Note: If you would like to use SSO, please contact Support to enable the feature.
Single sign-on (SSO) enables you to use a single identity provider (IdP) to manage access to Samsara. Unlike standard authentication, users don't need to remember a separate password to manually log in to Samsara and can use their corporate login.
Because IT Admins manage sensitive login information through one IdP system, using SSO reduces the security risk footprint. You can manage federated identity using either Google Authentication or a third-party SSO provider (for example, Okta or Azure).
To set up SSO, you generate and download a SAML (Security Assertion Markup Language) certificate from your IdP. The certificate is an X.509 signing certificate used to encrypt and digitally sign the SAML assertions used in the SSO process. You then upload the certificate to the SSO configuration in the Samsara dashboard.
Note: Periodically, you will need to renew the X.509 certificate. To prevent access disruption due to an expired certificate, it is recommended to generate and replace the certificate before it expires. For more information, see Renew an x.509 Certificate.
Samsara supports integration with Microsoft Entra (formerly known as Azure). For instructions on integrating Azure as your IdP, see Tutorial: Microsoft Entra single sign-on (SSO) integration with Samsara.
If you use Okta as your IdP, you can configure authentication in Samsara to use your Okta user accounts. To complete the setup, you will need access to both the Samsara dashboard and your Okta Admin Console.
- In your Okta Admin Console, begin to set up an internal app integration that uses SAML 2.0 as the sign-on method.
  For full instructions, see the Okta documentation.
  During configuration, you will need to:
  - Supply a Single sign-on URL. Since you won't have your single sign-on URL until you complete the Samsara-side configuration, use a placeholder and later return to the configuration.
  - Configure SAML attributes.

    | Name | Value |
    | --- | --- |
    | https://cloud.samsara.com/saml/attributes/email | user.email |
    | https://cloud.samsara.com/saml/attributes/name | user.firstName+" "+user.lastName |

    Note: When using name as an attribute, the dropdown doesn’t provide the option to specify full name as the value. In this case, use regex to present first name space last name.
    If needed, you can also use other SAML attributes.
  - Create and download the certificate used for authentication.
  - Set up users and groups that can use the Okta SAML configuration.
- In the Samsara dashboard, create a SAML connection:
  - Select the Settings icon at the bottom of your Fleet menu to view dashboard settings.
  - Select Single Sign-On.
  - Select New SAML Connection.
  - Synchronize your SAML configuration details in Okta.
    In the SAML app configuration in Okta, configure the following information:
    - Sign In Endpoint URL: Copy the Post-back URL (Assertion Consumer Service (ACS) URL) from the SAML configuration in the Samsara dashboard.
    - Audience URI: Copy the Service Provider Entity ID from the SAML configuration in the Samsara dashboard.
    - SAML Attributes: In Okta, specify attributes for the user's name and email.
  - Synchronize your SAML configuration details in Samsara.
    After you create the app in Okta, find the details on the Sign On tab under View SAML set up instructions. Then, in the SAML configuration in the Samsara dashboard, configure the following information:
    - Sign In Endpoint URL: Copy the Identity Provider Single Sign-on URL from Okta.
    - X.509 Certificate: Download this certificate from Okta. When you copy the certificate to the Samsara dashboard, make sure to include the begin and end notation as shown in the above image.
    Then Save your settings.
- In Okta, assign users to the app. You can add users individually or use Groups to manage access.
  Manually added users will receive an activation email from Okta to activate the account. After the user logs in to Okta, the new SSO tile is visible.
- Test to ensure that the users to whom you assigned access can access the Samsara dashboard using their Okta credentials.
  On login, any users that don't already have accounts in the Samsara dashboard will be automatically created with Read-only Admin (No Dash Cam Access) for Entire Organization. Adjust the user permissions, as needed.
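The values synchronized in the steps above (ACS URL, Audience URI, and the two SAML attribute names) can be checked against a SAMLResponse captured during the test login. The following is an added example, not code from Samsara or Okta; the function names are hypothetical, and the ACS URL, entity ID and sample response are placeholders constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Attribute names taken from the table in the Okta steps above.
EMAIL_ATTR = "https://cloud.samsara.com/saml/attributes/email"
NAME_ATTR = "https://cloud.samsara.com/saml/attributes/name"
# Placeholders (assumptions): use the Post-back URL and Service Provider
# Entity ID shown in your own SAML connection in the dashboard.
ACS = "https://sp.example.test/acs"
ENTITY_ID = "https://sp.example.test/entity"

def check_saml_response(b64_response, expected_acs, expected_audience):
    """List configuration problems in a SAMLResponse captured from a test login.
    Diagnostic only: the signature is not verified, so this must never be
    used to decide whether a login is genuine.
    """
    root = ET.fromstring(base64.b64decode(b64_response))
    problems = []
    if root.get("Destination") != expected_acs:
        problems.append("Destination does not match the ACS (post-back) URL")
    audiences = [e.text for e in root.findall(".//a:Audience", NS)]
    if expected_audience not in audiences:
        problems.append("Audience does not match the Service Provider Entity ID")
    attrs = {}
    for attr in root.findall(".//a:AttributeStatement/a:Attribute", NS):
        value = attr.find("a:AttributeValue", NS)
        attrs[attr.get("Name")] = (value.text or "").strip() if value is not None else ""
    for required in (EMAIL_ATTR, NAME_ATTR):
        if not attrs.get(required):
            problems.append("missing or empty attribute: " + required)
    return problems

def build_sample(audience, with_name=True):
    """Constructed sample response (not captured from a real IdP)."""
    name = ('<a:Attribute Name="%s"><a:AttributeValue>Ada Lovelace'
            '</a:AttributeValue></a:Attribute>' % NAME_ATTR) if with_name else ""
    xml = ('<p:Response xmlns:p="%s" xmlns:a="%s" Destination="%s"><a:Assertion>'
           '<a:Conditions><a:AudienceRestriction><a:Audience>%s</a:Audience>'
           '</a:AudienceRestriction></a:Conditions><a:AttributeStatement>'
           '<a:Attribute Name="%s"><a:AttributeValue>ada@example.test'
           '</a:AttributeValue></a:Attribute>%s</a:AttributeStatement>'
           '</a:Assertion></p:Response>') % (NS["p"], NS["a"], ACS, audience, EMAIL_ATTR, name)
    return base64.b64encode(xml.encode()).decode()

if __name__ == "__main__":
    print(check_saml_response(build_sample(ENTITY_ID), ACS, ENTITY_ID))
    print(check_saml_response(build_sample("https://wrong.example.test", False), ACS, ENTITY_ID))
```

An empty list means the captured response agrees with the configured ACS URL, audience and attribute names; run it only on responses from your own test logins.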
Just-in-Time (JIT) provisioning uses the SAML protocol to pass information from an IdP, such as Okta or Microsoft Entra, as a way to automate user account creation for various web applications. When a new user first signs in to an authorized application, such as Samsara, they trigger a flow of information from the IdP to the authorized app to automatically create their account, instead of requiring an admin to create an account for them.
If a new admin is set up to use your IdP to access Samsara, and they use their SSO link to sign in to the Samsara dashboard for the first time, the Samsara dashboard will automatically create an account for them with the default administrative role, Standard Admin (No Dash Cam Access), with tag access to the Entire Organization. If you want the admin to have a different role and tag, it is recommended you add or edit the new admin through a CSV with the correct role and tag access.