JetBrains Space Help

SAML 2.0 Auth Module

The SAML 2.0 authentication module lets you configure Space as a SAML Service Provider (SAML SP). SAML supports single sign-on (SSO) across multiple domains.

When you configure and enable a SAML 2.0 authentication module in Space:

  • Space users will be able to log in to Space with the credentials that are managed in a specified third-party identity provider (SAML IdP).

  • Space users will have fewer accounts and passwords to remember.

  • New users with accounts in the connected service will be able to create their own accounts in Space.

Single sign-on initiation

The SAML 2.0 authentication module supports both service-provider (SP) and identity-provider (IdP) initiation for single sign-on (SSO). Which side initiates the login request depends on where the user signs in to Space from.

  • If the user signs in through an external login portal or access management provider (for example, OneLogin), the request is initiated by the IdP.

  • If the user signs in by clicking the button for the IdP in the Space login page, the request is initiated by Space as SP.

To support this behavior, the RelayState parameter for your SAML IdP must be empty. If you set a value for this parameter in the configuration for your IdP, the redirection to Space results in a Can't restore state error.

Enable SAML 2.0 authentication

To enable SAML 2.0 authentication, configuration is required on both sides: the identity provider (IdP) and Space. The actual setup procedure depends on the identity provider (IdP) you're going to use, but usually involves the following general steps:

  • In Space, start creating a new SAML 2.0 auth module. The New Auth Module form provides you with necessary parameters to configure your identity-provider (IdP).

  • On the identity-provider (IdP) side, set up a SAML identity service (application) using the information from the SAML 2.0 auth module form in Space, such as SP entity ID and ACS URL.

  • On both sides, configure the SAML attributes for user accounts.

  • In Space, specify the required parameters generated by the identity-provider (IdP), such as SAML SSO URL, IdP entity ID, IdP certificate fingerprint.

    If the IdP service does not provide a fingerprint of their certificate, create one yourself by applying SHA256 to the certificate. For example, you can use SAML Tool to create one.

  • In Space, activate the SAML 2.0 authentication module.
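The fingerprint step above (and the Okta step later on this page, where the module derives it from an uploaded X.509 certificate) can also be done with a few lines of code. The following script is an added example, not part of the Space documentation or Okta's tooling: it reads the IdP certificate as PEM or as a bare base64 body, returns its SHA256 fingerprint in colon-separated hex, and checks it against a configured value without caring about case or separators. The function names and the sample PEM (a constructed placeholder, not a real certificate) are assumptions of this example.

```python
"""Derive and check the SHA-256 fingerprint of a SAML IdP X.509 certificate.

Accepts a PEM block or the bare base64 body some IdP consoles display without
BEGIN/END markers; the fingerprint is the SHA-256 digest of the DER bytes.
"""
import base64
import binascii
import hashlib
import hmac
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def certificate_der(text: str) -> bytes:
    """Return the DER bytes of the first certificate found in `text`."""
    match = PEM_RE.search(text)
    body = match.group(1) if match else text
    body = re.sub(r"\s+", "", body)  # drop line breaks and stray whitespace
    try:
        return base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError("input is not a base64/PEM encoded certificate") from exc


def fingerprint_sha256(text: str, separator: str = ":") -> str:
    """SHA-256 fingerprint of the certificate, e.g. 'AB:CD:...' (32 byte pairs)."""
    digest = hashlib.sha256(certificate_der(text)).hexdigest().upper()
    return separator.join(digest[i:i + 2] for i in range(0, len(digest), 2))


def matches_fingerprint(text: str, configured: str) -> bool:
    """True if the certificate's fingerprint equals the configured one.

    Accepts 'AB:CD', 'ab:cd', 'ab cd' or 'abcd' forms; compares in constant time.
    """
    normalised = re.sub(r"[^0-9a-fA-F]", "", configured).upper()
    return hmac.compare_digest(fingerprint_sha256(text, separator=""), normalised)


# Constructed placeholder: the body "YWJj" is base64 for the bytes b"abc", not a
# real certificate. Substitute the PEM text copied from your IdP's console.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    print(fingerprint_sha256(SAMPLE_PEM))
```

Paste the printed value into the IdP certificate fingerprint field, or use matches_fingerprint to confirm that a certificate served by the IdP still matches what is configured in Space.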

Example: Configure Okta as SAML Identity Provider in Space

There are many SAML-based Single Sign-On services you can use. In this example we'll configure Okta to work with Space as a SAML IdP. These instructions assume that you have an account with Okta.

Get parameters from your Space SAML 2.0 auth module

  1. On the navigation bar, click Administration and choose Auth Modules.

  2. Click New auth module. The New Auth Module dialog opens.

  3. From the Type drop-down list, select SAML 2.0.

  4. Collect values from the following fields on the form:

    • SP entity ID
    • ACS URL

Set up a new SAML IdP application in Okta

  1. In a new browser tab or window, sign in to your Okta organization as an administrator.

  2. Create a new SAML application for the Space service. Follow the Okta instructions to create it.

  3. Provide the values that you have gathered from your Space SAML 2.0 auth module:

    • Paste SP entity ID into the Audience URI field.

    • Paste ACS URL into the Single sign on URL field.

  4. Specify the following values for the fields:

    Field                  Value
    Default RelayState     leave blank
    Name ID format         Email Address
    Application username   Email

Set SAML attributes

  1. In Space, scroll down the SAML 2.0 auth module form to the Attributes section.

  2. In Okta, locate the Attribute Statements section and add attributes. Specify the names to match the corresponding field names in Space and provide the following values:

  3. Click Finish when done to create your SAML application in Okta.

Provide Okta-generated parameters to Space and enable the module

  1. In Okta, go to the Sign On tab and click the View Setup Instructions button:


    A page with the parameters of your Okta IdP will open.

  2. Copy the values and paste them into the corresponding fields of the SAML 2.0 auth module form in Space:

    Okta Field Name                         Space Field Name
    Identity Provider Single Sign-On URL    SAML SSO URL
    Identity Provider Issuer                IdP entity ID
    X.509 Certificate                       IdP certificate fingerprint

    To generate the fingerprint, copy the certificate from Okta, then in Space, click Upload X.509 certificate… and paste it into the pop-up window.

  3. Switch the SAML 2.0 auth module status to Active:

  4. Click Create to save your settings and enable the module.

Last modified: 15 December 2020