Using SAML for Single Sign-On (SSO) in xMatters

This article provides an overview of the available resources that can help you configure Single Sign-On (SSO) for xMatters using SAML. Single Sign-On allows users to log on to xMatters by authenticating with a 3rd-party service (your Identity Provider, or IdP) instead of typing their user name and password directly into xMatters.

This overview is intended for power users who are configuring xMatters to use an organization's existing SSO service. It describes where to find documentation about xMatters SAML requirements and provides links to resources on the internet that can help you learn more about configuring SAML. (It goes without saying, but we don't control the content of external links, so traverse the big wild internet at your own risk.)

SAML Overview

Not sure where to start? Take a look at these resources to get up to speed on SAML.

• Check out this SAML 101 video to learn the basics of SAML.

• Or, read the xMatters SAML overview to see how SAML concepts apply to xMatters.

Configuring SAML for xMatters

The xMatters online help contains everything you need to know about working with your Identity Provider (IdP) and setting up SAML in xMatters.

• For information about supported SAML settings, including IdP-initiation, encryption, and where to find xMatters metadata and assertion claim URLs, see xMatters SAML requirements.

• To learn more about the information that is required from your IdP, including the identity provider ID, audience, single sign-on URL, certificates, and user identification, see Identity Provider SAML settings.

• If you're an administrator who wants to learn how to configure SAML in the xMatters UI or how to enable native login for power users, see Configure SAML in xMatters.

• xMatters accepts X.509 certificates for SAML IdP settings, including PEM-, DER-, and CER-encoded certificates. You can upload or replace the active SAML signing certificate there yourself, or coordinate a scheduled update with support.

Note that xMatters does not support Just-In-Time (JIT) user provisioning via SAML. If you need automatic user and group creation or updates, use SCIM-based provisioning instead of relying on first-login creation from SAML assertions.

Troubleshooting SAML

There are many tools that can help you troubleshoot your SAML configuration. These tools allow you to decode encoded SAML responses, verify the XML structure of responses, and inspect response headers. We're not going to try to explain all this magic ourselves, but we wanted to point you to some great content on the web that can help you get started:

• Read an overview of how to get started troubleshooting SAML.

• Dig a little deeper and see how to use Firefox browser plugins to debug SAML.

• Install the SAML Tracer Firefox plugin to view SAML content in HTTP requests.