SAML/SSO with Azure AD
Account Holders have numerous security settings and options available in Litmus to protect users and content. You can configure SAML single sign-on between Litmus and Azure, with Azure acting as the identity provider.
Before you start
- Only the Account Holder can access and configure SAML settings in Litmus.
- New user seat creation is not supported via SAML. Users must be created within Litmus first and then authenticated via your IdP before they log in to Litmus.
- SSO with SAML can only be configured at the parent account level and is automatically applied to all subaccounts on your plan.
NOTE: SAML functionality is available with Litmus Enterprise plans.
Start with Litmus settings
Sign in to Litmus, find Your Subaccounts in the left menu, then Security and finally the SAML tab in the popup window.
Slide the Enable SAML toggle to on.
If you would like to require your users to only access Litmus via SSO, you can select the Enforce sign-in with SAML box.
NOTE: When this option is active, the main Litmus account holder will still be able to sign in to Litmus using their Litmus credentials via the Litmus login screen. This is to prevent the main account holder from getting locked out of full account administrative functionality. Other users will be required to log in via SAML. Password resets using the Forgotten Password? option on the regular Litmus login screen will be disabled for all users.
Select Generic as your IDP.
Name the application Azure AD.
Automatic Azure AD setup
Log in to Azure Active Directory Admin Center. Go to Enterprise Applications. Search for Litmus and choose it by selecting the app name.
Within the Litmus Application page in Azure, choose Single sign-on in the left-hand menu, then select SAML.
Allow our Entity ID and Assertion Consumer Service URL to be added automatically. Otherwise, use the following manual setup steps.
Continue with manual Azure AD setup
From Litmus, copy the Post-back URL (Assertion Consumer Service URL) value and add it in the Azure Step 1 Reply URL.
From Litmus, copy the Audience URL (Service Provider Entity ID) value and add it to the Azure Identifier.
Next, go to Step 3 in Azure, download the provided Certificate (Base64), and open it in your favorite text editor.
Copy all of the text from the Base64 certificate and paste it into Litmus under X.509 Certificate.
From Step 5, copy the Login URL found under Configuration URLs for the application in your Azure instance and add this as the SAML 2.0 Endpoint (HTTP) in Litmus.
In Litmus, select Save SAML settings to finish your setup.
Test your connection
Make sure that you have a Litmus user with the same email address as the account you are logged in with in Azure AD. If one does not exist, create a new user with that same email address. Select Test this application in Azure, then Sign in as current user.
If the test is successful, you will be sent to your Litmus home page. Next, you can begin giving users permission to the Litmus platform from the Litmus Enterprise Application in Azure.
Select Users and Groups, then Add user. Email addresses for Litmus users must match the email addresses in your Azure AD account.
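Because seats are not created via SAML and email addresses must match, it helps to reconcile the two user lists before selecting Enforce sign-in with SAML. The following is an added example, not Litmus or Microsoft code: it assumes you have the Litmus user emails and the Azure AD assigned-user emails as plain lists (all names and addresses are constructed), and it flags case-only differences for review because the page does not say whether matching is case-sensitive.

```python
# Added example: reconcile Litmus users against Azure AD assignments.
# Both address lists and all names below are constructed assumptions.

def _clean(addresses):
    # Trim whitespace and drop blank entries from a pasted or exported list.
    return {a.strip() for a in addresses if a.strip()}

def reconcile(litmus_emails, azure_emails, account_holder):
    """Return a dict of lists describing how the two sides line up.

    ok            identical address in Litmus and Azure AD
    case_mismatch (litmus, azure) pairs differing only in letter case
    no_seat       assigned in Azure AD, but no Litmus user exists
    locked_out    Litmus user with no Azure AD assignment
    """
    litmus, azure = _clean(litmus_emails), _clean(azure_emails)
    azure_by_fold = {a.casefold(): a for a in sorted(azure)}
    litmus_folded = {a.casefold() for a in litmus}
    holder = account_holder.strip().casefold()
    report = {"ok": [], "case_mismatch": [], "no_seat": [], "locked_out": []}
    for addr in sorted(litmus):
        if addr in azure:
            report["ok"].append(addr)
        elif addr.casefold() in azure_by_fold:
            # The page only says addresses must match; review these by hand.
            report["case_mismatch"].append((addr, azure_by_fold[addr.casefold()]))
        elif addr.casefold() != holder:
            # The Account Holder keeps password sign-in under enforcement.
            report["locked_out"].append(addr)
    report["no_seat"] = sorted(
        a for a in azure if a.casefold() not in litmus_folded)
    return report

# Constructed sample data (not real accounts).
LITMUS_USERS = ["holder@example.com", "ana@example.com",
                "Ben@example.com", "cho@example.com ", ""]
AZURE_ASSIGNED = ["ana@example.com", "ben@example.com", "dev@example.com"]

if __name__ == "__main__":
    result = reconcile(LITMUS_USERS, AZURE_ASSIGNED, "holder@example.com")
    for category, entries in result.items():
        print(f"{category}: {entries}")
```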