SSO lets users access Sana with their existing authentication system with one click. Sana Labs supports SSO as a service provider through SAML 2.0. This makes Sana work off-the-shelf with most common Identity Providers such as Azure, Okta, and Google Workspace. In order to configure SSO, we will need to exchange some information between your Identity Provider and Sana.
SSO Configuration in general
(with screenshots from Google Workspace)
SSO is usually configured by creating a custom APP in your identity provider of choice. And then by communicating to Sana the details of your APP, so that Sana can setup SSO on their side. Here is a summary of the steps needed:
You create an APP on your identity provider.
You configure the SAML 2.0 protocol in the APP, by setting up the parameters that Sana provides.
You save and send the information that Sana needs to configure SSO on their side. This information is usually given by the APP of your Identity Provider, while you configure it at step 2.
You assign the APP to the users in your company that you want to be able to login to Sana through SSO.
You test your SSO setup
Step 1 and 2 - Creating and configuring the APP
Please create an APP in your Identity Provider.
Now find where you can setup the SAML 2.0 protocol. It should be a setting somewhere in the app. Once you find it, set these parameters in the right field:
Observe: Change the DOMAIN to your actual domain name provided by Sana.
Certificate: A certificate is not always needed. It depends on the settings of your Identity Provider. You can skip it, and if needed later, your support person at Sana will provide it to you.
SAML Response Mapping Attributes
Sana needs some important information about your users, in oder to log them in with SSO. This information is email, first name and last name, in form of attributes. The attributes that need to be communicated to Sana by your APP are named exactly as the following:
email
firstName
lastName
You need to find the section in the app where you can setup the SAML attribute mapping, and select the information in your system that corresponds to the attribute above, and make this mapping.
Observe: The casing of the Sana attributes is important, it has to be exactly like above.
The full attributes must be exactly like above, and they must not be prefixed with any string or URL. If the attributes look like "something.email" the SSO handshake will fail.
Here is an example attributes mapping configuration:
Step 3 - Save and send the needed information to Sana
While you setup your APP, you will be given important information that you need to send back to your support person at Sana.
Certificate
SSO URL
Entity ID
It is also possible to just provide a SAML Metadata XML file which has all the values above.
You do not need to worry about sending this information securely, as it only contains only public information, so you can just send it via email.
Step 4 and 5 - Assign your APP and test it
You now need to assign the APP to the users in your company that you want to be able to login to Sana through SSO. If you don't assign the APP, nobody will be able to login to Sana using SSO, even if you have setup everything correctly. Usually you can select with organizational units or groups should get access to your APP, this setting depends on your Identity Provider setup. The most common setting is to assign the APP to the whole company users.
Once you have assigned your app, you can test your SSO setup. There should be a way to do it from your identity provider.
You you don't find any way to test it, make sure your user is assigned to the APP and just visit https://DOMAIN.sana.ai, where DOMAIN is your org name, which is provided by Sana.
SSO configuration with Okta
Here is a step-by-step guide on how to setup Sana as a SAML 2.0 application on Okta.
Create a new SAML 2.0 App Integration
2. Enter the desired app name and optionally upload app logo, and then press Next
3. Enter the following information to the respective fields in the SAML Settings screen replacing example with the actual domain you got from Sana.
Single sign on url: https://example.sana.ai/x-realtime/auth/saml/acs
Audience URI (SP Entity ID): https://example.sana.ai/x-realtime/auth/saml/metadata
4. Add the following attributes with the exact casing
email : user.email
firstName: user.firstName
lastName: user.lastName
The configuration should look as follows afterwards:
If things are configured on Sana, you can press the “Preview the SAML Assertion” response button at this stage and see an assertion response.
When everything is ready, press Next.
5. In the feedback form, select “I'm an Okta customer adding an internal app” and provide feedback if you like to.
6. When creation process is finished, you will be redirected to the newly created apps Sign On tab. On the bottom right, click “View SAML setup instructions” button where you will get the following screen:
7. Provide your Sana account manager with all the information here:
Identity Provider Sign-on URL
Identity Provider Issuer
X.509 Certificate
8. Sana account manager will set your Sana app with this configuration and then you can test the setup at your domain at https://<example>.sana.ai
SSO Configuration with Azure
Here is a step-by-step guide on how to setup Sana as a SAML 2.0 application on Azure.
To configure SSO, you need one of the following roles: Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal (read more here).
In the Azure portal, find the Manage section. Select “Single-sign on”
On the Select a single sign-on method page, select SAML.
3. In the Basic SAML Configuration step enter the following info (Replace DOMAIN with your Domain at Sana):
Identifier (Entity ID): https://DOMAIN.sana.ai/x-realtime/auth/saml/metadata
Reply URL (Assertion Consumer Service URL): https://DOMAIN.sana.ai/x-realtime/auth/saml/acs
4. In the Attributes & Claims step, make sure email, firstName and lastName are configured as attributes.
5. In the Set up single sign-on with SAML step, in the SAML Signing Certificate section, select Download to download the Certificate (Base64) from the specified options. You will need to provide this in a later step.
6. On the Set up step, copy the values from Login URL & Azure AD Identifier fields. You will need these at the next step
7. Provide your Sana account manager with all the information here:
Login URL
Azure AD Identifier
Certificate (Base64)
8. Sana account manager will set your Sana app with this configuration. Once this is done, you can test the setup using the Test single sign-on with Sana step:
SSO configuration with OneLogin
Here is a step-by-step guide on how to set up Sana as a SAML 2.0 application on OneLogin.
Select the Applications tab, and click the ‘Add App’ button in the top right corner. Search for ‘SCIM Provisioner with SAML (SCIM v2 Enterprise, full SAML)’ and select that.
Set a descriptive name and an icon for your Sana integration and press Save.
Enter the following information to the respective fields in the Configuration screen, replacing example with the actual domain you got from Sana.
Single sign on url: https://example.sana.ai/x-realtime/auth/saml/acs
Audience URI (SP Entity ID): https://example.sana.ai/x-realtime/auth/saml/metadata
Make sure to change the SAML signature element to ‘Both’
Under Parameters, make sure to include three fields that are mandatory, note the exact casing:
email
firstName
lastName
Click the SSO tab. Share the following information with your Sana representative
Your X.509 certificate (click View Details to download it)
The issuer URL
The SAML 2.0 Endpoint (HTTP)
6. Sana account manager will set your Sana app with this configuration and then you can test the setup at your domain at https://<example>.sana.ai
FAQ
Q: We get this message {"error":{"message":"BadRequest: No attribute value for email"}}
A: That message usually comes when the email attribute in the SSO configuration is not set on your side, or it has an invalid format. Have you set up the attributes according to the instructions? Sometimes there are residual namespaces in the attributes name. Please make sure there are no name spaces nor prefixes, it should just be “email”.
Q: "I cant find Sana as official app in Azure/ Okta?"
A: This is not a problem, we simply don't have an official app today. They have to set it up manually through the guidelines.