Smartlook supports single sign-on (SSO) using the SAML 2.0 protocol. SSO will allow members of your organization to access Smartlook via the identity provided by your SAML identity provider.
Single sign-on configuration
To configure SSO you'll need the metadata of your SAML identity provider and access to your identity provider's configuration in order to upload Smartlook's SAML metadata. If you want to know how SAML works or need to brush up on these terms, you can read our overview of SAML at the bottom of this article.
To begin please open single sign-on section in Smartlook settings. If you cannot see this section you don't have sufficient permissions for SSO configuration in your organization. Please contact your organization's admin.
You can choose from three ways of uploading your SAML identity provider's metadata into Smartlook
- Providing the URL of your metadata XML file
- Uploading the contents of your metadata XML file
- Manually uploading the metadata fields required by Smartlook
If possible we recommend that you provide URL of your identity provider's metadata XML file. This can be done by clicking the Set metadata URL button in the Configuration section. If you provide the URL Smartlook can automatically renew your metadata in case they expire and you will not have to worry. In case the renewal fails, we will let you know by email.
You can also upload metadata file contents by clicking the Upload metadata button. This way we cannot automatically renew your metadata but we'll let you know by email so that you can upload new version.
You can check which metadata URL, if any, we'll be using and for how long your metadata will be valid in the middle of the Configuration section of your SSO settings page.
In case neither of the two methods above are applicable, you can manually fill in your metadata. You'll need to fill in entity ID (sometimes known as issuer), both login and logout endpoints and add at least one certificate of your SAML identity provider.
To finish the configuration, domains of your organization's member's emails are required, please fill in at least one email domain that members of your organization use into the Domains section. Please bear in mind that all users that enter email addresses with the domains you provide will be redirected to login at your identity provider.
The only thing that's left to do in Smartlook is to turn on SSO for your users by clicking the toggle at the top part of Configuration section. Now in case you haven't already configured Smartlook on your identity provider you need to either download Smartlook's metadata file or copy it's link. It can be found at the top part of the SSO settings section. Information about how to setup Smartlook SAML SSO with few common identity providers can be found in the next section. After this last step your single sign-on should be fully configured and working.
When SSO is turned on all members of your organization have to use SSO for login and registration. However admins can still log in via email and password. This means that if you make a mistake when configuring your single sign-on or your metadata expires your admins will still be able to access Smartlook and fix all issues.
Configuring Smartlook SAML for common identity providers
Smartlook has an official Okta integration in the Okta Integration Network. Follow Okta's documentation on how to add this application to your organization. Using the official Smartlook application is the easiest way to use Smartlook SSO with Okta.
To configure Smartlook SAML 2 with Azure AD please use our metadata file which can be found in single sign-on section of your Smartlook organization settings mentioned above. You also need to properly fill the User Attributes & Claims section of your Azure single sign-on configuration which is not filled from the metadata file. You need to add 2 new properties. First property has name
Attribute and value
user.userprincipalname. The namespace should stay blank. Second property has source set to
urn:oid:0.9.2342.19200300.100.1.3 and value should be the same as on the following screenshot:
After this your Smartlook single sign-on with Azure AD should be good to go.
SAML 2 overview
Security Assertion Markup Language (SAML) 2.0 allows organizations to manage identities that their members use to log into services they need. This means that your organization has complete control of user accounts and identities in your Smartlook organization.
How SAML 2.0 works is displayed on the following diagram:
In SAML the parties are known as identity provider, who manages the identities, and service provider, who provides service that users administrated by the identity provider consume. In our scenario you, or your authentication service, are the identity provider and Smartlook is the service provider.
As a user you must first request SSO login in Smartlook by pressing Company login button on Smartlook's login screen. This takes you to SSO login screen where you enter your company email address. Smartlook then matches this email to SSO configuration of your organization and redirects you to your company's login portal. After you log in the browser redirects you back to Smartlook which receives the authentication result from your identity provider and can use this to log the user into Smartlook as well. Since we know which organization you belong to we'll also automatically assign you to your Smartlook organization.