Enabling SAML single sign-on
Updated over a week ago

To use SAML single sign-on (SSO) for authentication to DX, you must configure both your external SAML identity provider (IdP) and your DX workspace.

In a SAML configuration, DX functions as a SAML service provider (SP). You can find the SAML implementation details for your IdP in the IdP's documentation.

  • Microsoft Active Directory Federation Services (AD FS) SAML

  • Microsoft Entra ID (previously known as Azure AD) SAML

  • Okta SAML

  • OneLogin SAML

  • PingOne SAML

  • Shibboleth SAML

Enabling SAML SSO

To enable SAML SSO, configure the Single-sign on URL and Audience URI—which you can access in the SAML SSO settings page—in your IdP, then enter the metadata URI from your IdP in DX.

Below is a detailed description of these three values:

| Value | Other names | Description | Example |
| --- | --- | --- | --- |
| ACS URL | Single-sign on URL | The location an Identity Provider redirects its authentication response to. | https://app.getdx.com/saml/acs/alazsZt7oh8xRbqK3nx0iwn5Xo41Lm |
| SP Entity ID | Audience URI, SP URL, audience restriction | Used to identify the issuer of a SAML request and the audience of a SAML response | https://app.getdx.com/saml/sp/GvlKAGFgllQ14qP6amC1Duf6JOxr1T |
| Metadata URI | IdP Metadata URI | URL where IdP publishes SAML metadata | https://app.onelogin.com/saml/metadata/a592596a-cfdb-3758-88d7-80b36a817128 |

NameID

The NameID should use the emailAddress format (urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress) and must contain an email address that matches what is in DX. If you need an email address to match based solely on the part of the email preceding @ with a set of allowlisted domains, please contact DX support.

Requiring SAML SSO

You can enable SAML SSO in your organization without requiring all members to use it. Enabling but not requiring SAML SSO in your organization can help smooth adoption. When SAML SSO is enforced, all other methods of authentication (e.g., passwordless email, Slack OpenID) are disabled.
