SAML single sign-on and SCIM provisioning

SAML-based single sign-on (SSO) gives Organizations the ability to provision member accounts and to manage access securely by integrating with their identity provider (IDP).

Configure SAML single sign-on using Okta
Configure SAML single sign-on using another IDP
Configure SCIM provisioning with Okta

Configure SAML single sign-on using Okta

Before you begin, make sure you have an Admin account (Viewer or Contributor).

Step 1: Configure SAML 2.0 for Abstract in Okta.

  1. In Okta, search for “Abstract” on the Applications page. 
  2. Tap Add.
  3. While in Okta, locate and record your Metadata URL and Entity ID.

Step 2: Set up SAML single sign-on in Abstract.

  1. Open the Abstract web app.
  2. Go to the Permissions page in the left side bar.
  3. In the Configure SSO section, enter the Metadata URL and Entity ID you recorded from Okta.
  4. Enter any manual exceptions you might have. Emails listed in the manual exceptions section will bypass SSO and be able to log in with email and password.
    Note: You’ll need to use primary email addresses in the manual exceptions list. SSO activation will fail if the email you list is a user’s secondary email. If that happens, you’ll see an error message with the primary email for the failing account. Add that primary email to the manual exceptions list after you’ve verified you know the user.
  5. Click Test with my Account.
    Note: You may see an error message if one or more users are in multiple Abstract Organizations. You’ll need to ask those users to either leave their other Organizations or create a new account with their company email.
  6. Toggle Activate SSO on. 
  7. Click Save Changes.

Configure SAML single sign-on using another IDP

Abstract supports the SAML 2.0 protocol. If your IDP uses SAML 2.0, you may be able to configure SSO in Abstract.

Before you begin, make sure you have an Admin account (Viewer or Contributor) with Abstract. You may also need to add the following information to your IDP:

  • Abstract’s EntityId: https://auth.goabstract.com
  • Abstract’s Assertion Consumer Service (ACS) URL: https://auth.goabstract.com/saml/response
  • Audience Restriction: https://auth.goabstract.com

Finally, two notes about SAML responses:

  • We currently only support the HTTP-POST binding.
  • We are expecting an “email” Assertion Attribute, as shown below.
<saml2:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">email@example.org</saml2:AttributeValue>
</saml2:Attribute>
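The three values above and the “email” attribute are what a receiving side has to verify before it trusts an assertion. The following is an added example, not Abstract’s own code: it parses a SAML 2.0 response, checks that Destination is the ACS URL, that the AudienceRestriction names Abstract’s EntityId, and that an “email” attribute is present, and reports each mismatch. The sample response is constructed for the example; signature validation is assumed to happen separately and is not part of this check.

```python
import xml.etree.ElementTree as ET

# Values this page lists for Abstract's service provider side.
SP_ENTITY_ID = "https://auth.goabstract.com"
ACS_URL = "https://auth.goabstract.com/saml/response"
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}


def check_saml_response(xml_text: str) -> dict:
    """Check Destination, Audience and the "email" attribute of a SAML 2.0 response.
    Signature validation is not done here; it must succeed before any of this is trusted."""
    problems = []
    root = ET.fromstring(xml_text)
    # Destination must be the ACS URL the IDP was given.
    if root.get("Destination") != ACS_URL:
        problems.append(f"Destination {root.get('Destination')!r} != {ACS_URL!r}")
    assertion = root.find("saml2:Assertion", NS)
    if assertion is None:
        return {"ok": False, "email": None, "problems": problems + ["no Assertion"]}
    # The Audience must name Abstract's EntityId; otherwise the assertion was issued for another SP.
    audiences = [a.text.strip() for a in assertion.findall(
        "saml2:Conditions/saml2:AudienceRestriction/saml2:Audience", NS) if a.text]
    if SP_ENTITY_ID not in audiences:
        problems.append(f"Audience {audiences} does not include {SP_ENTITY_ID!r}")
    # Abstract expects an Attribute named "email" carrying the user's address.
    email = None
    for attr in assertion.findall("saml2:AttributeStatement/saml2:Attribute", NS):
        if attr.get("Name") == "email":
            value = attr.find("saml2:AttributeValue", NS)
            email = value.text.strip() if value is not None and value.text else None
    if not email:
        problems.append('missing "email" Assertion Attribute')
    return {"ok": not problems, "email": email, "problems": problems}


# Constructed sample response (not captured from any real IDP); Signature element omitted.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
  IssueInstant="2024-01-01T00:00:00Z" Destination="https://auth.goabstract.com/saml/response">
  <saml2:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml2:Conditions><saml2:AudienceRestriction>
      <saml2:Audience>https://auth.goabstract.com</saml2:Audience>
    </saml2:AudienceRestriction></saml2:Conditions>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:type="xs:string">email@example.org</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</samlp:Response>"""
```

Calling `check_saml_response(SAMPLE_RESPONSE)` on the sample returns `ok` true with the email; swapping the Audience for another service provider’s EntityId or renaming the attribute makes the corresponding problem appear in the list.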

How to configure SAML single sign-on using another IDP

To configure SAML single sign-on using another IDP:

  1. Open the Abstract web app.
  2. Go to the Permissions page in the left side bar.
  3. In the Configure SSO section, enter your Metadata URL and Entity ID.
  4. Enter any manual exceptions you might have. Emails listed in the manual exceptions section will bypass SSO and be able to log in with email and password.
    Note: You’ll need to use primary email addresses in the manual exceptions list. SSO activation will fail if the email you list is a user’s secondary email. If that happens, you’ll see an error message with the primary email for the failing account. Add that primary email to the manual exceptions list after you’ve verified you know the user.
  5. Click Test with my Account. If the test fails, you’ll need to contact our support team to manually enable SSO.
  6. Toggle Activate SSO on. 
  7. Click Save Changes.

Configure SCIM provisioning with Okta

Before setting up SCIM provisioning, you’ll need to configure SAML single sign-on using Okta. Additionally, you’ll need to generate a personal access token via the Abstract SDK, as well as a SCIM login JSON file.

Step 1: Configure API Integration in Okta.

  1. In Okta, go to the Settings page, and select API Integration.
  2. Click Configure API Integration.
  3. Check the box next to Enable API Integration.
  4. Enter the credentials you retrieved when generating a personal access token.
    Note: These credentials are different from the ones you use to log in to Abstract.
  5. Click Test API Credentials.
  6. Click Save.

Step 2: Configure “Provisioning To App” Settings in Okta.

  1. In Okta, go to the Settings page, and select To App.
  2. Select which features you wish to enable:
    • Create Users
    • Update User Attributes
    • Deactivate Users
  3. Click Save.

Step 3: Assign the users you wish to provision.

On the Assignments tab, click Assign to start provisioning users.
  1. In Okta, go to the Assignments page. 
  2. Click Assign.
  3. Choose the users you wish to provision.

How to generate a personal access token

In order to set up SCIM provisioning, you’ll need to generate a personal access token.

To generate a personal access token:

  1. Log in to Abstract’s web app with your Admin credentials.
  2. Visit Abstract’s Tokens page.
  3. Select Create API Token and follow the prompts.
  4. Next, open the Abstract web app to locate your Organization ID.
    Note: From the Abstract homepage, you can find your Org ID in the URL, e.g. https://app.goabstract.com/organizations/<org_id>/projects.
  5. Open a shell to run this curl command:
curl https://api.goabstract.com/organizations/<org_id>/generate_scim_login -H "Authorization: Bearer <personal_access_token>"

The returned JSON will include your username and password.