SAML SSO
SAML SSO is available on Enterprise plans. If you are interested, please contact sales@screendesk.io.
This document guides you through the process of setting up Single Sign-On (SSO) for Screendesk using SAML (Security Assertion Markup Language) with popular Identity Providers (IdPs) like Google and Okta, as well as custom SAML providers.
Prerequisites
Administrative access to Screendesk's admin panel.
Administrative access to your IdP (Google Workspace, Okta, or other SAML providers).
Key terms
Service Provider (SP): Screendesk, which will be configured to authenticate users via SSO.
Identity Provider (IdP): The system (like Google, Okta) managing user identities and login credentials.
Assertion Consumer Service (ACS) URL: The endpoint in Screendesk where SAML responses are sent.
Entity ID: A unique identifier for the SP (Screendesk) in the SAML protocol.
Setting Up SAML SSO with Google Workspace
Step 1: Configure Google as IdP
Access Google Admin Console: Go to your Google Workspace admin dashboard.
Add Screendesk as a SAML Application: Navigate to Apps > SAML apps, and click on '+ Add App' > 'Add custom SAML app'.
Google IdP Information: Note down the SSO URL and Entity ID that Google shows for the app and download the IdP certificate. On the Service provider details step, enter the ACS URL and Entity ID provided by Screendesk so that Google sends SAML responses to the right endpoint.
Step 2: Configure Screendesk
Access Screendesk Admin Panel: Log in to your Screendesk admin account.
Enter SAML Details: Go to the SAML SSO settings page.
SSO Domain: Enter your organization's email domain (for adrien@screendesk.io, the domain is screendesk.io).
IDP Entity ID: Paste the Google Entity ID.
Single Sign-On URL: Paste the Google SSO URL.
IDP Certificate: Upload the Google certificate.
Step 3: User Access and Attribute Mapping
Setup Access: Assign users or groups in Google Admin who can access Screendesk.
Attribute Mapping: Map the Google user attributes to the email, first name and last name attributes that Screendesk requires (see Required Data Attributes below).
Setting Up SAML SSO with Okta
Step 1: Add Screendesk in Okta
Access Okta Admin Dashboard: Navigate to your Okta admin console.
Create a New App: Choose 'Applications' > 'Create App Integration' > 'SAML'.
Configure SAML Settings: Follow the setup wizard, entering the ACS URL (Single sign-on URL) and Entity ID (Audience URI) provided by Screendesk. When the wizard finishes, Okta displays the Identity Provider Single Sign-On URL, Identity Provider Issuer and X.509 certificate that Screendesk needs.
Step 2: Configure Screendesk
Enter the Okta values in Screendesk's SAML SSO settings, as in Step 2 of the Google setup: the Identity Provider Issuer as the IDP Entity ID, the Identity Provider Single Sign-On URL as the Single Sign-On URL, and the X.509 certificate as the IDP Certificate.
Troubleshooting
Verify that the ACS URL and Entity ID in Okta match those provided by Screendesk.
Setting Up Custom SAML Providers
For custom SAML providers, the process involves the same steps. Register Screendesk's ACS URL and Entity ID with your provider, and obtain the provider's IdP Entity ID, Single Sign-On URL and signing certificate to enter into Screendesk's SAML settings.
Testing and Validation
After configuration, test the SSO login process:
Log out of Screendesk.
Access Screendesk: Attempt to log in via your IdP.
Verify Successful Login: Ensure that the SSO process completes without errors.
Troubleshooting
If login fails, ensure that the ACS URL and Entity ID configured in your IdP match those provided by Screendesk, and that the IDP Entity ID, Single Sign-On URL and certificate entered in Screendesk match what your IdP publishes.
Required Data Attributes
For a successful integration and optimal user experience with SAML SSO, Screendesk requires the following user data attributes from the Identity Provider (IdP):
Email: The user's email address. It's used as the primary identifier for user accounts in Screendesk.
First Name: The user's first name.
Last Name: The user's last name.
These attributes are essential for account creation and management in Screendesk. Ensure that your IdP is configured to release these attributes to Screendesk during the SAML authentication process.
Creating end-user accounts
To add members, create accounts for them in your IdP. The first time a new member logs in to Screendesk via the IdP, a Screendesk account will be created for them via automatic IdP provisioning. The user will have access to organization resources as an organization member.
Setup requires lower-case email addresses. Do not use mixed-case email addresses in your IdP, as the address is the account identifier in Screendesk.
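When a login fails, the quickest diagnosis is to capture the SAML response the IdP posts to the ACS URL (the browser's developer tools or a SAML tracer extension will show it) and compare its fields with the Screendesk-side settings. The script below is an added example, not Screendesk's code, serving the Troubleshooting, Required Data Attributes and lower-case email points above: it checks that Destination is the ACS URL, that both Issuer elements are the IdP Entity ID, that the Audience is Screendesk's Entity ID, that the assertion is inside its validity window, that the email, first name and last name attributes are present, and that the email is lower case. It deliberately does not verify the XML signature, which a real service provider must do (with an xmlsec library, not ElementTree) before trusting any of these fields. The attribute names email, firstName and lastName, all URLs, and the sample response are assumptions constructed for the example; Screendesk's actual attribute names are not stated on this page.

```python
# Added example (not Screendesk code): compare a captured SAML Response with the
# Screendesk-side settings. No signature verification is done here; a real SP
# must verify the signature first. Attribute names and URLs are assumptions.
import xml.etree.ElementTree as ET  # for untrusted input, parse with defusedxml instead
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
REQUIRED_ATTRS = ("email", "firstName", "lastName")  # assumed attribute names

# Placeholder settings standing in for what the Screendesk settings page shows.
ACS_URL = "https://sp.example.com/saml/acs"
SP_ENTITY_ID = "https://sp.example.com/saml/metadata"
IDP_ENTITY_ID = "https://idp.example.com/saml/metadata"
NOW = datetime(2024, 5, 1, 12, 2, tzinfo=timezone.utc)     # inside the sample's window
LATER = datetime(2024, 5, 1, 12, 30, tzinfo=timezone.utc)  # after NotOnOrAfter

# Constructed, unsigned sample response (a real one carries ds:Signature elements).
SAMPLE_RESPONSE = """
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2024-05-01T12:00:00Z" Destination="https://sp.example.com/saml/acs">
  <saml:Issuer>https://idp.example.com/saml/metadata</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
    <saml:Issuer>https://idp.example.com/saml/metadata</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.com/saml/metadata</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="firstName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="lastName"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""


def _ts(value: str) -> datetime:
    """Parse a SAML UTC timestamp such as 2024-05-01T12:05:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_saml_response(xml_text, acs_url=ACS_URL, sp_entity_id=SP_ENTITY_ID,
                        idp_entity_id=IDP_ENTITY_ID, now=None):
    """Return a list of problems; an empty list means every check passed."""
    now = now or datetime.now(timezone.utc)
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        return ["document is not a samlp:Response"]
    if root.get("Destination") != acs_url:
        problems.append(f"Destination {root.get('Destination')!r} does not match ACS URL {acs_url!r}")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        problems.append("IdP status is not Success")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        problems.append(f"expected exactly one Assertion, found {len(assertions)}")
        return problems
    assertion = assertions[0]
    # Both the Response and the Assertion name the issuer; both must be the IdP Entity ID.
    for where, el in (("Response", root), ("Assertion", assertion)):
        issuer = el.findtext("saml:Issuer", default="", namespaces=NS).strip()
        if issuer != idp_entity_id:
            problems.append(f"{where} Issuer {issuer!r} does not match IdP Entity ID {idp_entity_id!r}")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        problems.append("Assertion has no Conditions element")
    else:
        audiences = [a.text.strip() for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text]
        if sp_entity_id not in audiences:
            problems.append(f"Audience {audiences} does not include SP Entity ID {sp_entity_id!r}")
        if cond.get("NotBefore") and now < _ts(cond.get("NotBefore")):
            problems.append("assertion not yet valid (NotBefore is in the future; check clock skew)")
        if cond.get("NotOnOrAfter") and now >= _ts(cond.get("NotOnOrAfter")):
            problems.append("assertion expired (NotOnOrAfter has passed; check clock skew)")
    attrs = {}
    for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[a.get("Name")] = [v.text.strip() for v in a.findall("saml:AttributeValue", NS) if v.text]
    for name in REQUIRED_ATTRS:
        if not attrs.get(name):
            problems.append(f"required attribute {name!r} missing or empty")
    email = (attrs.get("email") or [""])[0]
    if email != email.lower():
        problems.append(f"email {email!r} is not lower case")
    return problems


if __name__ == "__main__":
    for problem in check_saml_response(SAMPLE_RESPONSE, now=NOW) or ["all checks passed"]:
        print(problem)
```

A mismatch reported for Destination or Audience points at the values entered on the IdP side (the ACS URL and Entity ID Screendesk gave you); an Issuer mismatch points at the IDP Entity ID entered in Screendesk; a NotBefore or NotOnOrAfter failure on a fresh response usually means clock skew between the IdP and the server.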
Removing accounts
Removing a member from the IdP prevents that user from signing in to the corresponding Screendesk account, but does not remove the account from Screendesk. We advise also removing the user from Screendesk.
Controlling access
Once you have set up SAML SSO, the IdP controls who can access your Screendesk account: grant or revoke access by assigning or unassigning users and groups to the Screendesk application in the IdP.