Single Sign-On (SSO) Authentication

  • Updated
  • Updated
Avatar
Written by Charissa F.
  • Updated
Requires one of the following licenses:

Important

If you set up SSO using the SAML experience that was available prior to November 20, 2024, you must migrate to the new SSO experience by November 7, 2025 to avoid sign-in disruptions.

Multi-Factor Authentication (MFA) is required for all users with elevated access. For other users, you can set up Single Sign-On (SSO) so they log in with corporate credentials instead of separate Samsara passwords.

SSO centralizes login management through your identity provider (IdP), reducing security risks. Samsara supports Google Authentication and third-party providers such as Okta or Microsoft Entra.

To enable SSO, create configurations for both drivers and administrators. If you plan to cover both groups, set up a separate SAML application for each.

Set up SSO for Drivers

If you want your drivers to use SSO to log in to the Samsara Driver App, set up a separate SAML application in your IdP using the following workflow:

  1. Verify your domain for secure SSO authentication.

    You must complete domain verification before enabling SSO. Only users with verified domains will be able to access the organization.

  2. Select the Settings icon (gear icon) at the bottom of your Fleet menu to view dashboard settings.

  3. In Organization, select Single Sign-On.

  4. In the Single Sign-On (SSO) for Driver Login section, click Add.

  5. Click Copy next to the Samsara metadata URL and share it with your IdP administrator.

    If your IdP doesn’t accept the metadata URL, expand the details to retrieve the Service Provider Entity ID, Post-back/ACS URL, and SAML Attribute for the driver’s username and to define the SSO configuration in your IdP.

    • Name: driver_username

    • Namespace: https://cloud.samsara.com/saml/attributes

    • Source attribute

    This information can also be used to define the SSO configuration with your IdP.

  6. Provide either the metadata URL or upload a metadata file from your IdP.

    Note

    The x.509 certificate included in your IdP metadata will expire. To prevent access disruptions, renew the certificate in your IdP and update the Samsara metadata before it expires. For more information, see Renew an x.509 Certificate.

  7. Save your changes when finished.

Set up SSO for Samsara Administrators

If you want your administrators to use SSO to log in to the Samsara dashboard, set up a separate SAML application in your IdP using the following workflow:

  1. Verify your domain for secure SSO authentication.

    You must complete domain verification before enabling SSO. Only users with verified domains will be able to access the organization.

  2. Select the Settings icon (gear icon) at the bottom of your Fleet menu to view dashboard settings.

  3. In Organization, select Single Sign-On.

  4. In the Single Sign-On (SSO) for User Login section, click Update.

  5. Click Copy next to the Samsara metadata URL to record the URL for use by your identity provider. Send that URL to the administrator for your IdP.

    If your IdP doesn’t accept the metadata URL, you can expand the details to retrieve the Service Provider Entity ID, Post-back/ACS URL, and SAML Attributes for user identification and to define the SSO configuration in your IdP.

  6. Retrieve the metadata from the IdP.

    You can provide either a metadata URL or you can update a metadata file provided by the IdP.

  7. Save your changes when finished.

Set the Authentication Type for Users

If users are still on basic authentication, you’ll need to convert their accounts to enable SSO. You can do this either through a direct URL (explained later) or by using the API to update user authentication types programmatically.

Convert existing users who log in using basic authentication to use SSO using one of the following methods:

  • Direct login: Have users log in to the IdP or use the direct SSO URL from Samsara.

    • https://cloud.samsara.com/signin/<orgid>

    • https://cloud.eu.samsara.com/signin/<orgid>

    Where <orgid> is the unique ID for your organization. This login will convert a user's authentication method from basic authentication to single sign-on.

    After the user logs in, the account is automatically converted to use SSO for future authentication attempts.

  • Samsara API: Use the Samsara API to update the user authentication type from Basic to SAML. Refer to the API documentation for the required endpoint and parameters.

  • Bulk import: From the Samsara dashboard you can update the authentication type for your users by editing and importing a CSV file (see Edit Administrators in Bulk). To do so, you change the authType from Basic to SAML for users and then import the CSV file.

Choose the method that best fits your organizational workflow to ensure a seamless transition to SSO for all users.

Integrate Microsoft Entra as your IdP

Samsara supports integration with Microsoft Entra (formerly known as Azure). For detailed instructions on creating a SAML integration, see Tutorial: Microsoft Entra single sign-on (SSO) integration with Samsara.

Before you configure authentication, make sure you have access to both the Samsara dashboard and the Microsoft Entra Admin Center. Use the following workflow to set up SSO with Microsoft Entra:

  1. Verify your domain for secure SSO authentication.

    You must complete domain verification before enabling SSO. Only users with verified domains will be able to access the organization.

  2. In Samsara, create a separate SSO configuration for administrators, drivers, or both:

  3. In Microsoft Entra, set up a new SAML application for Samsara.

    1. Navigate to Identity > Application > Enterprise applications.

    2. Select + New application.

    3. + Create your own application.

      1. Enter the name of application Samsara.

      2. Select Integrate any other application you don't find in the gallery (Non-gallery).

      3. Create the app.

    4. Assign users and groups.

      1. Click + Add user/group.

      2. Under Users, click None Selected.

      3. Select the users you want to add, and then click Select.

      4. Click Assign.

    5. Configure SAML.

      1. In the side navigation, select Overview.

      2. Select Get Started in the Set up single sign on box.

      3. Click SAML.

      4. Select Edit in the Basic SAML Configuration to add the SAML fields provided by your Samsara Admin.

        Copy the link from Service Provider Entity ID into the Identifier (Entity ID) field.

        Copy the link from Post-back/ACS URL to the Reply URL (Assertion Consumer Service URL) field.

      5. Save your changes.

    6. Add claims for the required Samsara user attributes.

      sso-entra-idp-manage-claim.png

      To pass user details during authentication, define claims for the user’s email and name. To assign roles or tags at login, add claims for those values as well.

      1. Select Edit in the Attributes & Claims section.

      2. Click Add a new claim.

      3. To define the claim, select Edit in the Attributes & Claims section and Add a new claim for each of the Samsara user attributes.

        • Name attribute: We recommend you configure the Source attribute for name to the value that you would like to be mapped to Samsara's name. For example, you can use user.displayname as your source attribute.

        • Email attribute: We recommend you configure the Source attribute for email to the value that you would like to be mapped to Samsara's name. For example, you can use user.mail as your source attribute.

      4. (Optional) To assign roles or tags during login, define additional claims in Microsoft Entra and map them to the correct values using claim conditions. Use the following workflow to configure claim behavior:

        1. In the User Attributes & Claims section, add the following claims:

          • https://cloud.samsara.com/saml/attributes/role_name

          • https://cloud.samsara.com/saml/attributes/role_tags

        2. For each role_name and role_tags claim:

          1. Set User type to Members.

          2. Click Select groups and choose the group or groups to apply the claim to.

            To simplify configuration and future maintenance, we recommend using a consistent naming convention for group names.

          3. Set Source to Attribute.

          4. Enter the role or tag name in the Value field.

            Quotation marks are added automatically.

          5. Click Save to finish creating the claim.

      5. Click Save to apply the full SAML configuration.

  4. To complete the connection between Microsoft Entra and Samsara, upload the IdP metadata to the appropriate SSO configuration in the Samsara dashboard:

    1. In Microsoft Entra, copy the App Federation Metadata URL or download the metadata XML file.

    2. In the Samsara dashboard, open the relevant SSO configuration (administrator or driver).

    3. Paste the metadata URL or upload the file.

    4. Click Save to apply the changes.

Integrate Okta as your IdP in Samsara

Before you configure authentication, make sure you have access to both the Samsara dashboard and your Okta Admin Console, and then set up SSO with Okta using the following workflow:

  1. Verify your domain for secure SSO authentication.

    You must complete domain verification before enabling SSO. Only users with verified domains will be able to access the organization.

  2. In Samsara, create a separate SSO configuration for administrators, drivers, or both:

  3. For each configuration set up in the prior step, copy the following SSO connection settings for use in Okta:

    • Single sign-on URL: Post-back/ACS URL (Assertion Consumer Service)

    • Audience URI: Service Provider Entity ID

  4. In your Okta Admin Console, create a SAML 2.0 internal app integration using the settings copied from the prior step.

    For full instructions, see the Okta documentation.

    okta-sso-app-settings.png

  5. Configure the following attributes to ensure proper authentication for each user type:

    • For administrators:

      • https://cloud.samsara.com/saml/attributes/email: user.mail

      • https://cloud.samsara.com/saml/attributes/name: user.displayName

        If your IdP doesn’t support a full name field, you can construct one using user.firstName+" "+user.lastName. In some cases, you may need to use regex formatting or Okta Expression Language to properly format the value.

    • For drivers:

      • https://cloud.samsara.com/saml/attributes/driver_username: your driver login identifier field

  6. (Optional) To assign roles or tags during login, define custom attributes in Okta and map them to the correct values. Use the following workflow to configure SAML attribute passing:

    1. Add the following SAML attributes to your Okta app integration:

      These attributes are included in the SAML assertion and used by Samsara to assign roles and tags during login.

      • https://cloud.samsara.com/saml/attributes/role_name: appuser.samsaraRole

      • https://cloud.samsara.com/saml/attributes/role_tags: appuser.samsaraRoleTags

    2. Define the custom attribute in Okta to support appuser.samsaraRole:

      1. From the app’s Sign On tab, click Configure Profile Mapping.

      2. If a modal appears with existing mappings, close it to access the Profile Editor.

      3. In the Profile Editor, click + Add Attribute.

      4. Enter the following values:

        • Data Type: string

        • Display name: Samsara Role

        • Variable name: samsaraRole

        • Enum: Enabled; add the names of the Samsara roles you plan to assign

        • Attribute Required: Yes

        • Scope: Enable User personal

  7. To complete the connection between Okta and Samsara, upload the IdP metadata to the appropriate SSO configuration in the Samsara dashboard:

    1. In Okta, copy the App Federation Metadata URL or download the metadata XML file.

    2. In the Samsara dashboard, open the relevant SSO configuration (administrator or driver).

    3. Paste the metadata URL or upload the file.

    4. Click Save to apply the changes.

Other IdPs

While Samsara officially supports Microsoft Entra and Okta as IdPs, you can also use many other identity providers that support the SAML 2.0 protocol.

As other IdPs have not yet been tested, Samsara cannot ensure full compatibility at this time. To test an IdP on your own, create a SAML connection from the Samsara dashboard.

  1. Verify Domains for Secure SSO Authentication.

    You must complete domain verification before enabling SSO. Only users with verified domains will be able to access the organization.

  2. Configure your desired SSO options:

    Samsara recommends that you import the Samsara metadata SAML configuration instead of manual configuration, if you able to do so for your IdP.

  3. Configure SAML attributes.

    Name

    Value

    https://cloud.samsara.com/saml/attributes/email

    User's email

    https://cloud.samsara.com/saml/attributes/name

    User's name

  4. Add the Samsara Admin as a user to the new application.

  5. Exchange the metadata information from Samsara with the IdP to complete the configuration.

Samsara JIT Provisioning

Just-in-Time (JIT) provisioning uses the SAML protocol to automatically create user accounts. When a new user signs in for the first time through an Identity Provider (IdP) like Okta or Microsoft Entra, the IdP sends their details to the application (for example, the Samsara dashboard) and the account is created without admin setup.

Samsara supports JIT provisioning for two types of accounts:

  • Samsara dashboard users: When a new administrator signs in with SSO for the first time, the Samsara dashboard automatically creates an account with the Maintenance role and access to the entire organization. If the admin needs a different role or tag access, add or update their account using CSV upload and assign the appropriate tag access.

  • Drivers: Samsara supports JIT provisioning for driver SSO. When a driver signs in with SSO for the first time, their account is automatically created in the Dashboard. The system uses the driver_username attribute from your IdP to map the account, removing the need for manual setup.

When using JIT provisioning with SSO, issues can occur if a user’s email is tied to multiple organizations. Because JIT relies on unique email identifiers, duplicate emails can cause errors or access problems.

To avoid this, make sure each user has a unique email in your domain. For users who need access to multiple organizations, use separate email aliases or work with your IdP to manage access.

Remove an SSO Configuration

To delete an SSO configuration, contact Samsara Support. The Samsara dashboard does not allow self-service deletion to protect your organization’s authentication setup. Support will help you remove the configuration safely.

Feedback

Was this article helpful?
11 out of 22 found this helpful
Have more to say? We want to hear it!
Have more questions? Submit a request
Return to top

Comments

0 comments

Article is closed for comments.

Related articles

Articles in this section

©2024 Samsara Inc.

Chat with us