Configure single sign-on
Single sign-on (SSO) is an authentication method that allows users to sign in to multiple independent software systems using one set of credentials. Observe supports a number of SSO providers via the SAML 2.0 protocol. To configure your SAML identity provider to work with Observe, follow the provider-specific instructions below. If your SSO provider is not listed, please contact Observe Support for further assistance.
Using friendly stem names in addition to or instead of customer ID based URLs increases the complexity of SSO configuration, and may require further configuration choices.
Note: NOTE THE CERTIFICATE EXPIRATION DATE! If this is your first time configuring Observe to use SAML for authentication, the certificate issued by your IDP will eventually expire. If you previously configured other SAML apps, the certificate may be an older one. Observe does not currently warn about the expiration date. When this certificate expires, your SAML integration stops functioning.
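Because Observe does not warn about expiration, you can run the check yourself against the metadata XML exported from your IDP. The following is an added example, not Observe's or any provider's own code: it uses only the Python standard library to read the notAfter date of each certificate in the metadata. The function names, the 30-day threshold and the sample metadata (whose certificate is a constructed structural stand-in) are assumptions.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

DS = "{http://www.w3.org/2000/09/xmldsig#}"  # namespace of X509Certificate elements

def tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low 7 bits count the length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def not_after(der_cert):
    """Return notAfter (UTC) from a DER-encoded X.509 certificate."""
    _, pos, _ = tlv(der_cert, 0)         # Certificate SEQUENCE
    _, pos, _ = tlv(der_cert, pos)       # tbsCertificate SEQUENCE
    tag, _, end = tlv(der_cert, pos)
    pos = end if tag == 0xA0 else pos    # skip the optional [0] version
    for _ in range(3):                   # serialNumber, signature, issuer
        _, _, pos = tlv(der_cert, pos)
    _, pos, _ = tlv(der_cert, pos)       # validity SEQUENCE
    _, _, pos = tlv(der_cert, pos)       # skip notBefore
    tag, start, end = tlv(der_cert, pos)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime or GeneralizedTime
    return datetime.strptime(der_cert[start:end].decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def cert_expiries(metadata_xml, now=None):
    """Return [(not_after, days_left)] for each certificate in IdP SAML metadata."""
    now = now or datetime.now(timezone.utc)
    certs = ET.fromstring(metadata_xml).iter(DS + "X509Certificate")
    ends = [not_after(base64.b64decode("".join(c.text.split()))) for c in certs]
    return [(end, (end - now).days) for end in ends]

def sample_metadata():
    """Constructed metadata; the certificate is a structural stand-in, not a real one."""
    der = lambda tag, body: bytes([tag, len(body)]) + body
    validity = der(0x30, der(0x17, b"250101000000Z") + der(0x17, b"270101000000Z"))
    tbs = der(0x30, der(0xA0, der(2, b"\x02")) + der(2, b"\x01") + der(0x30, b"") * 2 + validity)
    b64 = base64.b64encode(der(0x30, tbs)).decode()
    return ('<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" '
            'xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><IDPSSODescriptor><KeyDescriptor>'
            f'<ds:KeyInfo><ds:X509Data><ds:X509Certificate>{b64}</ds:X509Certificate>'
            '</ds:X509Data></ds:KeyInfo></KeyDescriptor></IDPSSODescriptor></EntityDescriptor>')

if __name__ == "__main__":
    for end, days in cert_expiries(sample_metadata()):
        print(f"{'RENEW SOON' if days < 30 else 'ok'}: expires {end:%Y-%m-%d} ({days} days left)")
```

To use it on real data, pass the contents of your IDP's metadata file to cert_expiries() and run it on a schedule, so the renewal is planned before the integration stops functioning.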
Single sign-on providers
Single sign-on is available with Observe and the following providers:
Disabling users in your identity provider
What happens in Observe when you disable a user in an identity provider that you've integrated with Observe using SAML? The answer depends on whether you have SCIM set up for user provisioning.
Disable a user without SCIM
If you have SAML integration without SCIM set up and you disable a user in your own identity provider, without making any changes in Observe, users who are already logged in can continue to use the product until their token expires. They then need to sign in again through the IDP, at which point the IDP blocks them.
Any content the user created in Observe remains in the system and is not deleted.
Disable a user with SCIM
If you have SAML integration and disable a user in your own identity provider, without making any changes in Observe, and you have SCIM set up, your identity provider makes a request to Observe to disable the user on Observe's side.
A disabled user's tokens no longer work and the user will be unable to use the product. The user still appears on the Users page and can be managed like any other user, for example, get added to a group.
When a disabled user is re-enabled, everything will work just as it did before the user got disabled.
Any content created by a disabled user remains in the system and is not deleted.