Introduction
This article details the steps for configuring and using Beamo's SAML SSO with any Identity Provider (IdP). The setup includes steps on the Identity Provider's side, as well as on the Service Provider's side, which is Beamo.
Beamo allows SSO to be limited to certain domains, so that external collaborators can still join a space. The organization using SSO can define one or several domains for which it requires SSO.
Who can use this feature?
Super Admin | Site Manager | Team Admin | Surveyor | Collaborator | Viewer |
Setup SAML SSO |
Setting up SAML SSO
Configuring the Identity Provider
Each Identity Provider varies in the steps necessary to set up a SAML SSO configuration or application. Please refer to the provider-specific articles to get a better understanding of the settings and terms they use in their configuration flows.
Note: Providers’ configuration instructions are outlined here. For more detailed configuration instructions, please contact the respective ID provider.
- Google SAML SSO configuration
- *AWS SAML SSO configuration
- Azure SAML SSO configuration
- Okta SAML SSO configuration
Note: *AWS ID provider will be available in a future release.
Configuring Beamo
The SSO configuration is located in the Settings of Beamo.
- Beamo → Settings → Security
Click “Enable SAML SSO” to start the process.
Service Provider Configuration
The Service Provider Configuration defines the format of SAML requests.
Field | Description |
SP Entity ID | The Beamo endpoint for authentication requests. |
SAML 2.0 Metadata URL | Metadata URL for the Beamo endpoint. |
Assertion Consumer Service (ACS) URL | Location where the SAML assertion is sent from the IdP. |
Want Assertions Signed | Condition where Beamo expects SAML assertions to be signed. By default, SAML Apps will sign SAML assertions, so you may check this box. |
Validate Certificates | Check this box when using trusted and valid certificates from your IdP through a trusted CA. |
Identity Provider Configuration
The Identity Provider Configuration defines the format to expect for SAML responses. This information is found when setting up the SAML SSO configuration on the Identity Provider's side.
Field | Description |
Entity ID | (Required) Address or URL of your Identity Server or the IdP Entity ID. |
Single Sign On Service URL | SSO URL issued by your IdP. |
Single Log Out Service URL | (Optional) SSO Logout URL issued by your IdP. |
X509 Public Certificate | (Required) The X.509 Base-64 encoded certificate body. Do not include the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines or portions of the CER/PEM formatted certificate. Extra spaces, carriage returns, and other extraneous characters inside this field will cause certificate validation failure. Copy only the certificate data into this field. |
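One way to prepare the X509 Public Certificate value from a PEM file downloaded from the IdP, shown as an added example that is not part of Beamo's documentation or tooling. The function names and the sample bytes are assumptions made for illustration; the fingerprint helper is only useful if your IdP displays a SHA-256 fingerprint to compare against.

```python
import base64
import binascii
import hashlib
import re

ARMOR = re.compile(r"-----(?:BEGIN|END) CERTIFICATE-----")

# Constructed placeholder bytes shaped like DER (leading 0x30); not a real certificate.
SAMPLE_DER = bytes([0x30, 0x82, 0x00, 0x60]) + bytes(range(96))


def build_sample_pem() -> str:
    """Wrap SAMPLE_DER as PEM with CRLF endings and trailing spaces."""
    b64 = base64.b64encode(SAMPLE_DER).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\r\n" + " \r\n".join(lines)
            + "\r\n-----END CERTIFICATE-----\r\n")


def certificate_body(pem_text: str) -> str:
    """Return the single-line Base-64 body of exactly one PEM certificate."""
    if pem_text.count("-----BEGIN CERTIFICATE-----") > 1:
        raise ValueError("more than one certificate in input")
    # Drop the armor lines, then every space, tab, CR and LF.
    body = re.sub(r"\s+", "", ARMOR.sub("", pem_text))
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"not valid Base-64: {exc}") from exc
    # A DER-encoded certificate is an ASN.1 SEQUENCE, so it starts with 0x30.
    if not der or der[0] != 0x30:
        raise ValueError("decoded data does not look like a DER certificate")
    return body


def sha256_fingerprint(body: str) -> str:
    """Colon-separated SHA-256 of the DER bytes, for comparison with the IdP."""
    digest = hashlib.sha256(base64.b64decode(body, validate=True)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


if __name__ == "__main__":
    body = certificate_body(build_sample_pem())
    print(body)
    print(sha256_fingerprint(body))
```

Paste the printed body into the field; a mismatch between the printed fingerprint and the one shown by the IdP means the wrong certificate was copied.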
Allowed domains
Specify the email domains that are allowed to authenticate with SAML SSO. Add one domain per field. If users log in with name@example.com, the domain to be entered is example.com.
Test & Save
After the tests are successful, [Save] the configuration, and SSO will be enabled.