Guide
Configure single sign-on using Okta, Azure, OneLogin, or your custom identity provider.
Manually managing dozens of users across tools and platforms is a hell of a job. This is when single sign-on (SSO) steps in by centralizing access management.
Single sign-on via Google and Microsoft accounts with the ability to enable and disable authentication methods is available to all customers.
In addition to that, our Enterprise plan includes SAML SSO, which makes it possible to connect Fibery to Okta, Azure, OneLogin, or a custom identity provider (IDP), and provides a SCIM endpoint to handle automatic user provisioning and deprovisioning.
Configuring Fibery
Navigate to Settings in the sidebar.
Enable SAML SSO authentication method.
Paste the URL and the certificate provided by the IDP (e.g. Okta).
(optional) Enable just-in-time provisioning to create Users in Fibery automatically on sign-in instead of inviting them manually in advance.
Feel free to disable all the alternative authentication methods for extra security.
Signing in
Once you enable and configure SAML SSO, a new button appears on your Workspace login page.
Once a user clicks this button, they are redirected to the IDP login before continuing to their Workspace.
The global login page doesn't know anything about the IDP of your particular Workspace, so please navigate directly to YOUR_WORKSPACE.fibery.io to sign in with SSO.
Configuring Okta
Step 1. Create a new Okta app:
Navigate to Applications.
Click on Create App Integration.
Pick SAML 2.0 as sign-in method, click Next.
Step 2. Make it a Fibery app.
Name the App Fibery or Fibery (Workspace Name) if your organization has multiple Workspaces.
Upload the logo.
Step 3. Configure SAML basics
Put https://YOUR_WORKSPACE.fibery.io/login/sso/saml2 in both Single sign on URL and Audience URI (you can copy this URL in the Workspace Settings in Fibery).
Leave Default RelayState blank.
Pick EmailAddress as Name ID format
Pick Email as Application username
Leave the last option as Create and update
Step 4. Configure optional SAML attributes to set Users' names (not just emails) via JIT provisioning.
firstName (Basic) = user.firstName
lastName (Basic) = user.lastName
Go to the next step.
Step 5. Provide feedback (if you'd like to) and finish Okta app creation.
Pick I'm an Okta customer adding an internal app.
(optional) Provide feedback to Okta and finish the setup.
Step 6. Grab the URL and the certificate and paste them into Fibery.
View Setup Instructions for SAML 2.0.
Copy first the URL (1) and then the certificate (3).
Paste them into Fibery SAML SSO configuration.
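To confirm the Okta settings from Steps 3 and 4 before rolling SSO out, you can check a decoded SAML response from a test sign-in against them. This is an added example, not Fibery's or Okta's code: the function name, the workspace name your-workspace and the sample XML are constructed, it assumes Okta's default of using the single sign-on URL as the Destination, and it checks configuration fields only, not the signature.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample of a decoded SAML response (signature omitted); it has
# two deliberate mistakes: wrong Name ID format and no lastName attribute.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://your-workspace.fibery.io/login/sso/saml2">
  <saml:Assertion>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe</saml:NameID>
    </saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://your-workspace.fibery.io/login/sso/saml2</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="firstName"><saml:AttributeValue>J</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def check_response(xml_text, workspace):
    """Return mismatches between a SAML response and the Step 3-4 settings."""
    expected = f"https://{workspace}.fibery.io/login/sso/saml2"
    root = ET.fromstring(xml_text)
    problems = []
    # Single sign on URL (Okta uses it as Destination by default: assumption)
    if root.get("Destination") != expected:
        problems.append("Destination != Single sign on URL")
    # Audience URI
    audiences = [a.text.strip() for a in root.iterfind(".//saml:Audience", NS) if a.text]
    if expected not in audiences:
        problems.append("Audience != Audience URI")
    # Name ID format must be EmailAddress and carry an email
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID format is not EmailAddress")
    elif "@" not in (name_id.text or ""):
        problems.append("NameID value is not an email")
    # Optional attributes that give JIT-provisioned users their names
    present = {a.get("Name") for a in root.iterfind(".//saml:Attribute", NS)}
    problems += [f"attribute {n} missing" for n in ("firstName", "lastName")
                 if n not in present]
    return problems
```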
Configuring another identity provider
If you use another IDP and their guide is of no help, please reach us via Intercom — we'll make it work together. Once we do, a new section will appear in this guide :)
If you are using AD FS as an SSO provider, you might need to disable sending the RequestedAuthnContext flag. Be sure to contact support in this case.
SCIM endpoint
Fibery provides a SCIM endpoint that SSO providers can use to update users' status, i.e. to add new users to a workspace or deactivate existing ones.
Step 1. Make sure JIT provisioning is disabled in the Workspace settings in Fibery as SCIM handles the same thing but provides automatic de-provisioning as well.
The rest of the configuration is done on Okta's side.
Step 2. Navigate to the existing app
Step 3. Edit it, enable SCIM provisioning, and save changes.
Step 4. Open the Provisioning tab and fill out details:
SCIM connector base URL: https://<your-account-name>.fibery.io/api/scim/v2 (URL is also available in Workspace Settings in Fibery)
Unique identifier field for users: email
Supported provisioning actions: check Import New Users and Profile Updates, Push New Users, Push Profile Updates
Authentication Mode: HTTP Header
Authorization: Provide your API token. Note that you need to be an admin in the workspace.
Please note that the integration is set up on behalf of a specific user. As a safety precaution, Fibery will not deactivate this user in response to a SCIM request, so that the API token stays valid. If this user needs to be deactivated, be sure to update the API token first.
Save changes.
Step 5. Navigate to the To App section in the sidebar, enable the Create Users and Deactivate Users options, and save changes.
Now all users who are assigned to the application in Okta will be automatically created in Fibery and all users deactivated or unassigned in Okta will also be deactivated in Fibery.
Step 6 (optional). Sync assignments between Fibery and Okta
This step can be safely skipped if your workspace doesn't have other users yet.
But if there are existing users in Fibery who were also assigned in Okta before SCIM was set up, you need to run the Import now command on the Import tab in Okta to "match" them between the systems, so that future deactivations are handled correctly.
In this scenario, Fibery serves as the source of truth for assignments. That means that if some assignments were present in Okta but not in Fibery, they will be automatically removed from the app in Okta. And if Fibery has more assignments, there will be a prompt to create new assignments in Okta. Matching assignments will be "linked" automatically during import.
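The outcome of Steps 5 and 6 can be audited by comparing the users reported by the SCIM endpoint with the users assigned to the app in the IDP. This is an added example, not Fibery's or Okta's code: it assumes the endpoint returns a standard SCIM 2.0 ListResponse (RFC 7644) with the email in userName, and the function name, report keys and all sample data are constructed.

```python
import json

# Constructed sample: body of GET <SCIM connector base URL>/Users, assuming a
# standard SCIM 2.0 ListResponse. Not captured from a real workspace.
SCIM_USERS = json.loads("""{
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
  "totalResults": 4,
  "Resources": [
    {"id": "1", "userName": "admin@example.com", "active": true},
    {"id": "2", "userName": "Alice@example.com", "active": true},
    {"id": "3", "userName": "bob@example.com",   "active": true},
    {"id": "4", "userName": "carol@example.com", "active": false}
  ]
}""")

# Constructed sample: emails currently assigned to the Fibery app in the IDP.
IDP_ASSIGNED = {"alice@example.com", "carol@example.com", "dave@example.com"}


def reconcile(scim_list, idp_assigned, integration_user):
    """Classify accounts by comparing workspace state with IDP assignments."""
    assigned = {e.lower() for e in idp_assigned}
    owner = integration_user.lower()
    report = {"orphaned": [], "inactive_but_assigned": [],
              "missing": [], "token_owner_unassigned": []}
    seen = set()
    for user in scim_list.get("Resources", []):
        email = user["userName"].lower()  # unique identifier field: email
        seen.add(email)
        active = user.get("active", True)
        if email == owner:
            # Fibery does not deactivate the user whose API token runs the
            # integration, so an unassigned owner needs a manual token update.
            if email not in assigned:
                report["token_owner_unassigned"].append(email)
        elif active and email not in assigned:
            report["orphaned"].append(email)  # still active, not assigned
        elif not active and email in assigned:
            report["inactive_but_assigned"].append(email)
    report["missing"] = sorted(assigned - seen)  # assigned, never created
    return report
```

Accounts under orphaned are still active in the workspace without an IDP assignment, so they are the ones to review first after running Import now.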
Troubleshooting
Things fail sometimes. If a request to the SCIM endpoint fails, Okta stores the actions still to be performed on the Dashboard → Tasks page.
FAQ
If a company is on the Enterprise plan and has SSO enabled for the internal team and uses their corporate credentials, can the normal login with Fibery credentials be used by other users?
The Admin has full control over which authentication methods are used, and you can combine them: SSO + Google, for example. But you cannot configure one set of users to use only SSO and another set to use only Microsoft accounts.
This means that there are still some limitations and potential conflicts.
Imagine you have a company and you use SSO. So you enable it, configure it, and use it in Fibery as well. Then some contractors or customers appear. You invite them to Fibery, but you can't invite them to SSO. You have to enable some other option; in the general case it would be email + password. But at the same time you want to restrict your employees from using email + password, allowing only SSO. Sorry, that's not possible.
When users are created, what type of user are they created as?
They are created as Members.
If "Google account" is enabled, and a user account doesn't already exist for a user, what happens?
Fibery will say that the workspace is forbidden for this user. JIT provisioning applies only to SSO; the usual Google sign-in won't trigger it.
I'm using third parties (like Zapier and Make.com) that push information into Fibery. Will those zaps stop working if we turn off the "Email and Password" authentication option?
Nope, everything will survive.
Does enabling SSO create new billable users?
No, enabling SSO by itself does not create new users or billable accounts. It simply adds an authentication method.
What happens if we enable SSO but disable both SCIM and JIT?
In that case, no new users will be created.
Users are only created if:
SCIM is enabled and syncing users, or
A new user logs in via SSO and JIT (Just-In-Time provisioning) is enabled.