Single sign-on (SSO) enables you to use a single identity provider (IdP) to manage access for drivers and administrators to Samsara resources. Unlike standard authentication, users don't need to remember a separate password to manually log in to Samsara and can use their corporate login.
Because IT administrators manage sensitive login information through one IdP system, using SSO reduces the security risk footprint. You can manage federated identity using either Google Authentication or a third-party SSO provider (for example, Okta or Azure).
To set up SSO, create an SSO configuration for drivers and administrators based on the metadata associated with Samsara and with the IdP. If you intend to use SSO for both drivers and administrators, set up separate applications for each use case in the IdP.
Note
Periodically, you will need to renew the x.509 certificate. To prevent access disruption due to an expired certificate, it is recommended to generate and replace the certificate before it expires. For more information, see Renew an x.509 Certificate.
If you want your drivers to use SSO to log in to the Samsara Driver App, you can exchange metadata with the IdP. In your IdP set up a separate configuration for drivers and do not use the same IdP configuration you use for administrators.
- Verify Domains for Secure SSO Authentication.
  You must complete domain verification before enabling SSO. Only users with verified domains will be able to access the organization.
- Select the Settings icon at the bottom of your Fleet menu to view dashboard settings.
- In Organization, select Single Sign-On.
- In the Single Sign-On (SSO) for Driver Login section, click Add.
- Click Copy next to the Samsara metadata URL to record the URL for use by your identity provider. Send that URL to the administrator for your IdP.
  If the IdP cannot accept the metadata URL, you can expand the details to retrieve the Service Provider Entity ID, Post-back/ACS URL, and SAML Attribute for the driver's username. This information can also be used to define the SSO configuration with your IdP.
- Retrieve the metadata from the IdP.
  You can provide either a metadata URL or upload a metadata file exported from the IdP.
- Save your changes when finished.
If you want other administrators to use SSO to log in to the Samsara dashboard, you can exchange metadata with the IdP. In your IdP set up a separate configuration for administrators and do not use the same IdP configuration you use for drivers.
- Verify Domains for Secure SSO Authentication.
  You must complete domain verification before enabling SSO. Only users with verified domains will be able to access the organization.
- Select the Settings icon at the bottom of your Fleet menu to view dashboard settings.
- In Organization, select Single Sign-On.
- In the Single Sign-On (SSO) for User Login section, click Add.
- Click Copy next to the Samsara metadata URL to record the URL for use by your identity provider. Send that URL to the administrator for your IdP.
  If the IdP cannot accept the metadata URL, you can expand the details to retrieve the Service Provider Entity ID, Post-back/ACS URL, and SAML Attributes. This information can also be used to define the SSO configuration with your IdP.
- Retrieve the metadata from the IdP.
  You can provide either a metadata URL or upload a metadata file exported from the IdP.
- Save your changes when finished.
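The metadata exchange in both procedures above (driver and administrator) and the certificate-renewal note are where a stale IdP document causes an outage: the signing certificate inside the metadata is what Samsara will trust, and it expires. The script below is an added example, not Samsara's code or any IdP's. It reads an IdP federation-metadata document, pulls out the entityID, the HTTP-POST SingleSignOnService URL and the signing certificate, and decodes the certificate's validity period with a minimal DER walk (standard library only) so an expiring certificate is flagged before the metadata is uploaded. The metadata document and the certificate inside it are constructed for the example; the certificate is a structural stand-in that carries only the fields the parser walks, and is neither signed nor valid. The URLs, dates and the 30-day warning threshold are assumptions.

```python
"""Pre-flight check of IdP federation metadata before it is entered into Samsara.

Added example (not Samsara's or any IdP's code). Standard library only: the
certificate validity period is read with a minimal DER walk, no crypto library.
"""
import base64
import datetime as dt
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
UTC = dt.timezone.utc


def _der_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _der_time(buf, pos):
    """Decode a UTCTime (0x17) or GeneralizedTime (0x18) element as UTC."""
    tag, start, end = _der_tlv(buf, pos)
    fmt = {0x17: "%y%m%d%H%M%SZ", 0x18: "%Y%m%d%H%M%SZ"}[tag]
    return dt.datetime.strptime(buf[start:end].decode("ascii"), fmt).replace(tzinfo=UTC)


def cert_validity(der):
    """Return (not_before, not_after) from a DER-encoded X.509 certificate.

    Walks Certificate -> tbsCertificate -> [version] serial sigAlg issuer validity.
    """
    _, pos, _ = _der_tlv(der, 0)           # Certificate SEQUENCE
    _, pos, _ = _der_tlv(der, pos)         # tbsCertificate SEQUENCE
    tag, _, end = _der_tlv(der, pos)
    if tag == 0xA0:                        # optional [0] EXPLICIT version
        pos = end
    for _ in range(3):                     # serialNumber, signature, issuer
        _, _, pos = _der_tlv(der, pos)
    _, pos, _ = _der_tlv(der, pos)         # validity SEQUENCE
    _, _, nb_end = _der_tlv(der, pos)      # end of notBefore = start of notAfter
    return _der_time(der, pos), _der_time(der, nb_end)


def check_idp_metadata(xml_text, now, warn_days=30):
    """Extract what Samsara needs from IdP metadata and grade the signing cert."""
    root = ET.fromstring(xml_text)
    sso = root.find(
        f"md:IDPSSODescriptor/md:SingleSignOnService[@Binding='{POST_BINDING}']", NS)
    cert_b64 = root.findtext(
        "md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']"
        "/ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
    if sso is None or not cert_b64:
        raise ValueError("metadata lacks an HTTP-POST SSO endpoint or a signing certificate")
    not_before, not_after = cert_validity(base64.b64decode("".join(cert_b64.split())))
    days_left = (not_after - now).days
    if now < not_before or now >= not_after:
        status = "INVALID"
    elif days_left <= warn_days:
        status = "RENEW SOON"
    else:
        status = "OK"
    return {"entity_id": root.get("entityID"), "sso_url": sso.get("Location"),
            "not_after": not_after, "days_left": days_left, "status": status}


# --- constructed sample input (not real IdP output) ---------------------------
def _der(tag, body):
    """Minimal DER TLV encoder, used only to build the sample certificate."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _utc_time(t):
    return _der(0x17, t.strftime("%y%m%d%H%M%SZ").encode())


def sample_certificate(not_before, not_after):
    """Structural stand-in: only the fields cert_validity walks, unsigned, not valid."""
    tbs = (_der(0xA0, _der(0x02, b"\x02"))                                   # version v3
           + _der(0x02, b"\x01")                                             # serialNumber
           + _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSA
           + _der(0x30, b"")                                                 # issuer (empty)
           + _der(0x30, _utc_time(not_before) + _utc_time(not_after))       # validity
           + _der(0x30, b""))                                                # subject (empty)
    return _der(0x30, _der(0x30, tbs))


NOT_BEFORE = dt.datetime(2025, 1, 1, tzinfo=UTC)    # assumed dates
NOT_AFTER = dt.datetime(2026, 1, 1, tzinfo=UTC)
NOW = dt.datetime(2025, 12, 15, tzinfo=UTC)

SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.com/saml/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      {base64.b64encode(sample_certificate(NOT_BEFORE, NOT_AFTER)).decode()}
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/sso/redirect"/>
    <md:SingleSignOnService Binding="{POST_BINDING}" Location="https://idp.example.com/sso/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def sample_report(now=NOW, warn_days=30):
    return check_idp_metadata(SAMPLE_METADATA, now, warn_days)


if __name__ == "__main__":
    for key, value in sample_report().items():
        print(f"{key:>10}: {value}")
```

Run it against the real file your IdP admin sends (replace SAMPLE_METADATA with the file contents) and compare the entity ID and POST URL with what the IdP console shows before saving the configuration in Samsara; a "RENEW SOON" result is the cue to schedule the certificate rotation described in the note above rather than discover it from locked-out drivers.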
If you set up SSO using the SAML experience that was available prior to 20 November 2024, you must migrate to the new SSO experience. To migrate your configuration, perform the following workflow:
- Select the Settings icon at the bottom of your Fleet menu to view dashboard settings.
- In Organization, select Single Sign-On.
- Click Migrate.
- Share the SAML fields with your IdP Admin and have the IdP Admin perform the steps to set up SSO for administrators and drivers.
- When the IdP Admin has obtained the metadata for the SSO configuration, enter the metadata URL or upload the metadata XML file exported from your IdP into Samsara.
- Save.
- Test the Samsara sign-in from the IdP application (IdP-initiated).
  Test the Samsara sign-in from cloud.samsara.com (or cloud.eu.samsara.com if you operate in Europe) (SP-initiated).
If you experience issues when you sign in to Samsara, contact Samsara support.
Samsara supports integration with Microsoft Entra ID (formerly Azure Active Directory). For instructions on integrating Microsoft Entra as your IdP, see Tutorial: Microsoft Entra single sign-on (SSO) integration with Samsara.
- Verify Domains for Secure SSO Authentication.
  You must complete domain verification before enabling SSO. Only users with verified domains will be able to access the organization.
- Configure your desired SSO options:
  - In Microsoft Entra, set up a new SAML application for Samsara.
    - Navigate to Identity > Applications > Enterprise applications.
    - Select + New application.
    - Select + Create your own application.
    - Enter the name of the application: Samsara.
    - Select Integrate any other application you don't find in the gallery (Non-gallery).
    - Create the app.
  - Assign users and groups. Only assigned users can sign in through this application, so assign the people who should have Samsara access and no one else.
  - Configure SAML.
    - In the side navigation, select Overview.
    - Select Get Started in the Set up single sign on box.
    - Click SAML.
    - Select Edit in the Basic SAML Configuration to add the SAML fields provided by your Samsara Admin.
      Copy the link from Service Provider Entity ID into the Identifier (Entity ID) field.
      Copy the link from Post-back/ACS URL into the Reply URL (Assertion Consumer Service URL) field.
    - Save your changes.
  - Add claims for two Samsara attributes: email and name.
    Claims are used to assert certain properties or characteristics of the user during the authentication process. You will need to define claims for both the user's email and the user's name. Entra combines the Namespace and Name of a claim into the full attribute name that Samsara reads, for example https://cloud.samsara.com/saml/attributes/email. For each claim you will define the following information:
    - Name: email or name
    - Namespace: https://cloud.samsara.com/saml/attributes
    - Source attribute
    To define the claim, select Edit in the Attributes & Claims section and Add a new claim for each of the Samsara user attributes.
    - Name attribute: We recommend you configure the Source attribute for name to the value that you would like to be mapped to Samsara's name. For example, you can use user.displayname as your source attribute.
    - Email attribute: We recommend you configure the Source attribute for email to the value that you would like to be mapped to Samsara's email. For example, you can use user.mail as your source attribute.
    Then, Save your changes.
  - In SAML Certificates, copy and share the App Federation Metadata Url or download the Federation Metadata XML file and share it with your Samsara Admin.
- Exchange the metadata information from Samsara with the IdP to complete the configuration.
If you use Okta as your IdP, you can configure authentication in Samsara to use your Okta user accounts. To complete the setup, you will need access to both the Samsara dashboard and your Okta Admin Console.
- Verify Domains for Secure SSO Authentication.
  You must complete domain verification before enabling SSO. Only users with verified domains will be able to access the organization.
- Configure your desired SSO options:
  - In your Okta Admin Console, begin to set up an internal app integration that uses SAML 2.0 as the sign-on method.
    For full instructions, see the Okta documentation.
    During configuration, you will need to:
    - Configure the following information:
      - Single sign-on URL: Copy the Post-back/ACS URL (Assertion Consumer Service URL) from the SSO connection settings in the Samsara dashboard.
      - Audience URI: Copy the Service Provider Entity ID from the SSO connection settings in the Samsara dashboard.
    - Configure SAML attributes.

      Name                                              Value
      https://cloud.samsara.com/saml/attributes/email   user.email
      https://cloud.samsara.com/saml/attributes/name    user.firstName+" "+user.lastName

      Note
      When using name as an attribute, the Value dropdown does not offer a full-name option. In this case, enter an Okta Expression Language expression that joins the first name, a space, and the last name, as shown in the table above.
      If needed, you can also use other SAML attributes.
- Exchange the metadata information from Samsara with the IdP to complete the configuration.
While Samsara officially supports Microsoft Entra and Okta as IdPs, you can also use many other identity providers that support the SAML 2.0 protocol. As other IdPs have not yet been tested, Samsara cannot ensure full compatibility at this time. To test an IdP on your own, create a SAML connection from the Samsara dashboard.
- Verify Domains for Secure SSO Authentication.
  You must complete domain verification before enabling SSO. Only users with verified domains will be able to access the organization.
- Configure your desired SSO options:
  Samsara recommends that you import the Samsara metadata SAML configuration instead of configuring it manually, if your IdP allows you to do so.
- Configure SAML attributes.

  Name                                              Value
  https://cloud.samsara.com/saml/attributes/email   User's email
  https://cloud.samsara.com/saml/attributes/name    User's name

- Add the Samsara Admin as a user to the new application.
- Exchange the metadata information from Samsara with the IdP to complete the configuration.
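Whichever IdP you use, the assertion it sends must carry the two Samsara attributes under exactly the names in the attribute tables above (Entra builds that full name from the claim Namespace and Name; Okta and other IdPs take it verbatim), and the email must belong to a verified domain. The Python below is an added example, not Samsara's or any IdP's code: it pulls the AttributeStatement out of a SAML assertion, checks that both attributes are present with exactly one non-empty value each, flags an attribute that looks like a Samsara attribute emitted under the wrong namespace, and checks the email domain against a verified-domain list. The assertion is constructed (unsigned and trimmed to the elements the check reads); a real assertion must pass signature verification before any attribute in it is trusted, and this check does not do that. The user names, domains and the verified-domain list are assumptions.

```python
"""Check a SAML assertion's AttributeStatement against what Samsara expects.

Added example (not Samsara's or any IdP's code). Mapping check only: it does
not verify the assertion signature, which must happen before attributes are trusted.
"""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape, quoteattr

SAML = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ATTR_NS = "https://cloud.samsara.com/saml/attributes"
REQUIRED = {"email": f"{ATTR_NS}/email", "name": f"{ATTR_NS}/name"}


def extract_attributes(assertion_xml):
    """Return {attribute Name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", SAML)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def check_samsara_attributes(assertion_xml, verified_domains):
    """Return a list of problems; an empty list means the mapping looks right."""
    attrs = extract_attributes(assertion_xml)
    problems = []
    for short, full in REQUIRED.items():
        values = [v.strip() for v in attrs.get(full, [])]
        if len(values) != 1 or not values[0]:
            problems.append(f"{short}: expected exactly one non-empty value for {full}, got {values}")
    # A claim created without the namespace (or with a typo in it) arrives under a
    # different Name and Samsara will not find it. Other extra attributes are allowed.
    for name in attrs:
        tail = name.rsplit("/", 1)[-1]
        if name not in REQUIRED.values() and tail in REQUIRED:
            problems.append(f"{name!r} looks like a Samsara attribute under the wrong namespace; "
                            f"expected {REQUIRED[tail]}")
    email = next(iter(attrs.get(REQUIRED["email"], [])), "").strip().lower()
    domain = email.rpartition("@")[2]
    if email and domain not in {d.lower() for d in verified_domains}:
        problems.append(f"email domain {domain!r} is not a verified domain; the user will be refused")
    return problems


# --- constructed sample input (not real IdP output) ---------------------------
def constructed_assertion(attributes):
    """Build an unsigned, trimmed assertion carrying the given {Name: value} pairs."""
    body = "".join(
        f"<saml:Attribute Name={quoteattr(name)}>"
        f"<saml:AttributeValue>{escape(value)}</saml:AttributeValue></saml:Attribute>"
        for name, value in attributes.items())
    return (f'<saml:Assertion xmlns:saml="{SAML["saml"]}" ID="_example" Version="2.0">'
            "<saml:Issuer>https://idp.example.com/saml/metadata</saml:Issuer>"
            f"<saml:AttributeStatement>{body}</saml:AttributeStatement>"
            "</saml:Assertion>")


VERIFIED_DOMAINS = {"example.com"}                   # assumed verified-domain list
FIRST, LAST, EMAIL = "Jane", "Doe", "jane.doe@example.com"

# Correct mapping: what the Okta values (user.email, user.firstName+" "+user.lastName)
# or the Entra claims (Namespace + Name) should produce.
GOOD = constructed_assertion({REQUIRED["email"]: EMAIL, REQUIRED["name"]: f"{FIRST} {LAST}"})
# Claim created without the namespace: the attribute arrives under the bare name "email".
BAD_NAMESPACE = constructed_assertion({"email": EMAIL, REQUIRED["name"]: f"{FIRST} {LAST}"})
# Correct mapping, but the user belongs to a domain that was never verified in Samsara.
UNVERIFIED = constructed_assertion({REQUIRED["email"]: "bob@partner.example",
                                    REQUIRED["name"]: "Bob Roe"})


if __name__ == "__main__":
    for label, xml in (("good", GOOD), ("bad namespace", BAD_NAMESPACE), ("unverified", UNVERIFIED)):
        print(label, check_samsara_attributes(xml, VERIFIED_DOMAINS) or "OK")
```

To use it on a real sign-in, capture the base64 SAMLResponse the IdP posts to the ACS URL (browser developer tools or a SAML tracer extension), decode it and pass the Assertion element to check_samsara_attributes together with your verified domains; an empty list means the attribute names and the domain are what Samsara expects, and the remaining failure causes are on the trust side (certificate, entity ID, ACS URL).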
Just-in-Time (JIT) provisioning uses the SAML protocol to pass information from an IdP, such as Okta or Microsoft Entra, as a way to automate user account creation for various web applications. When a new user first signs in to an authorized application, such as the Samsara dashboard, the user triggers a flow of information from the IdP to the authorized app to automatically create their account, instead of requiring an admin to create an account for them.
When an admin who is set up to use your IdP signs in to the Samsara dashboard through SSO for the first time, the dashboard automatically creates an account with the least privileged role (Maintenance role) and tag access to the Entire Organization. If you want the admin to have a different role or tag scope, add or edit the admin through a CSV with the correct role and appropriate tag access. Because JIT creates an account for anyone your IdP asserts, limit assignment of the Samsara application in the IdP to the people who should have dashboard access.