Configuring SAML SSO

Instructions on how to configure SAML SSO between your Identity Provider and Air.

Written by Tyler Strand
Updated over a week ago

Who can set up SAML SSO?

👨‍👩‍👧‍👦 Supported on any Enterprise Air plan

✏️ Anyone with admin access to the workspace

🔐 Quick tip!

SAML SSO is only available for workspaces on an Enterprise plan. Contact Air's sales team to learn more.

Air provides Single Sign-On (SSO) functionality for enterprise customers to access the app through a single authentication source. This allows IT administrators to better manage team access and keeps information more secure.

Before reading this configuration guide, make sure to familiarize yourself with SAML SSO.

There are 3 steps to configuring SAML SSO on your Air workspace, each covered in its own section below:

  1. Create a “SAML App” for Air in your Identity Provider

  2. Enable SAML SSO in your Air workspace

  3. Grant your users access to Air in your IdP

Once these steps are complete, your users can log in to Air at https://app.air.inc/saml-sso-login. Keep in mind, we do not support “IdP-initiated authentication” at this time, so users cannot log in to Air directly from your IdP; every login must start from the Air login page above (SP-initiated).

If your users are unable to log in after you’ve completed the steps in this guide, contact support for help. You can reach our team using the chat bubble in the bottom right of this page, or email us at help@air.inc.

Creating a “SAML App” for Air in your Identity Provider

In order for your users to log in to Air via SAML SSO, create a new “SAML Application” within your Identity Provider. The steps to do this are different in every IdP, but they will all require the values below.

SAML app configuration variables

These variables will be required during the basic setup of your SAML App for Air. They help establish the connection between Air and your IdP during a SAML authentication flow. Each entry below gives the setting’s name (which varies across IdPs), the value to enter, and an explanation.

Assertion Consumer Service (ACS) URL

    Value: https://auth.air.inc/saml2/idpresponse

    Explanation: This is the URL that your IdP will send its SAML response to after your user has authenticated with their credentials.

Entity ID (also called Service Provider Entity ID or Audience Restriction)

    Value: urn:amazon:cognito:sp:us-east-1_EbSzy11nS

    Explanation: This is the ID of Air’s authentication service. Your IdP needs it in order to send and receive SAML requests with Air.

SAML Subject (also called Unique User Identifier or Name ID)

    Value: {A unique ID for the user}

    Explanation: This is a unique ID for each user in your IdP’s directory. Most IdPs generate an ID themselves, which we suggest using.

    For Azure, we recommend: user.objectid

    For Okta, we recommend: String.toLowerCase(user.getInternalProperty('id'))

    Important:

    - Do not use an email address, as this may change in the future

    - Do not use anything with capital letters

Additional SAML attributes

In addition to the variables above, you’ll need to provide a few additional “SAML attributes” which help Air identify the specific user who is attempting to authenticate. Don’t be misled by the long URLs for the attribute names; that is the correct value for the name. Each attribute has a name, a format, a value, and an explanation.

First name attribute

    Format: Unspecified

    Value: {User’s first name}

    Explanation: This is the first name of the user.

Last name attribute

    Format: Unspecified

    Value: {User’s last name}

    Explanation: This is the last name of the user.

Email attribute

    Format: Unspecified

    Value: {User’s email}

    Explanation: This is the email address of the user. If they’ve already created an Air account with this email using email/password or another SSO provider, their accounts will be merged after their first SAML login.
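The values above (ACS URL, entity ID, Name ID rules) and the three user attributes each correspond to a specific element of the SAML Response your IdP sends to Air. The following Python script is an added example, not Air’s code, that checks a captured response against those values: Destination and Recipient equal to the ACS URL, Audience equal to Air’s entity ID, a Name ID that is not an email address and contains no capital letters, and all three attributes present with a value. Because the guide does not reproduce the URL-shaped attribute names, the script uses placeholder names of my own (`urn:placeholder:air:...`); substitute the names shown in Air’s admin UI. The sample response is constructed inline and unsigned, and the script deliberately does not verify the XML signature, which Air’s service provider does on every login.

```python
"""Check a SAML Response against the values Air's guide requires.

Added example, not Air's code. It does NOT verify the XML signature; Air's
service provider does that on every login. Its purpose is to catch the
configuration slips the guide warns about before SSO is enforced.
"""
import xml.etree.ElementTree as ET
from typing import List

# Values taken directly from the guide
ACS_URL = "https://auth.air.inc/saml2/idpresponse"
SP_ENTITY_ID = "urn:amazon:cognito:sp:us-east-1_EbSzy11nS"

# ASSUMED placeholder attribute names: the guide does not reproduce the real
# (URL-shaped) names, so substitute the ones shown in Air's admin UI.
ATTR_FIRST = "urn:placeholder:air:firstname"
ATTR_LAST = "urn:placeholder:air:lastname"
ATTR_EMAIL = "urn:placeholder:air:email"

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


def check_name_id(name_id: str) -> List[str]:
    """Apply the guide's Name ID rules: present, not an email, no capital letters."""
    if not name_id or not name_id.strip():
        return ["NameID is empty"]
    problems = []
    if "@" in name_id:
        problems.append("NameID looks like an email address; use a stable directory ID instead")
    if name_id != name_id.lower():
        problems.append("NameID contains capital letters")
    return problems


def check_response(xml_text: str) -> List[str]:
    """Return the problems found; an empty list means the response matches the guide."""
    root = ET.fromstring(xml_text)
    problems = []
    # The IdP must post the response to Air's ACS URL
    if root.get("Destination") != ACS_URL:
        problems.append(f"Destination {root.get('Destination')!r} is not the ACS URL")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no Assertion element in response"]
    # AudienceRestriction must name Air's entity ID
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        problems.append(f"Audience {audiences} does not include Air's entity ID")
    # Bearer confirmation must be addressed to the ACS URL too
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != ACS_URL:
        problems.append("SubjectConfirmationData Recipient missing or not the ACS URL")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    problems += check_name_id(name_id.text if name_id is not None else "")
    # Each required attribute needs at least one non-empty value
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    for required in (ATTR_FIRST, ATTR_LAST, ATTR_EMAIL):
        values = attrs.get(required, [])
        if not values or not values[0]:
            problems.append(f"missing or empty attribute {required}")
    return problems


def sample_response(name_id: str, audience: str = SP_ENTITY_ID) -> str:
    """Constructed, unsigned SAML Response for demonstration; not a real IdP capture."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" Destination="{ACS_URL}">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">{name_id}</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{ACS_URL}" NotOnOrAfter="2024-01-01T00:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="{ATTR_FIRST}"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="{ATTR_LAST}"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="{ATTR_EMAIL}"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    # A stable, lowercase directory ID passes; an email-shaped, mixed-case one does not
    print(check_response(sample_response("00u1abcd2efghij3k4l5")))
    print(check_response(sample_response("Jane.Doe@example.com", audience="urn:wrong:audience")))
```

The Name ID checks matter more than they look: the subject is the key Air uses to recognise a returning user, so a value that later changes (an email after a rename) or differs only in case between two logins produces a second identity rather than a login to the existing one. Running a captured response through this before toggling “Enforce SAML SSO” catches that while email/password login is still available as a fallback.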

Enabling SAML SSO in your Air workspace

Now that you’ve created a SAML App for Air in your Identity Provider, you’re ready to enable SAML SSO in your Air workspace.

  1. Navigate to your Workspace Settings → Security & Identity

  2. Paste your SAML App’s metadata URL into the “SAML Metadata URL” field

    This value should be provided by your IdP after you’ve created your SAML App. Make sure that the URL is accessible publicly. (Quick test: can you open the URL in an incognito window in your web browser?)

    If your IdP does not provide you with a metadata URL, contact Air support.

  3. Toggle on “Enable SAML SSO”

    Once this is enabled, your users will be able to log in to your workspace via SAML SSO.

  4. [Optional] Toggle on “Allow approved domains to automatically join your workspace”

    By adding your company’s email domain to the approved domain list, your users can log in to your workspace without being explicitly added via email. As long as they have been granted access to Air within your IdP, they’ll be able to log in.

  5. [Optional] Toggle on “Enforce SAML SSO”

    This will require that your users log in via SAML SSO to access your workspace.

    Keep in mind, this will also prevent any users who are not in your IdP from accessing your workspace, even if they are added to the workspace as members via email.

Granting your users access to Air in your IdP

Once you’ve enabled SAML SSO on your workspace, you can now grant your users access to the application. This can be done within your IdP. Most IdPs support granting individual access, group access, or public access to all users in your IdP. You can choose the configuration that makes the most sense for your team.

Keep in mind, if you have not enabled “Approved Domains” on your workspace in Air, then your users will need to be invited to your workspace from Air via email in addition to being granted access in your IdP.


Congratulations! 🎉 You've successfully configured your Air workspace with SAML SSO! Users may now authenticate with your Identity Provider to access your Air workspace.
