Configure single sign-on (SSO) using another IdP

Before you begin, make sure you have an Admin account (Viewer or Contributor) with Abstract.

Step 1: Configure SAML 2.0 for Abstract

Abstract supports the SAML 2.0 protocol. If your IdP uses SAML 2.0, you may be able to configure SSO in Abstract.

You may need to add the following information to your IdP:

Abstract’s EntityId: https://auth.goabstract.com
Abstract’s Assertion Consumer Service (ACS) URL: https://auth.goabstract.com/saml/response
Audience Restriction: https://auth.goabstract.com

About SAML responses:

  • We currently support only the HTTP POST binding.
  • We expect an “email” Assertion Attribute, as shown below.

<saml2:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">email@example.org</saml2:AttributeValue>
</saml2:Attribute>
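
Before activating SSO, it can help to decode a test response from your IdP and confirm it carries the values listed above. The following is an added example, not Abstract's code: `check_response`, the sample documents, the strict string comparison, and the assumption that the IdP sets `Destination` to the ACS URL are all illustrative.

```python
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
ENTITY_ID = "https://auth.goabstract.com"              # EntityId / Audience Restriction (from this page)
ACS_URL = "https://auth.goabstract.com/saml/response"  # ACS URL (from this page)

def check_response(xml_text):
    """List mismatches between a decoded SAML Response and the settings above.

    Structural pre-flight check only: it does not verify the XML signature,
    so it is not a substitute for the service provider's own validation.
    """
    root = ET.fromstring(xml_text)
    problems = []
    # Assumption: with the HTTP POST binding the IdP sets Destination to the ACS URL.
    if root.get("Destination") != ACS_URL:
        problems.append("Destination does not match the ACS URL")
    audiences = [a.text.strip() for a in
                 root.findall(".//saml2:AudienceRestriction/saml2:Audience", NS) if a.text]
    if ENTITY_ID not in audiences:  # this check is strict: a trailing slash is a mismatch
        problems.append("Audience Restriction does not match the EntityId")
    # This check requires the attribute name to be exactly "email", with a non-empty value.
    values = [v.text.strip() for v in
              root.findall(".//saml2:Attribute[@Name='email']/saml2:AttributeValue", NS)
              if v.text and v.text.strip()]
    if not values:
        problems.append('no "email" attribute with a value')
    return problems

# Constructed sample response (unsigned, trimmed to the elements being checked).
GOOD = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://auth.goabstract.com/saml/response">
  <saml2:Assertion>
    <saml2:Conditions><saml2:AudienceRestriction>
      <saml2:Audience>https://auth.goabstract.com</saml2:Audience>
    </saml2:AudienceRestriction></saml2:Conditions>
    <saml2:AttributeStatement><saml2:Attribute Name="email">
      <saml2:AttributeValue>email@example.org</saml2:AttributeValue>
    </saml2:Attribute></saml2:AttributeStatement>
  </saml2:Assertion>
</samlp:Response>"""

# Constructed misconfiguration: attribute released as "mail", audience with a trailing slash.
BAD = (GOOD.replace('Name="email"', 'Name="mail"')
           .replace("goabstract.com</saml2:Audience>", "goabstract.com/</saml2:Audience>"))

if __name__ == "__main__":
    for label, doc in (("good", GOOD), ("bad", BAD)):
        print(label, check_response(doc))
```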

Step 2: Set up SAML single sign-on in Abstract.

  1. Open the Abstract web app.
  2. Go to the Permissions page in the left sidebar.
  3. In the Configure SSO section, enter your Metadata URL and Entity ID.
  4. Enter any manual exceptions you might have. Emails listed in the manual exceptions section will bypass SSO and be able to log in with email and password.
  5. Note: You’ll need to use primary email addresses in the manual exceptions list. SSO activation will fail if the email you list is a user’s secondary email. If that happens, you’ll see an error message with the primary email for the failing account. Add that primary email to the manual exceptions list after you’ve verified you know the user.
  6. Click Test with my Account. If the test fails, you’ll need to contact our support team to manually enable SSO.
  7. Toggle Activate SSO on.
  8. Click Save Changes.