Single Sign-On (SSO) Authentication

  • Updated
  • Updated
Avatar
Written by Charissa F.
  • Updated
Required plan:
Required plan:

Multi-Factor Authentication (MFA) is enforced for all users with elevated access, including both predefind and custom roles. For other driver or user accounts, you can set up Single Sign-On (SSO) to use a single identity provider (IdP) to manage access to Samsara resources. Unlike standard authentication, users don't need to remember a separate password to manually log in to Samsara and can use their corporate login.

Because IT administrators manage sensitive login information through one IdP system, using SSO reduces the security risk footprint. You can manage federated identity using either Google Authentication or a third-party SSO provider (for example, Okta or Azure).

To set up SSO you can create a SSO configuration for drivers and administrators based on the metadata associated with Samsara and with the IdP. If you intend to use SSO for both drivers and administrators ensure that you set up separate applications for each use case in the IdP.

Note

Periodically, you will need to renew the x.509 certificate. To prevent access disruption due to an expired certificate, it is recommended to generate and replace the certificate before it expires. For more information, see Renew an x.509 Certificate.

Set up SSO for Drivers

If you want your drivers to use SSO to log in to the Samsara Driver App, you can exchange metadata with the IdP. In your IdP set up a separate configuration for drivers and do not use the same IdP configuration you use for administrators.

  1. Verify Domains for Secure SSO Authentication.

    You must complete domain verification before enabling SSO. Only users with verified domains will be able to access the organization.

  2. Select the Settings icon (gear icon) at the bottom of your Fleet menu to view dashboard settings.

  3. In Organization, select Single Sign-On.

  4. In the Single Sign-On (SSO) for Driver Login section, click Add.

  5. Click Copy next to the Samsara metadata URL to record the URL for use by your identity provider. Send that URL to the administrator for your IdP.

    If the IdP cannot accept the metadata URL, you can expand the details to retrieve the Service Provider Entity ID, Post-back/ACS URL, and SAML Attribute for the driver's username.

    • Name: driver_username

    • Namespace: https://cloud.samsara.com/saml/attributes

    • Source attribute

    This information can also be used to define the SSO configuration with your IdP.

  6. Retrieve the metadata from the IdP.

    You can provide either a metadata URL or you can update a metadata file provided by the IdP.

  7. Save your changes when finished.

  8. Set the Authentication Type for Users.

Set up SSO for Samsara Administrators

If you want other administrators to use SSO to log in to the Samsara dashboard, you can exchange metadata with the IdP. In your IdP set up a separate configuration for administrators and do not use the same IdP configuration you use for drivers.

  1. Verify Domains for Secure SSO Authentication.

    You must complete domain verification before enabling SSO. Only users with verified domains will be able to access the organization.

  2. Select the Settings icon (gear icon) at the bottom of your Fleet menu to view dashboard settings.

  3. In Organization, select Single Sign-On.

  4. In the Single Sign-On (SSO) for User Login section, click Add.

  5. Click Copy next to the Samsara metadata URL to record the URL for use by your identity provider. Send that URL to the administrator for your IdP.

    If the IdP cannot accept the metadata URL, you can expand the details to retrieve the Service Provider Entity ID, Post-back/ACS URL, and SAML Attributes. This information can also be used to define the SSO configuration with your IdP.

  6. Retrieve the metadata from the IdP.

    You can provide either a metadata URL or you can update a metadata file provided by the IdP.

  7. Save your changes when finished.

Migrate to the New SSO Experience

Note

To facilitate a quick rollback in case of any issues during migration, we recommend you create a new SAML application.

Do not update the existing Samsara application in your IdP.

If you set up SSO using the SAML experience that was available prior to 20 November 2024, you must migrate to the new SSO experience.

Follow the workflow below to complete the migration and conversion process.

  1. Select the Settings icon (gear icon) at the bottom of your Fleet menu to view dashboard settings.

  2. In Organization, select Single Sign-On.

  3. Click Migrate.

    migrate_button.png

  4. Share the SAML fields with your IdP Admin and have the IdP Admin perform the steps to set up SSO for administrators and drivers.

    saml_field_share.png

  5. When the IdP Admin performs the steps to obtain the metadata for the SSO configuration, enter the metadata URL or upload the metadata XML file exported from your IdP into Samsara.

    input_idp_metadata.png

  6. Save.

  7. Test the Samsara sign in.

    If you experience issues when you sign in to Samsara, contact Samsara support.

  8. Set the Authentication Type for Users.

Set the Authentication Type for Users

If your organization has users currently using basic authentication, you must also convert the account type to enable these users to use SSO. You can choose from one of three methods for this conversion: using the direct URL (described later in this document), an API method where admins update user authentication types programmatically, or a bulk import using a CSV method via the Users & Roles page.

Convert existing users who log in using basic authentication to use SSO using one of the following methods:

  • Direct login. Have users log in to the IdP or use the direct SSO URL from Samsara.

    • https://cloud.samsara.com/signin/<orgid>

    • https://cloud.eu.samsara.com/signin/<orgid>

    Where <orgid> is the unique ID for your organization. This login will convert a user's authentication method from basic authentication to single sign-on.

    After the user logs in, the account is automatically converted to use SSO for future authentication attempts.

  • Samsara API. Use the Samsara API to update the user authentication type from Basic to SAML. Refer to the API documentation for the required endpoint and parameters.

  • Bulk import: From the Samsara dashboard you can update the authentication type for your users by editing and importing a CSV file (see Edit Administrators in Bulk). To do so, you change the authType from Basic to SAML for the users and then import the CSV file.

Choose the method that best fits your organizational workflow to ensure a seamless transition to SSO for all users.

Integrate Microsoft Entra as your IdP

Samsara supports integration with Microsoft Entra (formerly known as Azure). For instructions on integrating Azure as your IdP, see Tutorial: Microsoft Entra single sign-on (SSO) integration with Samsara.

  1. Verify Domains for Secure SSO Authentication.

    You must complete domain verification before enabling SSO. Only users with verified domains will be able to access the organization.

  2. Configure your desired SSO options:

  3. In Microsoft Entra, set up a new SAML application for Samsara.

    1. Navigate to Identity > Application > Enterprise applications.

    2. Select + New application.

    3. + Create your own application.

      1. Enter the name of application Samsara.

      2. Select Integrate any other application you don't find in the gallery (Non-gallery).

      3. Create the app.

    4. Assign users and groups.

      1. Click + Add user/group.

      2. Under Users, click None Selected.

      3. Select the users you want to add, and then click Select.

      4. Click Assign.

    5. Configure SAML.

      1. In the side navigation, select Overview.

      2. Select Get Started in the Set up single sign on box.

      3. Click SAML.

      4. Select Edit in the Basic SAML Configuration to add the SAML fields provided by your Samsara Admin.

        Copy the link from Service Provider Entity ID into the Identifier (Entity ID) field.

        Copy the link from Post-back/ACS URL to the Reply URL (Assertion Consumer Service URL) field.

      5. Save your changes.

    6. Add claims for two Samsara attributes: email and name.

      Claims are used to assert certain properties or characteristics of the user during the authentication process. You will need to define claims for both the user's email and the user's name. For each claim you will define the following information:

      • Name: email or name

      • Namespace: https://cloud.samsara.com/saml/attributes

      • Source attribute

      sso-entra-idp-manage-claim.png

      To define the claim, select Edit in the Attributes & Claims section and Add a new claim for each of the Samsara user attributes.

      • Name attribute: We recommend you configure the Source attribute for name to the value that you would like to be mapped to Samsara's name. For example, you can use user.displayname as your source attribute.

      • Email attribute: We recommend you configure the Source attribute for email to the value that you would like to be mapped to Samsara's name. For example, you can use user.mail as your source attribute.

      Then, Save your changes.

    7. In SAML Certificates, copy and share the App Federation Metadata Url or download the Federation Metadata XML file and share it with your Samsara Admin.

  4. Exchange the metadata information from Samsara with the IdP to complete the configuration.

Integrate Okta as your IdP in Samsara

If you use Okta as your IdP, you can configure authentication in Samsara to use your Okta user accounts. To complete the setup, you will need access to both the Samsara dashboard and your Okta Admin Console.

  1. Verify Domains for Secure SSO Authentication.

    You must complete domain verification before enabling SSO. Only users with verified domains will be able to access the organization.

  2. Configure your desired SSO options:

  3. In your Okta Admin Console, begin to set up an internal app integration that uses SAML 2.0 as the sign-on method.

    For full instructions, see the Okta documentation.

    okta-sso-app-settings.png

    During configuration, you will need to:

    • Configure the following information:

      • Single sign-on URL: Copy the Post-back/ACS URL (Assertion Consumer Service) from the SSO connection settings in the Samsara dashboard.

      • Audience URI: Copy the Service Provider Entity ID from the SSO connection settings in the Samsara dashboard.

    • Configure SAML attributes.

      Name

      Value

      https://cloud.samsara.com/saml/attributes/email

      user.email

      https://cloud.samsara.com/saml/attributes/name

      user.firstName+" "+user.lastName

      Note

      When using name as an attribute, the dropdown doesn’t provide the option to specify full name as the value. In this case, use regex to present first name space last name.

      If needed, you can also use other SAML attributes.

  4. Exchange the metadata information from Samsara with the IdP to complete the configuration.

Other IdPs

While Samsara officially supports Microsoft Entra and Okta as IdPs, you can also use many other identity providers that support the SAML 2.0 protocol. As other IdPs have not yet been tested, Samsara cannot ensure full compatibility at this time. To test an IdP on your own, create a SAML connection from the Samsara dashboard.

  1. Verify Domains for Secure SSO Authentication.

    You must complete domain verification before enabling SSO. Only users with verified domains will be able to access the organization.

  2. Configure your desired SSO options:

    Samsara recommends that you import the Samsara metadata SAML configuration instead of manual configuration, if you able to do so for your IdP.

  3. Configure SAML attributes.

    Name

    Value

    https://cloud.samsara.com/saml/attributes/email

    User's email

    https://cloud.samsara.com/saml/attributes/name

    User's name

  4. Add the Samsara Admin as a user to the new application.

  5. Exchange the metadata information from Samsara with the IdP to complete the configuration.

Samsara JIT Provisioning

Just-in-Time (JIT) provisioning leverages the SAML protocol to automate user account creation for various web applications. It works by passing user information from an Identity Provider (IdP), such as Okta or Microsoft Entra. When a new user signs in to an authorized application for the first time, such as the Samsara dashboard, the IdP sends the necessary details to the application, automatically creating the user's account—eliminating the need for manual admin intervention.

Samsara supports JIT provisioning for two types of accounts:

  • Samsara dashboard users: When a new administrator logs in for the first time using Single Sign-On (SSO) through your IdP, the Samsara dashboard automatically provisions an account with the least privileged role—the Maintenance role. This account is granted tag access to the Entire Organization by default. If the admin requires a different role or specific tag access, it is recommended to add or update the admin via CSV with the appropriate role and tag access.

  • Drivers: Samsara also supports JIT provisioning for driver SSO. When a driver signs in for the first time using SSO, their account is automatically created in the dashboard. The system maps the driver's username to the value of the driver_username attribute in your IdP, ensuring seamless access without manual provisioning.

When implementing JIT provisioning with SSO, be aware that provisioning may not function as expected if a user's email address is associated with multiple organizations. JIT provisioning typically creates or updates user accounts based on unique email identifiers. If an email is linked to multiple organizations, conflicts may arise, leading to provisioning errors or access issues.

To prevent these issues, ensure that each user's email address is unique within your organization’s domain. If users need access to multiple organizations, consider using distinct email aliases or coordinating with your IdP to manage multi-organization access effectively.

Remove an SSO Configuration

If you need to delete an existing SSO configuration from your Samsara dashboard, please contact Samsara Support for assistance.

Currently, the dashboard does not support self-service deletion of SSO configurations to ensure the security and integrity of your organization's authentication setup. Our support team will guide you through the process to safely remove the SSO configuration, as needed.

Feedback

Was this article helpful?
9 out of 13 found this helpful
Have more to say? We want to hear it!
Have more questions? Submit a request
Return to top

Comments

0 comments

Article is closed for comments.

Related articles

Articles in this section

©2024 Samsara Inc.

Chat with us