Air provides Single Sign-On (SSO) functionality for enterprise customers to access the app through a single authentication source. This allows IT administrators to better manage team access and keeps information more secure.

SAML (Security Assertion Markup Language) is a standard that permits identity managers to safely pass authorization credentials to service providers like Air. In a SAML SSO setup, the identity provider (Azure, Okta, etc.) manages the organization's user accounts and credentials. The service provider (Air) is the app or website that provides services to the user or organization.

When using SAML SSO, Air won't store passwords for any accounts managed by Single Sign-On. Members log in to the organization via their identity provider.

How SAML SSO works:

  1. Member attempts to log in to Air via SAML SSO

  2. Air sends a SAML request to the identity provider

  3. The identity provider checks this member's credentials

  4. The identity provider sends a response to Air to verify the member's identity

  5. Air accepts the response and logs the member into their Air account

⚠️ Note that SAML SSO is only available for workspaces on an Enterprise plan.
Contact sales to learn more.

Air Setup

Navigate to Workspace settings and Security & Identity to view your workspace's SAML SSO configuration options.

  1. Email domains: add your organization's email domains to the approved domains list to allow users with these domains to authenticate using SAML SSO.

  2. Single sign-on URL: Copy this to use when setting up your Identity Provider. This will need to be done during your IdP setup.

  3. IDP metadata URL/XML: enter the URL provided by your Identity Provider here. This will need to be done during your IdP setup.

Ensure that the SAML SSO toggle is enabled when using SAML SSO. When it is enabled, you also have the option to enforce SAML SSO, which requires anyone who logs in to the workspace to do so via SAML SSO.

Identity Provider (IdP) Setup

These are instructions for setting up Air SAML SSO with Okta and Azure Active Directory. If you use a different Identity Provider and need assistance with configuration, please contact our support team.

This process involves adding an application to your identity provider, creating the SAML integration, and assigning users to the application. Along the way, your identity provider will provide you with a Metadata URL – an XML link that Air uses to connect to your identity provider and authenticate users when they log in.

Okta

Step 1: Add the Air app from Okta's application directory

  1. Log in to Okta as an administrator, and go to the Okta Admin console

  2. Expand Applications on the side menu and click the “Applications” link.

  3. Click the “Create App Integration” button. *NOTE: Do not use the pre-configured Air integration, as that app is currently being updated and is in review with Okta.

  4. Select SAML 2.0 and click “Next”

  5. Under “General Settings”,

    1. provide an App name like “Air”

    2. upload a logo if desired. You can use the logo here if you'd like.

      • For best results, use a PNG image with

        • Minimum 420px by 120px to prevent upscaling

        • Landscape orientation

        • Transparent background

    3. and hit “Next”

  6. On the next step, labeled “Configure SAML”:

    1. SAML Settings / General (values to copy/paste):

      • Single sign on URL: **https://auth.air.inc/saml2/idpresponse**

      • Audience URI (SP Entity ID): urn:amazon:cognito:sp:us-east-1_EbSzy11nS

      • Default RelayState: leave blank

      • Name ID format: Unspecified

      • Application username: Custom

        • For the Expression field, enter:

          • String.toLowerCase(user.getInternalProperty('id'))

      • Update application username on: Create and update

      • Attribute Statements

      • Group Attribute Statements: leave blank

      • Preview the SAML assertion generated from the information above

        • While you are still setting up the app, the preview shows placeholders like “userName” and “user.firstName” in the XML, which makes reviewing it unhelpful. Once you have created the app and assigned yourself to it, go back to the preview: it is much more informative because it shows how your user info would get mapped over. If you have any issues, this info can help Air debug the problem.

        • Click Next

  7. On the final step, “Feedback”:

    • Select the options:

      • I'm an Okta customer adding an internal app

      • This is an internal app that we have created

    • On the “Sign On” tab, scroll down to “SAML Signing Certificates”. Use the “Actions” dropdown and select “View IdP metadata”. Either click that link and copy the URL from your browser address bar OR right-click on it and choose “Copy Link Address”.

Step 2: Update your Air workspace with the address of your IdP metadata file

Paste the IdP metadata URL that you copied in the previous step into the “SAML metadata URL” field. The URL should be in the format “https://<your-okta-domain>/app/<app-entity-id>/sso/saml/metadata”.

Note: The Single sign-on URL is not needed for an Okta integration. You can use that link anytime you want to send employees directly to your SAML login (e.g. on a company portal page).

Step 3: Assign users to the Air app

Now you can start assigning users to the application. As part of this process, you may be asked to provide additional information about each user.

  • In Okta, navigate to the Assignments tab and click Add user/group

Congratulations! 🎉

You've successfully configured your Air workspace for SAML SSO with Okta! Users may now authenticate with your Identity Provider to access your Air workspace.

Azure (Active Directory)

Step 1: Create a new application integration

  1. Sign in to the Azure portal. On the left navigation pane, select the Azure Active Directory service.

  2. Navigate to the Enterprise Applications page and select New application

  3. Search for Air in the "All applications" directory and select it

Step 2: Create a SAML integration

  1. On your new 'Air' application's home page, navigate to Single sign-on and choose the SAML option.

  2. Select Edit to modify Basic SAML Configuration and enter the following values before selecting Save.

    • Sign on URL* - copy this from Security & Identity settings in Air

      * Note that adding a Sign on URL allows for Identity Provider (IdP) initiated access to Air, meaning users can log in to Air from the Azure portal

  3. On the Single Sign-on screen, select Edit to modify Attributes & Claims and click on the ‘Unique User Identifier (Name ID)’ row to edit this claim's value:

    Set the Source attribute value to ‘user.objectid’ and select ‘Persistent’ for the Name identifier format.

  4. On the Single Sign-on screen, copy the App Federation Metadata Url and paste it into the SAML Metadata URL* input in your Security & Identity settings in Air


Step 3: Assign users to the Air app

  1. Navigate to Users and Groups and click Add user/group

  2. Click None Selected, choose the users to add from the action menu, and click Select to confirm your selection.

  3. Verify the selected users count and select Assign at the bottom of the screen

Step 5: Test the integration

  1. Navigate back to the Single sign-on screen and select Test

  2. Choose the Sign in as current user option and select Test sign in to confirm that Identity Provider (IdP) initiated sign in is working.

Congratulations! 🎉

You've successfully configured your Air workspace with SAML SSO! Users may now authenticate with your Identity Provider to access your Air workspace.

Logging in with SAML SSO

With SAML SSO enabled for your workspace, your organization can start authenticating in a number of different ways.

Option 1: Service Provider (SP) initiated access

  1. To authenticate with SAML SSO from Air (Service Provider), start by navigating to air.inc/login and selecting the Continue with SAML SSO option.

  2. Type the email address tied to your organization's domain. You will be prompted to authenticate with your Identity Provider (IdP) and routed back to your organization's Air workspace.

Option 2: Identity Provider (IdP) initiated access

Users in your organization can also access your Air workspace from within your Identity Provider (IdP) if they so choose.

  1. Navigate to https://myapps.microsoft.com/ and log in to your Microsoft account

  2. Select the 'Air' application to be routed to your organization's Air workspace

Still have more questions? Send us a message.