SAML-based Single Sign-On
Set up by: Company Admin
Teams on the Company plan can set up SAML-based single sign-on (SSO), giving your team members access to RealtimeBoard through an identity provider (IdP) of your choice. You can choose a SAML 2.0 Identity Provider (IdP) to set up authentication within your secure network.
Once SSO is enabled for the Company account, the Company members cannot:
- log into RealtimeBoard using the standard authorization procedure. SSO login form and identity provider credentials must be used instead.
- edit their names, emails or profile pictures in RealtimeBoard. These data are attributed by your identity provider. Any changes must be perfomed on the side of the identity provider and then on the RealtimeBoard side (please reach out to our support team for assistance) before an end-user tries to employ them with RealtimeBoard.
As a general rule, the user is redirected to the login page managed by your identity provider when trying to access RealtimeBoard in their browser (Service Provider initiated SSO). The authorization procedure is switched to SSO on the user profile level. This means that if you have users who are members of several RealtimeBoard accounts/teams, they will need to use the same corporate credentials to access all RealtimeBoard accounts.
Feel free to use any identity provider of your choice. For an easy way to configure SAML in a couple of clicks here are some preset IdPs:
It is strongly recommended to configure the feature in incognito mode of your browser. This way you keep the session in the standard window, allowing you to switch of the SSO authorisation in case something is configured incorrectly. If you wish to set up a test account before enabling SSO on production, please request it with your Account Executive or reach out to firstname.lastname@example.org for assistance.
Step 1: Configure your identity provider
First, go to your identity provider's configuration panel and follow the provider's instructions to configure Single Sign-On. Please note, that RealtimeBoard uses SAML 2.0 with the HTTP Redirect binding for SP to IdP and expects the HTTP Post binding for IdP to SP.
Depending on the identity provider you may have more fields to be filled out but those can be skipped (for instance, some providers may ask for Entity ID which RealtimeBoard does not employ). Here are all the obligatory SAML parameters you'll need:
• the launch/service URL: https://realtimeboard.com/sso/saml
• the NameID containing the user’s email address
• additional attributes to be sent with the SAML assertion: FirstName, LastName
• a signed SAML assertion
Define these data in your identity provider will have all the necessary information for a successful SSO procedure.
You may also set the ProfilePicture attribute if you wish, it will then be translated to the RealtimeBoard user profile as well. ProfilePicture attribute should have the base64 encoded format.
Step 2: Enable SSO/SAML in RealtimeBoard
To establish the connection between RealtimeBoard and your chosen identity provider you will need to upload your meta-data to the RealtimeBoard system and not vice-versa.
To enable SSO for your RealtimeBoard company, go to the Settings > Security and specify the following values:
1. SAML 2.0 Endpoint URL (HTTP)
2. Public Key x.509 Certificate
3. The list of domains allowed to authenticate via your SAML server. Public domains (e.g. @gmail.com, @outlook.com, etc.) are not allowed
If you want to test SSO without affecting other users of your domain please contact email@example.com to create a test account for you. Only those who configure SSO will be added to this test account.
Step 3: Configure Just In Time Provisioning for new users (optional)
To enable this option, tick the box and choose a team. All newly registered users from the listed domains will be automatically added right to your Company Account to this particular team. Thus, they can use RealtimeBoard from the very start, without waiting for someone to invite them to the team. We also adjust new users' onboarding flow to make sure they are not lost in creating trial team accounts.
Enable SSO/SAML page in the team account settings
Possible Issues and How to Resolve them
If your company is changing its domain name and therefore the email addresses of the end users need a change of their SSO credentials please reach out to our support team for assistance.