Using SAML, you can streamline access to Start.me by enabling users to log in with their existing work accounts. Whether you use Okta, OneLogin, JumpCloud, Azure AD FS, or another IdP, the integration is straightforward.
What is SAML?
SAML is an XML-based open standard for exchanging authentication and authorization data between parties, in particular between an identity provider (IdP) and a service provider (SP). This integration provides single sign-on (SSO) between your IdP and Start.me, allowing users to authenticate to Start.me with their IdP credentials.
Step 1: Add a new Identity Provider (IdP) to Start.me
To configure a new SAML2 integration, go to your Team admin panel → Authentication & SSO tab → SSO section → click Add.
While adding a new IdP, you can select one of the popular IdPs:
Step 2: Configure Start.me as an application in your IdP
Some IdPs allow you to configure the SAML2 integration automatically from a metadata file. You can get the Start.me metadata file from the Metadata URL listed below.
Setting | Value
Metadata URL | https://[yourteamdomain].start.me/users/auth/saml2/metadata?id=[auth-id]
Callback/ACS URL | https://[yourteamdomain].start.me/users/auth/saml2/callback?id=[auth-id]
Recipient | https://[yourteamdomain].start.me/users/auth/saml2/callback?id=[auth-id]
EntityID | startme
Required attributes |
Example SAML envelope:
Step 3: Configure IdP in Start.me
Go to your Team admin panel → Authentication & SSO tab and click Change configuration (via the three-dot menu) next to the IdP you created in step 1. Here you can upload the metadata file generated by the IdP. The following fields need to be specified:
SAML 2.0 Endpoint (HTTP)
IdP Entity ID
IDP Certificate (X.509)
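As an added example (not Start.me's own code), the script below reads an IdP metadata file and pulls out the three values this step asks for: the SAML 2.0 Endpoint (HTTP), the IdP Entity ID and the IdP certificate, and it also computes the certificate's SHA-256 fingerprint so you can compare it with the thumbprint shown in your IdP console before uploading. The metadata document and the certificate body are constructed placeholders for a fictitious IdP; a missing sign-in endpoint raises an error that corresponds to the "SSO URL is missing" message in Troubleshooting.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# XML namespaces used by SAML 2.0 metadata documents.
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample metadata for a fictitious IdP (not a real provider); the certificate
# body is a placeholder byte string, not a real X.509 certificate.
FAKE_CERT_DER = b"placeholder-not-a-real-certificate"
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.test/saml2/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      {base64.b64encode(FAKE_CERT_DER).decode()}
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="{POST_BINDING}" Location="https://idp.example.test/sso/post"/>
    <md:SingleSignOnService Binding="{REDIRECT_BINDING}" Location="https://idp.example.test/sso/redirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def extract_idp_settings(metadata_xml: str) -> dict:
    """Return the three Step 3 values from IdP metadata; raise ValueError if one is absent."""
    root = ET.fromstring(metadata_xml)  # use defusedxml for metadata from untrusted sources
    entity_id = root.get("entityID")
    idp = root.find("md:IDPSSODescriptor", NS)
    if not entity_id or idp is None:
        raise ValueError("metadata lacks an entityID or an IDPSSODescriptor")
    # SAML 2.0 Endpoint (HTTP): prefer the HTTP-Redirect binding, fall back to HTTP-POST.
    endpoints = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    sso_url = endpoints.get(REDIRECT_BINDING) or endpoints.get(POST_BINDING)
    if not sso_url:
        raise ValueError("IdP sign-in URL (SSO URL) missing: no SingleSignOnService with an HTTP binding")
    # IDP Certificate (X.509): first KeyDescriptor usable for signing (use="signing" or no use attribute).
    cert_text = None
    for kd in idp.findall("md:KeyDescriptor", NS):
        node = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if kd.get("use", "signing") == "signing" and node is not None and node.text:
            cert_text = "".join(node.text.split())  # strip line breaks and indentation
            break
    if cert_text is None:
        raise ValueError("IDP Certificate missing: no signing KeyDescriptor carries an X509Certificate")
    cert_der = base64.b64decode(cert_text, validate=True)
    return {"sso_url": sso_url, "entity_id": entity_id,
            "certificate_pem": f"-----BEGIN CERTIFICATE-----\n{cert_text}\n-----END CERTIFICATE-----",
            # SHA-256 fingerprint of the DER bytes, to compare with the thumbprint in the IdP console
            "fingerprint_sha256": hashlib.sha256(cert_der).hexdigest()}
```

Run it against the metadata file your IdP exported and paste the returned values into the matching fields; if the fingerprint does not match what the IdP console shows, you have the wrong file.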
Signed requests (optional)
If your IdP requires signed SAML requests, check Sign request on the Setup SAML tab of the configuration sidebar. Start.me signs requests with RSA-SHA1, so make sure your IdP accepts requests signed with RSA-SHA1.
On the Configure IdP tab you can download the SP Certificate (X.509) and upload it to your IdP as a verification certificate. Use Regenerate to create a new certificate and private key. After regenerating, upload the new certificate to your IdP again.
Change the label of the login button
You can configure the look and feel of the Login button that will be shown to users on the sign-in screen of your team portal.
Test the login flow
After you have configured your IdP, you can test the login flow by clicking Open test page in the three-dot menu next to your IdP.
This opens a new browser window with test instructions. Copy the URL and open it in a new Incognito window, so that the test runs in a fresh session without your existing Start.me login.
Troubleshooting
If the test page shows an error message after you click the login button, here is what each message means:
"This SSO provider isn't fully configured yet: the IdP sign-in URL (SSO URL) is missing." The SAML 2.0 Endpoint (HTTP) field is empty. Open Change configuration → Setup SAML and upload your IdP metadata file, or fill in the endpoint manually (Step 3).
"This SSO provider configuration could not be found." The IdP was removed in the meantime. Add it again in the SSO section and use the new test link.
"Sign-in with this SSO provider failed because of a configuration problem." Review the provider configuration, or contact support@start.me and we will look into it with you.
Skip the login screen
After you have configured your IdP, you can select it as the default login method, which bypasses the Start.me login screen for your users: instead of seeing the Start.me login screen, they are immediately redirected to the IdP login screen.
Automatically enroll users in the right Enterprise teams
You can automatically assign users to the correct Enterprise teams based on their group memberships in your IdP. See Automatically Assign Users to Enterprise Teams via SSO for setup instructions.
Need assistance?
Please contact support@start.me for help getting SAML2 integrated on Start.me.
