Supported Features
Tubular currently supports the following features:
- Service Provider (SP) Initiated flow
Tubular does not support the following features:
- Identity Provider (IDP) Initiated Flow
- SAML JIT (Just In Time) Provisioning
Common Settings
SSO post-back up URL
https://tubularlabs.com/auth/oauth/login?connection=CONNECTION_NAME
Entity ID
urn:auth0:tubularlabs:CONNECTION_NAME
Considerations
- Your IDP must ensure a user is both authenticated and authorized before sending an assertion. If a user isn't authorized, assertions should not be sent. We recommend your identity provider redirects people to an HTTP 403 page or something similar.
- The CONNECTION_NAME is a unique identifier for your connection. It should only contain alphanumeric characters and hyphens and must be less than 128 characters in length.
- We recommend that you include your company name as a part of the connection name to ensure that the name is unique. For example, Acme Corp may name their connection Acme-Login.
- If you plan on setting up a TEST or STAGING connection first, give it the same connection name in Tubular as you plan to use for your live connection.
Certificates
Tubular requires that the SAML response is signed, and you will need to paste a valid X.509 Certificate to verify your identity.
Your Signature Algorithm should be set to RSA-SHA256 with a Digest Algorithm of SHA256.
Attributes
NameID REQUIRED
<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
Email Attribute REQUIRED
<saml2:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
<saml2:AttributeValue xsi:type="xs:string">
userName@domain.com
</saml2:AttributeValue>
</saml2:Attribute>
First Name Attribute
<saml2:Attribute Name="first_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
<saml2:AttributeValue xsi:type="xs:string">
FirstName
</saml2:AttributeValue>
</saml2:Attribute>
Last Name Attribute
<saml2:Attribute Name="last_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
<saml2:AttributeValue xsi:type="xs:string">
LastName
</saml2:AttributeValue>
</saml2:Attribute>
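An added example, not Tubular's own code: a Python lint that checks a decoded sample assertion from your IDP against the Certificates and Attributes requirements above, plus the connection-name rule. It inspects declared algorithms and fields only and does not verify the signature. The function names, the constructed sample, and treating a NameID without a Format as unspecified (the SAML default) are assumptions.

```python
import re
import xml.etree.ElementTree as ET  # for untrusted XML use a hardened parser (e.g. defusedxml)

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
NAMEID_FORMATS = {"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", UNSPECIFIED}

def valid_connection_name(name):
    # Alphanumeric characters and hyphens only, fewer than 128 characters.
    return re.fullmatch(r"[A-Za-z0-9-]{1,127}", name) is not None

def lint_assertion(xml_text):
    """Return a list of problems; an empty list means every check passed."""
    root, problems = ET.fromstring(xml_text), []
    sig = root.find(".//ds:Signature", NS)
    if sig is None:
        problems.append("unsigned: no ds:Signature element")
    else:
        method = sig.find(".//ds:SignatureMethod", NS)
        if method is None or method.get("Algorithm") != RSA_SHA256:
            problems.append("SignatureMethod is not RSA-SHA256")
        digests = sig.findall(".//ds:DigestMethod", NS)
        if not digests or any(d.get("Algorithm") != SHA256 for d in digests):
            problems.append("DigestMethod is not SHA256")
    name_id = root.find(".//saml2:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("NameID missing or empty")
    elif name_id.get("Format", UNSPECIFIED) not in NAMEID_FORMATS:
        problems.append("NameID Format is not emailAddress or unspecified")
    values = root.findall(".//saml2:Attribute[@Name='email']/saml2:AttributeValue", NS)
    if not any((v.text or "").strip() for v in values):
        problems.append("email attribute missing or empty")
    return problems

# Constructed sample: signature values elided, SHA-1 digest and no email attribute on purpose.
SAMPLE = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:Signature><ds:SignedInfo>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    <ds:Reference><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/></ds:Reference>
  </ds:SignedInfo></ds:Signature>
  <saml2:Subject><saml2:NameID>userName@domain.com</saml2:NameID></saml2:Subject>
  <saml2:AttributeStatement><saml2:Attribute Name="first_name">
    <saml2:AttributeValue>FirstName</saml2:AttributeValue></saml2:Attribute></saml2:AttributeStatement>
</saml2:Assertion>"""
print(valid_connection_name("Acme-Login"), lint_assertion(SAMPLE))
```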
Set up Tubular as a SAML 2.0 service provider (SP)
Once you’ve finished configuring your IDP, send your connection details to your Customer Success Manager or our Support team to finalize the integration of your IDP with Tubular. Send us the following pieces of information, which you should have saved from the steps above:
- The Connection Name you configured above.
- The SSO/Login URL. You can find this in the SingleSignOnService HTTP Redirect tag of your IDP-metadata XML file.
- The X.509 Certificate. Send the entire contents of the certificate, taken from your IDP or from your IDP-metadata XML file. It is required for SSO setup.
Our team will then input these fields to make the connection to your IDP.
After your credentials are authenticated, you and all of your seat holders will be redirected to sign in through your IDP when signing in to Tubular Labs.
Once SSO is set up for your organization, it will be the only method your users can use to log into the platform. We don’t currently have the option for some users to still use a password for logging in after SSO is linked. User passwords will no longer be managed through Tubular. If a user attempts to reset their Tubular password, it will have no effect. Please refer your users to your internal help desk for assistance recovering their SSO account for your IDP.