SAML/SSO with a generic or custom IdP
This section explains step by step how to configure SAML single sign-on (SSO) between Litmus and your custom identity provider (IdP).
Things to note
- New user seat creation is not supported via SAML. Users must be created within Litmus first and then authenticated via your IdP prior to logging into Litmus.
- Only the Litmus account holder will be able to access and configure SAML settings on an account.
- SSO with SAML can only be configured at the parent account level and is automatically applied to all subaccounts on your plan.
- SAML functionality is available with a Litmus Enterprise plan.
How to set up SAML/SSO with a generic or custom IdP
1. As the Litmus account holder, sign in to Litmus, open Your Subaccounts in the side menu, then select “Security” and finally the “SAML” tab in the popup window.
2. Toggle on “Enable SAML”.
3. If you would like your users to only access Litmus via SSO with your IdP solution, you can check the box “Force sign in with SAML”.
Note: When this option is active:
- The main Litmus account holder will still be able to sign in to Litmus using their Litmus credentials via the Litmus login screen. This is to prevent the main account holder from getting locked out of full account administrative functionality. Other users will be forced to log in via SAML.
- Password resets using the “Forgotten Password?” option on the regular Litmus login screen will be disabled for all users.
4. Select ‘Generic’ as your IdP.
5. Take note of the “Post-back URL (Assertion Consumer Service URL)” and “Audience URI (Service Provider Entity ID)”, as you will need these when configuring a new app for Litmus within your IdP solution.
6. Log in to your preferred Identity Provider as an administrator.
7. Following the IdP documentation, create an "app" that uses the Post-back URL and the Audience URI from step 5. If you have the option to upload a Litmus logo as an app icon, you can find one here.
8. Configure the IdP application to allow access to all the relevant users within the organization.
9. Once the app is created within your IdP solution, locate and copy the “single sign-on URL”. Then return to the SAML configuration page within Litmus (as outlined within step 1) and paste it into the “SAML 2.0 Endpoint (HTTP)” field.
10. Repeat the above process, but this time locate and copy the “X.509 Signing Certificate” from your IdP and paste it into the “X.509 Certificate” field on the SAML configuration page within Litmus.
11. Click the 'Save SAML settings' button at the bottom of the screen.
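For steps 9 and 10, many IdPs also publish both values in a SAML 2.0 metadata XML file. The script below is an added example (not Litmus or IdP vendor code) that reads such a file and returns the single sign-on URLs by binding plus the signing certificate as PEM with its SHA-256 fingerprint. It assumes your IdP exports standard metadata; the `idp.example.test` URLs and certificate bytes are constructed placeholders, and the page does not say which binding the “SAML 2.0 Endpoint (HTTP)” field expects.

```python
import base64
import hashlib
import textwrap
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def fingerprint(der: bytes) -> str:
    """SHA-256 of the DER bytes as colon-separated upper-case hex."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def read_idp_metadata(xml_text: str) -> dict:
    """Return SSO endpoints keyed by binding and the IdP signing certificates."""
    idp = ET.fromstring(xml_text).find(".//md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    endpoints = {e.get("Binding").rsplit(":", 1)[-1]: e.get("Location")
                 for e in idp.findall("md:SingleSignOnService", NS)}
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without "use" serves both signing and encryption.
        if kd.get("use") not in (None, "signing"):
            continue
        for node in kd.findall(".//ds:X509Certificate", NS):
            b64 = "".join((node.text or "").split())
            der = base64.b64decode(b64, validate=True)
            pem = ("-----BEGIN CERTIFICATE-----\n" + "\n".join(textwrap.wrap(b64, 64))
                   + "\n-----END CERTIFICATE-----\n")
            certs.append({"pem": pem, "sha256": fingerprint(der)})
    if not certs:
        raise ValueError("no signing certificate in metadata")
    return {"sso_endpoints": endpoints, "signing_certs": certs}

# Constructed sample metadata; the "certificates" are placeholder bytes, not real X.509.
SAMPLE_DER = b"constructed placeholder bytes, not a real certificate"
ENC_DER = b"constructed encryption-only placeholder"
_KD = ('<md:KeyDescriptor use="{}"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{}'
       '</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>')
_SSO = '<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:{}" Location="{}"/>'
SAMPLE_METADATA = (
    f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}" entityID="https://idp.example.test/saml">'
    '<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
    + _KD.format("signing", base64.b64encode(SAMPLE_DER).decode())
    + _KD.format("encryption", base64.b64encode(ENC_DER).decode())
    + _SSO.format("HTTP-Redirect", "https://idp.example.test/sso/redirect")
    + _SSO.format("HTTP-POST", "https://idp.example.test/sso/post")
    + "</md:IDPSSODescriptor></md:EntityDescriptor>")

if __name__ == "__main__":
    print(read_idp_metadata(SAMPLE_METADATA))
```

Compare the returned fingerprint with the one your IdP console shows for its signing certificate before pasting the PEM into the “X.509 Certificate” field.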