To use SAML single sign-on (SSO) for authentication to DX, you must configure both your external SAML identity provider (IdP) and your DX workspace.
In a SAML configuration, DX functions as a SAML service provider (SP). You can find the SAML implementation details for your IdP in the IdP's documentation.
Enabling SAML SSO
To enable SAML SSO, configure the Single sign-on URL and Audience URI (both shown on the SAML SSO settings page in DX) in your IdP, then enter the metadata URI published by your IdP into DX.
The three values are described below:
| Value | Other names | Description | Example |
| --- | --- | --- | --- |
| ACS URL | Single sign-on URL | The location to which the identity provider redirects its authentication response. | |
| SP Entity ID | Audience URI, SP URL, audience restriction | Identifies the issuer of a SAML request and the audience of a SAML response. | |
| Metadata URI | IdP Metadata URI | The URL at which the IdP publishes its SAML metadata. | |
NameID
The NameID should be an emailAddress (urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress) and must contain an email address that matches the one stored in DX. If you need email addresses to match solely on the part before the @ within a set of allowlisted domains, contact DX support.
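The following is an added illustration of the two assertion checks this page describes on the service-provider side (the audience restriction naming the SP Entity ID, and a NameID in emailAddress format matched against the user's email); it is not DX's code. The SP Entity ID, the user directory and the optional `allowed_domains` local-part matching (the behaviour the page says DX support can enable on request) are all assumed or constructed here. Signature verification, validity-window and replay checks are deliberately out of scope and must still be done by a real SAML library.

```python
"""SP-side checks on a SAML assertion: audience and NameID (added example)."""
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Hypothetical SP Entity ID; the real value is shown on the DX SAML settings page.
SP_ENTITY_ID = "https://sp.example.invalid/saml/metadata"

# Constructed user directory standing in for the emails stored in DX.
KNOWN_USERS = {"alice@example.com", "bob@example.com"}

# Constructed, unsigned assertion used only to exercise the checks below.
SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1" Version="2.0">
  <saml2:Issuer>https://idp.example.invalid/metadata</saml2:Issuer>
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">Alice@Example.com</saml2:NameID>
  </saml2:Subject>
  <saml2:Conditions>
    <saml2:AudienceRestriction>
      <saml2:Audience>https://sp.example.invalid/saml/metadata</saml2:Audience>
    </saml2:AudienceRestriction>
  </saml2:Conditions>
</saml2:Assertion>"""


def check_audience(root, sp_entity_id):
    """True only if every AudienceRestriction lists our SP Entity ID."""
    restrictions = root.findall(".//saml2:Conditions/saml2:AudienceRestriction", NS)
    if not restrictions:
        return False  # no restriction at all: reject rather than assume it is for us
    for r in restrictions:
        audiences = [a.text.strip() for a in r.findall("saml2:Audience", NS) if a.text]
        if sp_entity_id not in audiences:
            return False
    return True


def extract_email_nameid(root):
    """Return the NameID value if it uses the emailAddress format, else None."""
    name_id = root.find("saml2:Subject/saml2:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        return None
    value = (name_id.text or "").strip()
    return value if "@" in value else None


def match_user(email, known_users, allowed_domains=None):
    """Match the NameID email to a known user.

    Default: exact, case-insensitive email match (the behaviour the page describes).
    allowed_domains (hypothetical opt-in): match on the local part alone, but only
    when the NameID's domain is in the allowlist.
    """
    email = email.lower()
    known = {u.lower() for u in known_users}
    if email in known:
        return email
    if allowed_domains:
        local, _, domain = email.rpartition("@")
        if domain in {d.lower() for d in allowed_domains}:
            for u in known:
                if u.rpartition("@")[0] == local:
                    return u
    return None


def authenticate(assertion_xml, sp_entity_id=SP_ENTITY_ID,
                 known_users=KNOWN_USERS, allowed_domains=None):
    """Run both checks; return the matched user email, or None to deny login."""
    root = ET.fromstring(assertion_xml)
    if not check_audience(root, sp_entity_id):
        return None
    email = extract_email_nameid(root)
    if email is None:
        return None
    return match_user(email, known_users, allowed_domains)


if __name__ == "__main__":
    print(authenticate(SAMPLE_ASSERTION))  # alice@example.com
```

Rejecting an assertion with no AudienceRestriction at all, rather than treating it as addressed to us, is the conservative choice: an assertion the IdP issued for a different SP should never log a user into this one.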
Requiring SAML SSO
You can enable SAML SSO in your organization without requiring all members to use it. Enabling but not requiring SAML SSO in your organization can help smooth adoption. When SAML SSO is enforced, all other methods of authentication (e.g., passwordless email, Slack OpenID) are disabled.