General setup of SAML SSO is available as part of the Beamo Plan(s) Enterprise.
Learn how to get more out of Beamo with Plans and Packs.


This article details the necessary steps for configuring and using Beamo's SAML SSO with any Identity Provider. The setup includes steps on the Identity Provider’s side (IdP), as well as on the Service Provider’s side, which is Beamo.

Beamo allows limiting SSO to certain domains to allow external collaborators to join a space. The organization using SSO can define one or several domains it requires to use SSO.

Who can use this feature?

  Super Admin Site Manager Team Admin Surveyor Collab-
Setup SAML SSO check_mark_32.png minus_32.png minus_32.png minus_32.png minus_32.png minus_32.png

Setting up SAML SSO

Configuring the Identity Provider

Each Identity Provider varies in the steps necessary to set up a SAML SSO configuration or application. Please refer to the provider-specific articles to get a better understanding of the settings and terms they use in their configuration flows.

Note: Providers’ configuration instructions are outlined here. For more detailed configuration instructions, please contact the respective ID provider.

Note: *AWS ID provider will be available in a future release.

Configuring Beamo

The SSO configuration is located in the Settings of Beamo.

  • Beamo → Settings → Security

Click “Enable SAML SSO” to start the process.

Service Provider Configuration

The Service Provider Configuration defines the format of SAML requests.

Field Description

SP Entity ID

The Beamo endpoint for authentication requests.

SAML 2.0 Metadata URL

Metadata URL for the Beamo endpoint.

Assertion Consumer Service (ACS) URL

Location where the SAML assertion is sent from the IdP.

Want Assertions Signed

Condition where Beamo expects SAML assertions to be signed. By default, SAML Apps will sign SAML assertions, so you may check this box.

Validate Certificates

Check this box when using trusted and valid certificates from your IdP through a trusted CA.

Identity Provider Configuration

The Identity Provider Configuration defines the format to expect for SAML responses. This information is found when setting up the SAML SSO configuration at the Identity Providers side.

Field Description

Entity ID

(Required) Address or URL of your Identity Server or the IdP Entity ID.

Single Sign On Service URL

SSO URL issued by your IdP.

Single Log Out Service URL

(Optional) SSO Logout URL issued by your IdP.

X509 Public Certificate

(Required) The X.509 Base-64 encoded certificate body. Do not include the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines or portions of the CER/PEM formatted certificate.

Extra spaces, carriage returns, and other extraneous characters inside this field will cause certificate validation failure. Copy only the certificate data into this field.

Allowed domains

Specify the email domains which are allowed to authenticate with SAML SSO. Add one domain per field. If the users log in with, the domain to be entered is


Test & Save

After the tests are successful, [Save] the configuration, and SSO will be enabled.


Was this article helpful?
1 out of 1 found this helpful