Single sign-on (SSO)

Single sign-on (SSO) enables your users to authenticate via any SAML-compatible identity provider.

Single sign-on is restricted to Enterprise customers only and must be enabled on a per-account basis by contacting Ably. Only account owners can configure SSO for an account.

Any SAML-compatible identity provider can be used to enable SSO.

The following instructions are examples of configuring SSO with Okta and Google Workspace.

To enable SSO using Okta as the identity provider, configure the following properties in your Ably account dashboard and your Okta account:

In your Ably account dashboard:

1. Log in to your account.
2. Select Settings from the account navigation dropdown.
3. Toggle Enable Single Sign-On under the Authentication Settings section.
4. Note down the Single sign-on URL and Audience URI values.

In your Okta account:

Use the Okta guide for enabling SSO.

1. Upload the Ably logo.
2. Select EmailAddress for the Name ID format field.
3. Select Email for the Application username field.
4. Ably requires users’ full names. Okta can share user profile fields as SAML attributes.
5. Ensure you assign users to the newly created Okta application.
6. Note down the Identity Provider metadata from Okta.

In your Ably account dashboard:

1. Log in to your account.
2. Select Settings from the account navigation dropdown.
3. Complete the SSO fields with the values obtained from Okta:
   • Identity Provider Single Sign-On URL
   • Identity Provider Issuer
   • X.509 Certificate
4. Save the authentication settings.

To enable SSO using Google Workspace as the identity provider, configure the following properties in your Ably account dashboard and your Google Workspace:

In your Ably account dashboard:

1. Log in to your account.
2. Select Settings from the account navigation dropdown.
3. Toggle Enable Single Sign-On under the Authentication Settings section.
4. Note down the Single sign-on URL and Audience URI values.

In your Google Workspace account:

Use the Google Workspace guide for enabling SSO.

1. Upload the Ably logo.
2. Copy and paste the metadata configuration into your Ably account:
   • Identity Provider Single Sign-On URL
   • Use Entity ID from Google Workspace as the Identity Provider Issuer in your Ably account.
   • X.509 Certificate
3. Save the authentication setting changes in your Ably account.
4. Copy and paste the SAML settings from your Ably account into Google Workspace:
   • Use Single sign on URL from your Ably account as the ACS URL in Google Workspace.
   • Use SP Entity Id from your Ably account as the Entity ID in Google Workspace.
   • Use Entity ID from Google Workspace as the Identity Provider Issuer in your Ably account.
   • Select EMAIL for the Name ID format field.
   • Select Basic Information > Primary Email for the Name ID field.
5. Ably requires users’ full names. Google Workspace can share user profile fields as SAML attributes.
6. Ensure you assign users to the newly created Google Workspace application.
7. Test the SSO connection from Google Workspace.

Strict mode can be enabled to restrict access to your Ably account to only those users that authenticate with your identity provider. Users that attempt to log in using another method, such as their email address and password or a GitHub log in will be prompted to re-authenticate with your identity provider.

Strict mode ensures that Ably account access is handled by your identity provider. If a user is removed from your identity provider they will no longer be able to access the Ably account once their current session expires.

To enable strict mode:

1. Log in to your account.
2. Select Settings from the account navigation dropdown.
3. Toggle Enable Strict Mode under the Authentication Settings section. This setting is only visible if SSO has been enabled.