Configure SSO/SAML on Start.me

With SAML you can streamline access to Start.me by enabling users to log in with their existing work accounts. Whether you use Okta, OneLogin, JumpCloud, Azure ADFS, or another IdP, integration is straightforward.

What is SAML?

SAML is an XML-based open standard data format for exchanging authentication and authorization data between parties, in particular between an identity provider (IdP) and a service provider. This integration provides single sign-on between your IdP and Start.me, allowing users to authenticate in Start.me with their existing IdP credentials.




Step 1: Add new IdP (Identity Provider) to Start.me

To configure a new SAML2 integration, the administrator goes to Enterprise Admin Panel → Authentication → Single Sign-On (SSO) and clicks "Add".

While adding a new IdP, you can select one of the popular IdPs.


Step 2: Configure Start.me as an application in your IdP

Some IdPs can configure the SAML2 integration automatically from a metadata file. You can get the Start.me metadata file from the Metadata URL listed below.

Metadata URL

https://[yourteamdomain].start.me/users/auth/saml2/metadata?id=[auth-id]

Callback/ACS URL

https://[yourteamdomain].start.me/users/auth/saml2/callback?id=[auth-id]

Recipient

https://[yourteamdomain].start.me/users/auth/saml2/callback?id=[auth-id]

EntityID

startme

Required attributes

  • name

  • email

  • groups (optional, for team mapping)

[Figure: example SAML envelope]
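To catch a mismatch with the Step 2 values before users hit a failed login, this added example (not Start.me's own code) inspects a decoded SAML assertion for the Recipient, the EntityID and the required attributes. The sample assertion, the team domain `example-team` and the auth id `123` are constructed; that the IdP sends the EntityID as `Audience` and names the attributes exactly `name`, `email` and `groups` is an assumption.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED = ("name", "email")  # "groups" is optional (team mapping only)

def check_assertion(xml_text, acs_url, entity_id="startme"):
    """Return (problems, attributes). Configuration check only: no signature verification."""
    root = ET.fromstring(xml_text)
    find = lambda tag: root.iterfind(f".//saml:{tag}", NS)
    problems = []
    # Recipient must equal the Callback/ACS URL, including its ?id= part.
    recipients = [e.get("Recipient") for e in find("SubjectConfirmationData")]
    if acs_url not in recipients:
        problems.append(f"Recipient {recipients} != {acs_url}")
    # Assumption: the IdP puts the SP EntityID in the AudienceRestriction.
    audiences = [(e.text or "").strip() for e in find("Audience")]
    if entity_id not in audiences:
        problems.append(f"Audience {audiences} lacks {entity_id!r}")
    # Assumption: attributes are sent under exactly these Name values.
    attrs = {}
    for attr in find("Attribute"):
        vals = [(v.text or "").strip()
                for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = [v for v in vals if v]
    for name in REQUIRED:
        if not attrs.get(name):
            problems.append(f"required attribute {name!r} missing or empty")
    return problems, attrs

# Constructed sample: team domain, auth id and user are placeholders.
ACS = "https://example-team.start.me/users/auth/saml2/callback?id=123"
GOOD = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Subject><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
  <saml:SubjectConfirmationData Recipient="{ACS}"/>
 </saml:SubjectConfirmation></saml:Subject>
 <saml:Conditions><saml:AudienceRestriction>
  <saml:Audience>startme</saml:Audience>
 </saml:AudienceRestriction></saml:Conditions>
 <saml:AttributeStatement>
  <saml:Attribute Name="name"><saml:AttributeValue>John Doe</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="email"><saml:AttributeValue>john@doe.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="groups"><saml:AttributeValue>Marketing</saml:AttributeValue>
   <saml:AttributeValue>Sales</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""
# Same assertion with two common mistakes: ?id= dropped, email renamed.
BAD = GOOD.replace("?id=123", "").replace('Name="email"', 'Name="mail"')
if __name__ == "__main__":
    print(check_assertion(GOOD, ACS)[0], check_assertion(BAD, ACS)[0])
```

An empty problem list for an assertion captured during the test login means the IdP side matches the Step 2 values.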


Step 3: Configure IdP in Start.me

Go to Enterprise Admin Panel → Authentication and click "Configure" next to the IdP you created in Step 1. Here you can upload the metadata file generated by the IdP. The following fields need to be specified:

  • SAML 2.0 Endpoint (HTTP)

  • IdP Entity ID

  • Public Certificate



Change the label of the login button

Finally, you can configure the look and feel of the Login button that will be shown to users on the sign-in screen of your team portal.




Test the login flow

After you have configured your IdP, you can test the login flow by clicking "Open test page" in the menu.


This will open a new browser window with test instructions. You will need to copy the URL and open it in a new Incognito Window.



Skip the login screen

After you have configured your IdP, you can select it as the default login method and thereby bypass the Start.me login screen for your users. Instead of seeing the Start.me login screen, users are immediately redirected to the IdP login screen.



Automatically Enroll Users in the Right Enterprise Teams

You can effortlessly assign your Enterprise teams to members when they sign in through Single Sign-On (SSO). To set up this seamless process, follow these steps:

  1. Include a "groups" attribute in SAML: Ensure the SAML response includes a "groups" attribute indicating user group membership.

  2. Send us an email with the mapping of group names to your Start.me Enterprise teams.

Example Scenario:
When John Doe (john@doe.com) logs in via SSO and his "groups" attribute shows 'Marketing' and 'Sales', we'll automatically place him in the 'Marketing Team' and 'Sales Team' as per your mapping.


Need assistance?

Please contact support@start.me for more information about getting SAML2 integrated on Start.me.
