Air provides Single Sign-On (SSO) functionality for enterprise customers to access the app through a single authentication source. This allows IT administrators to better manage team access and keeps information more secure.
SAML (Security Assertion Markup Language) is a standard that permits identity managers to safely pass authorization credentials to service providers like Air. In a SAML SSO setup, the identity provider (Azure, Okta, etc.) manages the organization's user accounts and credentials. The service provider (Air) is the app or website that provides services to the user or organization.
When using SAML SSO, Air won't store passwords for any accounts managed by Single Sign-On. Members log in to the organization via their identity provider.
How SAML SSO works:
1. Member attempts to log in to Air via SAML SSO
2. Air sends a SAML request to the identity provider
3. The identity provider checks this member's credentials
4. The identity provider sends a response to Air to verify the member's identity
5. Air accepts the response and logs the member into their Air account
Go to Workspace settings and Security & Identity to view your workspace's SAML SSO configuration options.
Email domains: add your organization's email domains to the approved domains list to allow users with these domains to authenticate using SAML SSO.
Single sign-on URL: Copy this to use when setting up your Identity Provider. This will need to be done during your IdP setup.
IDP metadata URL/XML: enter the URL provided by your Identity Provider here. This will need to be done during your IdP setup.
Ensure that when using SAML SSO, the toggle is enabled. When enabled, you have the option to enforce SAML SSO. This requires that anyone who attempts to log in to the workspace will need to do so via SAML SSO.
Identity Provider (IdP) Setup
These are instructions for setting up Air SAML SSO with Okta and Azure Active Directory. If you use a different Identity Provider and need assistance with configuration, please contact our support team.
This process involves adding an application to your identity provider, creating the SAML integration, and assigning users to the application. Along the way, your identity provider will provide you with a Metadata URL – an XML link that Air uses to connect your identity provider, and authenticate users when they log in.
Step 1: Add the Air app from Okta's application directory
1. Log in to Okta as an administrator, and go to the Okta Admin console.
2. Expand Applications on the side menu and click the “Applications” link.
3. Click the “Create App Integration” button. *NOTE: Do not use the pre-configured Air integration as this app is currently being updated, but is in review with Okta.
4. Select SAML 2.0 and click “Next”.
5. Under “General Settings”:
   - Provide an App name like “Air”.
   - Upload a logo if desired. You can use the logo here if you'd like. For best results, use a PNG image with minimum 420px by 120px to prevent upscaling.
   - Hit “Next”.
6. On the next step, labeled “Configure SAML”:
   SAML Settings / General (text below the image so you can copy/paste):
   - Single sign on URL: **https://auth.air.inc/saml2/idpresponse**
   - Audience URI (SP Entity ID): urn:amazon:cognito:sp:us-east-1_EbSzy11nS
   - Default RelayState: leave blank
   - Name ID format: Unspecified
   - Application username: Custom
   - For the Expression field, enter:
   - Update application username on: Create and update
   - Group Attribute Statements - leave blank
   Preview the SAML assertion generated from the information above.
   When setting up the app, the preview shows you placeholders like “userName” and “user.firstName” in the XML, which makes reviewing unhelpful. Once you have created the app, if you assign yourself to it, you can go back and preview and it is much more informative because it will show how your user info would get mapped over. If you have any issues, this info can be helpful to Air to help debug any problems.
7. On the final step, “Feedback”:
   Select the options:
   - I'm an Okta customer adding an internal app
   - This is an internal app that we have created
8. On the “Sign On” tab, scroll down to “SAML Signing Certificates”. Use the “Actions” dropdown and select “View IdP metadata”. Either click that link and copy the URL from your browser address bar OR right-click on it and choose “Copy Link Address”.
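One way to review the assertion preview from the “Configure SAML” step is to check it against the values listed above. This is an added example, not code from Air or Okta; the sample assertion and its NameID value are constructed, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

NS = "{urn:oasis:names:tc:SAML:2.0:assertion}"
# Values this page gives for the Okta "Configure SAML" step.
EXPECTED_ACS = "https://auth.air.inc/saml2/idpresponse"
EXPECTED_AUDIENCE = "urn:amazon:cognito:sp:us-east-1_EbSzy11nS"
# URI that the SAML specification defines for the "Unspecified" Name ID format.
EXPECTED_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
# Placeholders the page says the preview shows before a user is assigned.
PLACEHOLDERS = {"userName", "user.firstName"}

# Constructed sample preview; the NameID value is made up.
SAMPLE = f"""<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Subject>
    <saml2:NameID Format="{EXPECTED_FORMAT}">jane@example.com</saml2:NameID>
    <saml2:SubjectConfirmation><saml2:SubjectConfirmationData Recipient="{EXPECTED_ACS}"/>
    </saml2:SubjectConfirmation>
  </saml2:Subject>
  <saml2:Conditions><saml2:AudienceRestriction>
    <saml2:Audience>{EXPECTED_AUDIENCE}</saml2:Audience>
  </saml2:AudienceRestriction></saml2:Conditions>
</saml2:Assertion>"""


def first(root, tag):
    """Return the first element with this SAML assertion tag, or None."""
    return next(root.iter(NS + tag), None)


def check_preview(xml_text):
    """List mismatches between a previewed assertion and the settings above."""
    root = ET.fromstring(xml_text)
    problems = []
    audience = first(root, "Audience")
    if audience is None or (audience.text or "").strip() != EXPECTED_AUDIENCE:
        problems.append("Audience does not match the Audience URI (SP Entity ID)")
    confirm = first(root, "SubjectConfirmationData")
    if confirm is None or confirm.get("Recipient") != EXPECTED_ACS:
        problems.append("Recipient does not match the Single sign on URL")
    name_id = first(root, "NameID")
    if name_id is None or name_id.get("Format") != EXPECTED_FORMAT:
        problems.append("NameID is missing or its Format is not Unspecified")
    value = "" if name_id is None else (name_id.text or "").strip()
    if not value or value in PLACEHOLDERS:
        problems.append("NameID is empty or still a preview placeholder")
    return problems


if __name__ == "__main__":
    print(check_preview(SAMPLE) or "preview matches the documented settings")
```

An empty list means the preview agrees with the settings on this page; it says nothing about the assertion's signature, which the preview does not exercise.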
Step 2: Update Your Air Workspace with the address of your IdP metadata file
Paste the IdP metadata URL that you copied in the previous step into the “SAML metadata URL” field. The URL should be in the format “https://<your-okta-domain>/app/<app-entity-id>/sso/saml/metadata”.
Note: The Single sign-on URL is not needed for an Okta integration. You can use that link anytime you want to send employees directly to your SAML login (e.g. on a company portal page).
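Because the metadata URL is what tells Air which identity provider and signing certificate to trust, it is worth checking the URL and the document behind it before pasting. The sketch below is an added example, not Air's or Okta's code; the sample URL and metadata are constructed, the function name is hypothetical, and it checks structure only without validating the certificate.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"

# Constructed sample; host, entityID and certificate text are placeholders.
SAMPLE_URL = "https://idp.example.com/app/constructed/sso/saml/metadata"
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://idp.example.com/constructed">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      CONSTRUCTED-PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/app/constructed/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def check_idp_metadata(url, xml_text):
    """List problems with an Okta IdP metadata URL and the document behind it."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        problems.append("metadata URL is not https")
    # Path shape taken from the URL format this page gives for Okta.
    if not re.fullmatch(r"/app/[^/]+/sso/saml/metadata", parts.path):
        problems.append("URL path is not /app/<app-entity-id>/sso/saml/metadata")
    root = ET.fromstring(xml_text)
    if root.tag != MD + "EntityDescriptor" or not root.get("entityID"):
        problems.append("no EntityDescriptor with an entityID")
    idp = root.find(MD + "IDPSSODescriptor")
    if idp is None:
        return problems + ["no IDPSSODescriptor, so this is not IdP metadata"]
    # A KeyDescriptor with no use attribute covers signing as well.
    signing = [k for k in idp.findall(MD + "KeyDescriptor")
               if k.get("use", "signing") == "signing"
               and (k.findtext(".//" + DS + "X509Certificate") or "").strip()]
    if not signing:
        problems.append("no signing certificate in the metadata")
    for ep in idp.findall(MD + "SingleSignOnService"):
        if urlsplit(ep.get("Location", "")).scheme != "https":
            problems.append("SingleSignOnService endpoint is not https")
    return problems


if __name__ == "__main__":
    print(check_idp_metadata(SAMPLE_URL, SAMPLE_METADATA) or "metadata looks consistent")
```

The document-level checks apply equally to the App Federation Metadata Url from Azure; only the URL path check is specific to the Okta format given above.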
Step 3: Assign users to the Air app
Now you can start assigning users to the application. As part of this process, you may be asked to provide additional information about each user.
In Okta, navigate to the Assignments tab and click
You've successfully configured your Air workspace for SAML SSO with Okta! Users may now authenticate with your Identity Provider to access your Air workspace.
Azure (Active Directory)
Step 1: Create a new application integration
Sign in to the Azure portal. On the left navigation pane, select the Azure Active Directory service.
Navigate to the Enterprise Applications page and select
Search for Air in the "All applications" directory and select it
Step 2: Create a SAML integration
On your new 'Air' application's home page, navigate to Single sign-on and choose the
Edit to modify Basic SAML Configuration and enter the following values before selecting
Identifier (Entity ID) * -
Reply URL * -
Sign on URL * - copy this from Security & Identity settings in Air
* note that adding a Sign on URL allows for Identity Provider (IdP) initiated access to Air, meaning users can log in to Air from the Azure portal
On the Single Sign-on screen, select Attributes & Claims and click on the ‘Unique User Identifier (Name ID)’ row to edit this Claim name’s value:
Set the Source attribute value to ‘user.objectid’ and select ‘Persistent’ for the Name identifier format.
On the Single Sign-on screen, copy the App Federation Metadata Url and paste it into the SAML Metadata URL* input in your Security & Identity settings in Air
Step 3: Assign users to the Air app
Users and Groups and click
None Selected and click to add users from the action menu. Select the Select option to confirm your selection.
Verify the selected users count and select Assign at the bottom of the screen
Step 5: Test the integration
Navigate back to the Single sign-on screen and select
Sign in as current user option and select Test sign in to confirm that Identity Provider (IdP) initiated sign in is working.
You've successfully configured your Air workspace with SAML SSO! Users may now authenticate with your Identity Provider to access your Air workspace.
Logging in with SAML SSO
With SAML SSO enabled for your workspace, your organization can start authenticating in a number of different ways.
Option 1: Service Provider (SP) initiated access
To authenticate with SAML SSO from Air (Service Provider), start by navigating to air.inc/login and selecting the Continue with SAML SSO option.
Type the email address tied to your organization's domain. You will be prompted to authenticate with your Identity Provider (IdP) and routed back to your organization's Air workspace.
Option 2: Identity Provider (IdP) initiated access
Users in your organization can also access your Air workspace from within your Identity Provider (IdP) if they so choose.
Navigate to https://myapps.microsoft.com/ and log in to your Microsoft account
Select the 'Air' application to be routed to your organization's Air workspace