Single Sign-on
SAML SSO
Forestry supports SAML as a single sign-on solution. Multiple identity providers can be set up and enabled concurrently, which makes certificate rotation straightforward.
Supported Identity Providers
- OneLogin
- Okta
- Auth0
- Ping Identity
- Azure Active Directory
- ADFS
Other identity providers can be configured; however, official setup guides are not yet available.
Attributes
- FirstName
- LastName
- Teams (for Cloud Enterprise, as a list of TeamIDs)
- Memberships (for Private Enterprise, in the format of OrganizationID/TeamID)
Username, Name, and MemberOf are not used by Forestry but may still be sent.
The NameID format used by Forestry is urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.
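As an added example (not Forestry's own code), the routine below shows what a service provider has to do with the attribute contract described above: confirm the NameID uses the emailAddress format, pull out FirstName, LastName, Teams and Memberships, and split each Memberships value into its OrganizationID/TeamID parts. The assertion is a constructed sample with placeholder identifiers; a real verifier would validate the XML signature before trusting any of these values.

```python
"""Extract the Forestry-documented SAML attributes from an assertion."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample assertion (placeholder values, signature omitted).
# In production, verify the signature first and parse with a hardened
# XML parser such as defusedxml rather than the stdlib one used here.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="FirstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="LastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Memberships">
      <saml:AttributeValue>org-123/team-a</saml:AttributeValue>
      <saml:AttributeValue>org-123/team-b</saml:AttributeValue>
      <saml:AttributeValue>malformed-value</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_forestry_attributes(assertion_xml: str) -> dict:
    """Return the user record Forestry's attribute mapping implies."""
    root = ET.fromstring(assertion_xml)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    # Forestry keys users on the email-address NameID; reject anything else.
    if name_id is None or name_id.get("Format") != EMAIL_NAMEID:
        raise ValueError("NameID must use the emailAddress format")
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    memberships = []
    for value in attrs.get("Memberships", []):
        org_id, sep, team_id = value.partition("/")
        if not sep or not org_id or not team_id:
            continue  # not in the documented OrganizationID/TeamID form; skip it
        memberships.append((org_id, team_id))
    return {
        "email": name_id.text,
        "first_name": attrs.get("FirstName", [""])[0],
        "last_name": attrs.get("LastName", [""])[0],
        "teams": attrs.get("Teams", []),  # Cloud Enterprise: list of TeamIDs
        "memberships": memberships,  # Private Enterprise: (OrganizationID, TeamID)
    }
```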
Debugging Mode
Debugging mode, useful when configuring a new identity provider, shows extended error messages and parsed attributes. It can be enabled within the identity provider settings page.
Configuration
Organization admins can set up identity providers through the organization settings.
Fields within the Identity Provider Settings should be configured using your existing SAML settings values.
After the provider has been created within Forestry, the fields in the Service Provider Info section will need to be added to your SAML provider settings.
Make sure the enabled toggle is switched on when you are ready to use the SAML provider.
Authentication
From the login screen, after clicking Sign in with SAML SSO, the user is prompted to enter their subdomain.
If only one SAML provider is configured within Forestry, the user is immediately authenticated through SSO.
If multiple identity providers are configured, the user chooses the desired SAML provider.