Overview
Sana Agents employs SAML for Single Sign-On (SSO) functionality, a feature integral to the platform. Sana Agents simplifies this setup by leveraging SAML Metadata files, ensuring a seamless integration experience. While we recommend providing a URL for configuration, please note that while most Identity Providers support this, some may not. Initially, the default assertion fields are sufficient for initiating SSO, but we advise customizing the Name ID before the first sign-in. To assist you in this process, our ACS test page allows you to review outcomes and adjust fields until you achieve your desired configuration.
Prerequisites
Owners access to your Sana Agents workspace.
Before enabling SSO in your workspace, you should set up Domain Control Verification (DCV). This ensures that users logging in through SSO have validated email addresses, which is necessary to have all features properly function.
For assistance with DCV setup, please refer to our help center article on Domain Control Validation.Permissions to administer applications in your identity provider.
Setup
Below we will provide you with generic instructions how to setup SSO in Sana Agents, where applicable we will also provide steps for some specific identity providers. Just expand the instructions for your specific identity provider.
Step 1 - Add a Single Sign-On configuration in Sana Agents
Log in as an owner to your Sana Agents workspace.
Navigate to Settings β Workspace settings... β General and scroll down to Sign in methods.
Click the Add method button and then select Single Sign On - SAML in the dropdown.
Expand the newly created sign in method to expose the configuration.
If you want, enter a name for your identity provider. If no name is provided "SSO" is used.
Click the Save button in the expanded sign-in configuration. Keep it disabled for now.
Step 2 - Create an application in your Identity Provider (IDP)
Create a new application specifically for Sana Agents within your IDP. Follow the instructions for your provider below.
Microsoft Azure / Entra
Microsoft Azure / Entra
In the search box, type "enterprise" and then click on the Enterprise applications result.
βClick the New application button in the top left.
Click Create your own application.
In the sidebar, type the name of the application and click the Create button at the bottom of the window. Make sure the third "Non-gallery" option is selected.
When the app has been created, click the Set up single sign on card.
Select SAML
Click the Upload metadata file button.
Browse to select the metadata file you just downloaded and the click the Add button.
In the sidebar that comes up, the urls have been pre-filled. Click the Save button and then close the sidebar.
A popup will appear asking if you want to test the configuration. Discard the popup.
In the third card named SAML Certificates, copy the App Federation Metadata Url to the clipboard.
Okta
Okta
Log in to the Okta admin dashboard. Navigate to the Applications page and click the Create App Integration button.
In the popup, select SAML 2.0 and click the Next button.
Enter a name for the application and click Next.
Paste the metadata url you copied from Sana Agents into the fields marked Single sign-on URL and Audience URI (SP Entity ID).
For Application username pick the one you think will change the least over time. If the username changes the user will receive a new account.
Make sure you have at least the following attributes configured. For more information on what attributes are available to configure see the Assertions section of this article.
Scroll down and click the Next button in the box marked B.
On the next page, click the Finish button.
When the application has finished being created, navigate to the Sign On tab.
Copy the metadata url.
Step 3 - Provide metadata to Sana Agents
Go back to the SSO configuration in Sana Agents.
Paste the metadata url you just copied in the previous step into the field labeled Identity provider metadata url (preferred).
Click the Save button in the expanded sign-in configuration. Keep it disabled for now.
Step 4 - Test sign in
Test the single sign on from your IDP to make sure everything works correctly before enabling it for all users.
Microsoft Azure / Entra
Microsoft Azure / Entra
After saving the metadata configuration. A popup will appear asking you to test the configuration. Click the Yes button.
Another sidebar will appear. Click the Test sign in button.
After selecting a user you should end up on the Sana Agents SAML test page (see below) if you left the SSO Configuration disabled. If you enabled it, you should now be logged in to the Sana Agents workspace. If you did not finish the DCV setup for your domain you will be asked to link your accounts.
Okta
Okta
Assign yourself to the application.
Go to your end user dashboard from the top right of the page.
Click on the application you created for Sana Agents.
After clicking the application you should end up on the Sana Agents SAML test page (see below) if you left the SSO Configuration disabled. If you enabled it, you should now be logged in to the Sana Agents workspace. If you did not finish the DCV setup for your domain you will be asked to link your accounts.
β
When testing sign in with a disabled configuration you should end up on the SAML test page. This page shows you if the assertions passed all checks, what attributes you have configured, and which ones are missing.
β
If you already enabled the SSO configuration in Sana Agents you will instead be signed in. If you were already signed in but did not finish the DCV setup you will instead see a page where you can link your already signed in account with the SSO account.
Step 5 - Add users
Assign users and groups to the application in your identity provider.
SCIM
If you want you can continue to setup SCIM which will automatically synchronize your users, making it possible to share content with them before they login.
Step 6 - Enable the SSO configuration in Sana Agents
Go back and tick the Enabled checkbox inside the expanded sign in configuration.
Click the Save button inside the expanded sign in configuration.
Reload the page, you should be asked to link your account with your SSO sign-in. Click the Sign in with <the name of your IDP> button. And follow the sign-in process of your identity provider.
Sign out from Sana Agents. You should end up on your workspace url with the sign in options where your new SSO configuration should be one of the options.
Step 7 - All done
The setup has been completed. You can start directing users to sign in with SSO. Users can sign in in two ways:
Your identity provider may list the available applications to a user, allowing the to sign in directly from there.
Through Sana Agents by visiting the workspace url and clicking the Sign in with <your IDP name> button.
β
Your workspace url is https://sana.ai/<workspace id>.
Assertions
Sana Agents recognizes several assertions, with the email and a special Name ID field being mandatory. Additionally, specifying the display name and image URL is recommended for enhanced functionality.
Name ID
The most important assertion is the ID you will represent the user with in our database. Often, email is used, but since the email address often changes, because of marriage, or mergers, we prefer if you use some sort of persistent ID. UPN (or User Principal Name) is better than email. In Azure, there is theuser.pairwise
which is the optimal assertion type/value for Name ID it is however not available to choose in the SCIM configuration, so use it only when SCIM is not to be used.
βEmail
The provision of an email address is required. We will retrieve it from the specified assertions, adhering to the following sequence:
β
Field names:
β
Display Names
The inclusion of a display name is discretionary, with retrieval from various assertion fields. Depending on the field, it may be sourced either directly or from pairs of fields. The fields will be attempted in the specified sequence below until a valid display name is obtained or all fields have been exhausted:
β
Field names:
βImage URL
This serves as a link to the user's profile picture. Please note that currently, the profile picture is only set upon user creation and will not be updated if changed thereafter.
β
Field name:imageUrl
βRole
This denotes the user's role within the product. If provided, it will override the user's default role upon login. Should you opt not to include the role field, access roles will need to be managed within the product. You can adjust this behavior as needed by either including or excluding this field from the assertion.
β
Field name:role
β
Available roles:βviewer
editor
owner
For further information about Sana Agents, please contact [email protected] via email.