, click the Admin icon in the lower left corner of the left navigation bar.
  2. Click Security & Login in the left sidebar.
  3. Click SAML Authentication.
  4. Click Enable.
  5. Enter your SAML 2.0 Endpoint URL (HTTP). (This came from setting up your connector. If Okta is your IdP, you can include the IdP URL instead if you’d like.)
  6. Next to Identity Provider Issuer, enter your IdP Entity ID.
  7. Copy the entire X.509 certificate from your identity provider and paste it into the Public Certificate field.
  8. Configure the SAML portal in your IdP (see next section for more information)
  9. Next to Advanced Options, click Expand (NOTE: these options are not required). Choose how the SAML response from your IdP is signed. If you need an end-to-end encryption key, check the box next to Sign AuthnRequest to show the certificate.
  10. Under Settings, decide whether SAML authentication/SSO is required, partially-required* or optional.
  11. Click Test Configuration to test your settings.
  12. If you have any errors, you will need to correct them before you can save your configuration.
  13. Once you test your settings and there are no errors, click Enable SAML to save and enable your SAML authentication.

*If you have guest accounts (manually-invited members), we recommend choosing the option where SSO is either 1) Required, except for manually-invited members; or 2) Optionally-required, so manually-invited members can still sign in using their email address and password. For more information about manually-invited members, check out this help article.

Assembly portal configuration

Configure the Assembly app to appear in your IdP dashboard 

  1. Copy the service provider issuer URL and paste in your IdP 
  2. Copy the service provider callback URL and paste into your IdP
  3. Download the Assembly portal icons and upload them into your IdP 
  4. Ensure you have the proper parameters configured (see the table below):

(NOTE: Ensure the NameID in your IdP is matched to the member's email address in Assembly, and make sure to call it Email.)
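The following pre-flight check is an added example, not part of Assembly's documentation or tooling. It pulls the three values entered in steps 5 to 7 of "Enable SAML authentication" (endpoint URL, IdP issuer, certificate) out of an IdP metadata XML export, and flags the mistakes that most often break the NameID-to-email match described above. It assumes your IdP offers a metadata export; `extract_idp_settings`, the `idp.example.com` URLs and the certificate placeholder are constructed for illustration.

```python
import base64, hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
HTTP_BINDINGS = tuple("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-" + b for b in ("Redirect", "POST"))

# Constructed sample metadata; the certificate body is placeholder bytes, not a real cert.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/entity">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>Q09OU1RSVUNURUQtUExBQ0VIT0xERVItQ0VSVA==</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
  <md:SingleSignOnService Location="https://idp.example.com/sso/saml"
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
 </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def extract_idp_settings(metadata_xml):
    """Return (settings, problems) for the values pasted into the SAML form."""
    root = ET.fromstring(metadata_xml)  # parse only metadata from your own IdP console
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return {}, ["no IDPSSODescriptor element: not IdP metadata"]
    urls = [s.get("Location", "") for s in idp.findall("md:SingleSignOnService", NS)
            if s.get("Binding") in HTTP_BINDINGS]
    certs = ["".join(c.text.split())  # signing keys only; strip line wraps
             for k in idp.findall("md:KeyDescriptor", NS) if k.get("use") != "encryption"
             for c in k.iterfind(".//ds:X509Certificate", NS) if c.text]
    formats = [f.text.strip() for f in idp.findall("md:NameIDFormat", NS) if f.text]
    problems, fingerprint = [], None
    if not urls:
        problems.append("no HTTP-Redirect/HTTP-POST SingleSignOnService endpoint")
    elif not urls[0].startswith("https://"):
        problems.append("SSO endpoint is not HTTPS: " + urls[0])
    if len(certs) != 1:  # assumption: the single Public Certificate field takes one cert
        problems.append("expected exactly one signing certificate, found %d" % len(certs))
    if formats and EMAIL_FORMAT not in formats:
        problems.append("IdP does not advertise the emailAddress NameID format")
    try:  # fingerprint to compare against the value shown in the IdP console
        if certs:
            fingerprint = hashlib.sha256(base64.b64decode(certs[0], validate=True)).hexdigest()
    except ValueError:
        problems.append("certificate is not valid base64")
    return {"endpoint_url": urls[0] if urls else None, "idp_issuer": root.get("entityID"),
            "certificate_b64": certs[0] if certs else None, "cert_sha256": fingerprint}, problems
```

Call `extract_idp_settings()` on your IdP's exported metadata and resolve every entry in the returned problem list before clicking Test Configuration.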


Edit your SAML configuration

  1. To make any edits or updates to your SAML configuration, click Edit.
  2. Clicking Cancel before testing and saving your changes will revert to your original configuration.
  3. You must test your configuration before you can save your changes.
  4. Any saved changes will immediately apply.

Allow anyone with an account in your IdP to create an Assembly account

When turned on, this setting will allow anyone with access to Assembly in your IdP to create an Assembly account directly from your IdP by clicking on the Assembly card in your IdP dashboard. If the user already has an invitation in the pending, queued, or requested state, we will automatically create their Assembly account and they will no longer have a pending/queued/requested invitation.

When turned off, if a user clicks Assembly directly from your IdP they can request access to your Assembly account (their request will show up in the Requests tab in https://my.joinassembly.com/admin/users/invite).

What to expect when SAML authentication and SSO is enabled

Once you’ve set up SAML authentication, any members already signed in when SSO is enabled will remain signed in. All required members will receive an email prompting them to authenticate with SAML, except when SAML is optional for your Assembly.

Going forward, all members will sign in to Assembly with their IdP account. If you chose to require SSO, your members will see a sign-in page before they can access your Assembly.

Disabling SAML

If you would like to discontinue using SAML authentication for your Assembly account, you can disable it at any time.

  1. From my.joinassembly.com, click the Admin icon in the lower left corner of the left navigation bar.
  2. Click Security & Login in the left sidebar.
  3. Click SAML Authentication.
  4. Click Edit.
  5. Click Disable SAML.

What to expect after SAML authentication and SSO is disabled

Any members already signed in when SAML is disabled will remain signed in. Once SAML authentication is disabled, members are no longer required, or given the option, to authenticate with your SAML platform. Disabling clears your SAML settings, so you will need to re-enter all of the information to set SAML authentication up again.

Members of your Assembly will be prompted via email to either authenticate with SSO, log in with email and password, or create/reset their password if they do not have one.