Single-Sign-On (SSO) with SAML2
This feature is only available to teams on the Flagship tier.
freispace offers Flagship users the ability to set up Single-Sign-On (SSO) via SAML2.
Once configured, any user of the company can log in to freispace via their Identity Provider (IdP), without needing to register manually. As a company, you will no longer need to invite or manage users manually.
Getting started
freispace supports multiple Identity Providers (tenants) per team.
Possible Identity Providers (IdPs) include, amongst others:
- Microsoft Entra - Set-up Guide
- Google Workspace - Set-up Guide
- Okta - Set-up Guide
Please note that any Identity Provider (IdP) with SAML2 support can be configured.
If you require help setting up SSO for your company, feel free to contact us.
Setting up Single-Sign-On (SSO)
Head over to your Team settings (open your team menu and select the corresponding menu item) and switch to the last tab, Administration.
Team Login URL
The team login URL is the link to your team's login page. For users to log in via SSO, they must always use that URL.
Note down the URL and share it with all team members. SSO only works via your individual login URL.
You may change the login URL to your liking; the old URL will then no longer be accessible. Changing the URL once users are already using SSO is not recommended.
Configuring tenants
If you haven't set up any tenants yet, you will automatically see the form for adding your first Identity Provider.
Otherwise, the configured Identity Providers will be displayed. In this case, click Add tenant at the bottom of the section.
Depending on your Identity Provider, follow one of our integration guides:
- Microsoft Entra - Set-up Guide
- Google Workspace - Set-up Guide
- Okta - Set-up Guide
You will need to fill in the following details.
Connection name required
This can be any name you want to give this tenant. Ideally, use something descriptive such as Google, Microsoft or Okta. Users may see this name when logging in and should recognise it.
IdP Issuer ID required
The Identity Provider Issuer ID is usually a URL (e.g. https://sts.windows.net/xxx-yyy-zzz/ or https://accounts.google.com/o/saml2?xxyyzz). Copy it exactly as your IdP states it, including any trailing slash, because it must match the Issuer your IdP places in its SAML responses.
Login URL (SSO endpoint) required
This is the URL to which freispace redirects users so they can log in at the IdP.
Logout URL (SLO endpoint) optional
Usually, you will want to redirect users to an endpoint that signs them out of all SSO-enabled applications. If your IdP provides such an endpoint, enter it here.
IdP X.509 Certificate required
Copy and paste your Identity Provider's X.509 certificate into this field. This is the public signing certificate the IdP publishes (typically in its metadata); it is not a private key. The certificate usually looks like this:
-----BEGIN CERTIFICATE-----
MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQDnhGkqd3M2VzeC
[...]
csEu4K06kcw4oMna9cnwyqGTDK6KFCg=
-----END CERTIFICATE-----
Paste the entire certificate, including the start and end lines.
Retrieving your users' names
In order to import your staff's names into freispace, we recommend setting up the correct namespaces.
Depending on your Identity Provider, you may either receive a namespace definition, represented as a URL, or may need to enter one.
Namespace definition for given names optional
Enter your Identity Provider's namespace for first names. If you need to define one, we recommend using:
https://schemas.xmlsoap.org/ws/2005/05/identity/claims
Namespace definition for surnames optional
Enter your Identity Provider's namespace for last names. If you need to define one, we recommend using:
https://schemas.xmlsoap.org/ws/2005/05/identity/claims
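As an added example (not freispace's own code), here is how a service provider uses the tenant fields described above: after the response signature has been verified with the configured X.509 certificate, it checks the assertion's Issuer against the IdP Issuer ID, its validity window and its audience before trusting the names carried under the configured namespaces. The audience value and the sample assertion are constructed, and the claim names are assumed to be the namespace followed by /givenname and /surname (the WS-Federation convention).

```python
from datetime import datetime
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIMS = "https://schemas.xmlsoap.org/ws/2005/05/identity/claims"
# Constructed tenant configuration mirroring the freispace form fields;
# "audience" is a placeholder for the service-provider entity ID.
TENANT = {"issuer": "https://sts.windows.net/xxx-yyy-zzz/",
          "audience": "https://sp.example.invalid/saml",
          "given_name_ns": CLAIMS, "surname_ns": CLAIMS}

def _ts(value):  # SAML timestamps are UTC ISO 8601 with a trailing "Z"
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def _attr(assertion, name):  # first value of the attribute called `name`, if any
    for a in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        if a.get("Name") == name:
            return a.findtext("saml:AttributeValue", namespaces=NS)
    return None

def read_assertion(xml_text, tenant, now):
    """Check issuer, validity window and audience, then return NameID and names.
    Assumes the XML signature was already verified against the tenant's X.509
    certificate; an unsigned or unverified assertion must never reach here."""
    assertion = ET.fromstring(xml_text)
    if assertion.tag != "{%s}Assertion" % NS["saml"]:
        raise ValueError("not a SAML 2.0 Assertion")
    issuer = assertion.findtext("saml:Issuer", namespaces=NS)
    if issuer != tenant["issuer"]:  # must equal the configured IdP Issuer ID exactly
        raise ValueError("issuer %r does not match the configured tenant" % issuer)
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion has no Conditions or is outside its validity window")
    audiences = [a.text for a in cond.iterfind("saml:AudienceRestriction/saml:Audience", NS)]
    if tenant["audience"] not in audiences:  # rejects assertions minted for another SP
        raise ValueError("assertion was not issued for this service provider")
    return {"name_id": assertion.findtext("saml:Subject/saml:NameID", namespaces=NS),
            "given_name": _attr(assertion, tenant["given_name_ns"] + "/givenname"),
            "surname": _attr(assertion, tenant["surname_ns"] + "/surname")}

# Constructed, unsigned sample assertion for illustration only.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">
 <saml:Issuer>https://sts.windows.net/xxx-yyy-zzz/</saml:Issuer>
 <saml:Subject><saml:NameID>alice@example.invalid</saml:NameID></saml:Subject>
 <saml:Conditions NotBefore="2024-05-01T09:55:00Z" NotOnOrAfter="2024-05-01T10:05:00Z">
  <saml:AudienceRestriction><saml:Audience>https://sp.example.invalid/saml</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
 <saml:AttributeStatement>
  <saml:Attribute Name="%s/givenname"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="%s/surname"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement></saml:Assertion>""" % (CLAIMS, CLAIMS)
```

Calling read_assertion(SAMPLE, TENANT, _ts("2024-05-01T10:00:30Z")) returns the NameID and both names; the same assertion is rejected once NotOnOrAfter has passed or when the tenant's Issuer ID differs.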