Overview

Dust supports SAML Single Sign-On (SSO) to manage your team's access to our platform securely and effortlessly using your existing Identity Provider (IdP). This feature simplifies user management and enhances security by centralizing authentication.

📘

Supported Identity Providers

While this guide focuses on generic SAML configuration, Dust works seamlessly with all major SAML-compliant Identity Providers including:

  • Okta
  • Azure AD
  • Google Workspace
  • OneLogin

Setting up SAML Single Sign-On (SSO)

To enable SSO for Dust using SAML, follow these steps to create a custom app integration in your Identity Provider (IdP).

1. Identify an Admin

Choose an admin with comprehensive access to both your IdP admin dashboard and Dust admin. This is necessary as enabling SAML SSO requires creating a custom integration in your IdP.

2. Get Your Dust SAML Configuration Values

  1. In Dust, navigate to Admin > Member Management > Single Sign-On > Activate Single Sign-On
  2. You'll find all the necessary SAML configuration values that you'll need to set up your IdP:
    • ACS (Assertion Consumer Service) URL
    • Entity ID / Audience URI

Keep this page open as you'll need these values in the next step.

3. Create a Custom App Integration in your IdP

  1. Navigate to your IdP's admin dashboard and locate the section for creating new applications or integrations.
  2. Select SAML 2.0 as the protocol when creating a new application.
  3. Configure the following SAML settings using the values from Dust:
    • Application Name: Enter "Dust" as the app name
    • ACS (Assertion Consumer Service) URL: Copy from Dust
    • Entity ID / Audience URI: Copy from Dust
    • Logo: You can find our logo here.

⚠️

Keep your IdP configuration page open

You'll need to copy several pieces of information for the next step:

  • IdP Single Sign-On URL
  • IdP Entity ID
  • X.509 Certificate

SAML Attributes Configuration

The following SAML attributes must be properly configured in your IdP for successful login. All attributes are required to ensure complete user profile information and proper system functionality.

Required SAML Attributes

  • Email

    • Claim name: email
    • Schema URI: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
    • Used for user identification and authentication
    • Must match the user's email address
  • First Name

    • Claim name: given_name
    • Accepted Schema URIs (any of the following):
      • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
      • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
    • Sets the user's first name in Dust
  • Last Name

    • Claim name: family_name
    • Schema URI: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
    • Sets the user's last name in Dust

📘

Attribute Mapping Reference

For IdP administrators, here's the complete attribute mapping schema in JSON format:

{
  "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
  "given_name": [
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
  ],
  "family_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
}
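The mapping above can be checked mechanically before a first login attempt. The following Python script is an added example, not Dust's own code or any part of its product: it parses a SAML assertion, resolves each Dust claim name to the first accepted attribute URI that is present (so given_name is satisfied by either the givenname or the name URI) and lists the required claims that are missing. The two sample assertions, the issuer URL and the helper names (extract_attributes, map_claims, check_assertion) are constructed for this example; it assumes the IdP sends the claims in a standard AttributeStatement, as the mapping JSON describes.

```python
"""Check a SAML assertion against the attribute mapping documented above.

Added example (not Dust's code). It only checks attribute presence and
naming; signature, Conditions and Audience validation are the Service
Provider's job and must succeed before any attribute value is trusted.
"""
import xml.etree.ElementTree as ET

# Mapping copied from the page: Dust claim name -> accepted SAML Attribute Name URIs.
ATTRIBUTE_MAP = {
    "email": ["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"],
    "given_name": [
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
    ],
    "family_name": ["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"],
}

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def extract_attributes(assertion_xml: str) -> dict:
    """Collect {Attribute Name: [values]} from every AttributeStatement.

    The standard-library parser is fine for the constructed input below; for
    assertions received over the wire use defusedxml or a similarly hardened parser.
    """
    root = ET.fromstring(assertion_xml)
    found = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [
            v.text.strip()
            for v in attr.iterfind("saml:AttributeValue", SAML_NS)
            if v.text and v.text.strip()
        ]
        found.setdefault(attr.get("Name"), []).extend(values)
    return found


def map_claims(attributes: dict, mapping: dict = ATTRIBUTE_MAP):
    """Resolve each claim to its first accepted URI that carries a non-empty value.

    Returns (claims, missing): claims maps Dust claim names to the supplied
    value; missing lists claims that no accepted URI satisfied.
    """
    claims, missing = {}, []
    for claim, accepted_uris in mapping.items():
        for uri in accepted_uris:
            if attributes.get(uri):
                claims[claim] = attributes[uri][0]
                break
        else:
            missing.append(claim)
    return claims, missing


def check_assertion(assertion_xml: str):
    """Parse one assertion and return (claims, missing)."""
    return map_claims(extract_attributes(assertion_xml))


# Constructed sample assertions (not captured from any real IdP).
_HEAD = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_constructed" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">'
    "<saml:Issuer>https://idp.example.invalid/metadata</saml:Issuer>"
    "<saml:AttributeStatement>"
)
_TAIL = "</saml:AttributeStatement></saml:Assertion>"


def _attr(uri: str, value: str) -> str:
    """Build one saml:Attribute element for the constructed samples."""
    return (
        f'<saml:Attribute Name="{uri}">'
        f"<saml:AttributeValue>{value}</saml:AttributeValue></saml:Attribute>"
    )


# Complete: email, given_name via the givenname URI, family_name via surname.
COMPLETE_ASSERTION = (
    _HEAD
    + _attr(ATTRIBUTE_MAP["email"][0], "jane.doe@example.com")
    + _attr(ATTRIBUTE_MAP["given_name"][0], "Jane")
    + _attr(ATTRIBUTE_MAP["family_name"][0], "Doe")
    + _TAIL
)

# Incomplete: given_name arrives under the alternative "name" URI, surname is absent.
INCOMPLETE_ASSERTION = (
    _HEAD
    + _attr(ATTRIBUTE_MAP["email"][0], "jane.doe@example.com")
    + _attr(ATTRIBUTE_MAP["given_name"][1], "Jane")
    + _TAIL
)

if __name__ == "__main__":
    for label, xml in (("complete", COMPLETE_ASSERTION), ("incomplete", INCOMPLETE_ASSERTION)):
        claims, missing = check_assertion(xml)
        print(f"{label}: claims={claims} missing={missing}")
```

Run it as-is to see the complete sample resolve all three claims and the incomplete one report family_name as missing; to test your own IdP's output, paste a decoded assertion from a test login into check_assertion and confirm the missing list is empty before enabling Auto-join or enforcing SSO.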

4. Enabling SAML Single Sign-On (SSO) in Dust

  1. Return to the Dust SSO configuration page (Admin > Member Management > Single Sign-On > Activate Single Sign-On)
  2. Enter the following details from your IdP setup:
    • IdP Single Sign-On URL
    • X.509 Certificate

Once you've entered this information, click on Create SAML Configuration. SAML SSO is now enabled on your workspace.

If Auto-join Workspace is enabled, all members attempting to log in to Dust using their enterprise email addresses will be automatically redirected to your IdP for authentication.

5. Enforcing SAML Single Sign-On (SSO) in Dust

After enabling SSO, you have the option to enforce it across the entire workspace. This means that users will no longer be able to log in using their social media accounts. Please note that enabling this setting will log out all users who are not currently using SAML, and they will be required to log back in using their IdP credentials.