SAML

Note: SAML single sign-on is only available on the Enterprise plan.

Overview

Spur supports Enterprise SSO via the SAML protocol, so you can integrate with your existing Identity Provider, such as Okta Workforce, Microsoft Azure AD, or Google Workspace, to manage logins to your Spur account.

Prerequisites

Before setting up SAML SSO, ensure you have:

  • An Enterprise plan subscription.
  • Admin access to your Identity Provider.
  • Admin role in your Spur organization.

Configuring SAML SSO

  1. Navigate to Settings > General.
  2. Under the "Authentication" section, click Configure next to "SAML".

Configuration steps for SAML SSO vary depending on your Identity Provider. Below are guides for setting up SAML with Microsoft Entra ID and Okta Workforce. For other providers, please refer to their documentation.

Microsoft Entra ID

  1. Configure SAML application
    1. In the Microsoft Entra admin center, navigate to Enterprise applications and select New application, then click Create your own application.
    2. Select Set up single sign on.
    3. Select SAML to open the SSO configuration page.
    4. Set the Reply URL to the value of the Assertion Consumer Service URL in the SAML Configuration section of your Spur organization.
    5. Set Identifier to the value of the Entity ID in the SAML Configuration section of your Spur organization.
    6. Verify that the attribute mappings are correct.
    7. Download the certificate and copy the required URLs from Microsoft Entra ID for the next step.
  2. Configure Microsoft Entra ID as your Identity Provider
    1. Navigate back to the Spur Dashboard, where you should still have the SAML configuration page open. If not, navigate to Settings > General and click Configure next to "SAML".
    2. Enter Microsoft Entra ID's Login URL as the SSO URL in the Identity Provider Configuration section.
    3. Enter Microsoft Entra ID's Microsoft Entra Identifier as the Entity ID.
    4. Upload Microsoft Entra ID's Certificate (Raw) as the Certificate.
    5. Click Save Changes to complete the setup.
  3. Enable the connection

    To make the connection available for your users, click the "Enable SAML" button at the top of the page.

Okta Workforce

  1. Configure SAML application
    1. In your Okta dashboard, navigate to Applications and select Create App Integration.
    2. Select App Integration.
    3. In the Create a new app integration modal, select the SAML 2.0 option and select the Next button.
    4. Once redirected to the Create SAML Integration page, complete the General Settings fields. App Name is required (e.g. "Spur").
    5. Paste the Assertion Consumer Service URL from the Spur Dashboard into the Single sign-on URL field.
    6. Paste the Entity ID from the Spur Dashboard into the Audience URI (SP Entity ID) field.
  2. Map Okta claims to Spur attributes

    Mapping the claims in your Identity Provider (IdP) to the attributes in Spur ensures that the data from your IdP is correctly mapped to the data in Spur.

    1. In the Okta dashboard, find the Attribute Statement (optional) section.
    2. For the Name field, enter mail.
    3. For the Value field, choose user.email from the dropdown.
    4. Select the Add another button to add another attribute.
    5. For the Name field, enter firstName.
    6. For the Value field, choose user.firstName from the dropdown.
    7. Select the Add another button to add another attribute.
    8. For the Name field, enter lastName.
    9. For the Value field, choose user.lastName from the dropdown.
    10. Scroll to the bottom of the page and select the Next button to continue.
    11. You will be redirected to the Feedback page. Fill out the feedback however you would like and select the Finish button to complete the setup.
  3. Configure Okta as your Identity Provider

    Once you have completed the setup in Okta, you will be redirected to the application instances page with the Sign On tab selected.

    1. Under the Sign on methods, copy the Sign on URL and Issuer, and download the Signing Certificate.
    2. Navigate back to the Spur Dashboard and find the Identity Provider configuration section.
    3. Paste the Sign on URL into the SSO URL field.
    4. Paste the Issuer into the Entity ID field.
    5. Upload the Signing Certificate into the Certificate field.
    6. Click Save Changes to complete the setup.
  4. Enable the connection

    To make the connection available for your users, click the "Enable SAML" button at the top of the page.

Other Identity Providers

Spur supports all Identity Providers that support the SAML 2.0 protocol.

  1. Create a new enterprise application in your Identity Provider

    Create a new application in your Identity Provider (IdP). In the next steps, you'll configure your IdP with the settings provided by your Service Provider (Spur), and configure Spur with the settings provided by your IdP. Keep both the IdP and Spur Dashboard open.

  2. Configure your Service Provider

    To configure your Service Provider (Spur), your Identity Provider (IdP) will either ask for the Assertion Consumer Service (ACS) URL and Entity ID or it will ask for the Metadata URL. If your IdP gives you the option to choose between the two, it is recommended to choose the Metadata URL as it is the quickest and most reliable way to configure your Service Provider.

    Here is what these settings mean:

    • Assertion Consumer Service (ACS) URL - This is your application's URL that your IdP will redirect your users back to after they have authenticated.
    • Entity ID - This is a unique identifier for your SAML connection that your IdP application needs.
    • Metadata URL - This is the URL to your SAML connection's metadata file. This is the recommended way to configure your Service Provider.

    To find the values for these settings:

    1. In the Spur Dashboard, on the SAML configuration page, find the Service Provider Configuration section.
    2. Copy the values you need for your IdP.
    3. In your IdP dashboard, paste the values in the appropriate fields.
  3. Configure your Identity Provider

    You will need to input the following configuration settings provided by your Identity Provider (IdP) into the Spur Dashboard:

    • SSO URL - This is your IdP's URL that Spur will redirect your users to for authentication.
    • Entity ID - This is the unique identifier of your IdP application.
    • Certificate - This is the certificate needed for Spur to securely connect to your IdP.

    1. In your IdP dashboard, find these values and copy them.
    2. In the Spur Dashboard, find the Identity Provider Configuration section, paste the values in the appropriate fields, and upload the certificate.
    3. Click Save Changes to complete the setup.
  4. Enable the connection

    To make the connection available for your users, click the "Enable SAML" button at the top of the page.

Domain Management

When setting up SAML SSO, Spur automatically handles domain conflicts:

  • If your organization has a verified domain that matches your SAML domain, it will be automatically removed.
  • This ensures SAML authentication takes precedence for your domain.
  • Users with your domain will be redirected to your Identity Provider for authentication.

Managing SAML Connection

Disabling SAML

To temporarily disable SAML without losing configuration:

  1. Go to Settings > General.
  2. Under the "Authentication" section, click Configure next to "SAML".
  3. Click Disable SAML.
  4. Users can still log in with email/password during this time.

Updating Configuration

To modify SAML settings:

  1. Update the relevant fields in the SAML configuration form.
  2. Click Save Changes.
  3. Changes take effect immediately for new login attempts.