Skip to main content

SSO Access Control

In the Spot console, you can enable single sign-on (SSO) for your organization.

Identity Providers

You can use these identity providers with Spot:

Set Up SAML SSO in the Console

  1. In the Spot console, click the user icon user icon > Settings.

  2. Click Security > Identity Providers.

  3. Enter the:

    • Relay state: this is the Organization ID. It's used as the relay state configuration for the identity provider (used in IDP-initiated SSO).

    • Provider type: currently, the only supported standard is security assertion markup language (SAML).

    • Metadata: this is the data provided by the identity provider to sync the settings properly.

      important

      Only one certificate is supported. Before adding a new certificate to the metadata file (for example, when the old one expires), first remove the old certificate from your identity provider to ensure successful authentication.

    • User Default Organization Role: this is the role given to users who sign in using the Identity Provider (Viewer/Editor). Roles can be defined only by organization or by account, not both.

    • User Allowed Accounts: the accounts the user has access to (Default Account or All Accounts).

    View image

    SSO Access Control settings screenshot

Organization and Role Selection

If you want to define different user roles per account, you can choose the organization and role the user signs in with when signing in with SSO.

Configure the IDP to create a SAML response with the parameter OrgAndRole. When this is defined, the user must select an organization and role when signing in.

Disable SSO

You can ask to disable SSO. Keep in mind, it will be disabled for your entire organization. This may be necessary if you’re having issues with your SSO configuration or IDP/certificate.

Any existing users and tokens in your organization will not be negatively affected after reenabling SSO. They just need to be added to your IDP (such as Okta). If they sign in using a different email address, they’ll be created as a new user with the default role and account access.

Contact customer support to disable SSO for your organization.