JetBrains Space Help

SAML 2.0 Auth Module

The SAML 2.0 authentication module lets you configure Space as a SAML service provider (SAML SP). SAML supports single sign-on (SSO) across multiple domains.

When you configure and enable a SAML 2.0 authentication module in Space:

  • Space users will be able to log in to Space with the credentials that are managed in a specified third-party identity provider (SAML IdP).

  • Space users will have fewer accounts and passwords to remember.

  • New users with accounts in the connected identity provider will be able to create their own accounts in Space.

Single sign-on initiation

The SAML 2.0 authentication module supports both service-provider-initiated (SP-initiated) and identity-provider-initiated (IdP-initiated) single sign-on (SSO). Which side initiates the login request depends on where the user signs in to Space from.

  • If the user signs in through an external login portal or access management provider (for example, OneLogin), the request is initiated by the IdP.

  • If the user signs in by clicking the button for the IdP on the Space login page, the request is initiated by Space as SP.

To support both modes, the RelayState parameter (Default RelayState) configured for your SAML IdP must be empty. Space uses RelayState only to find the login it started itself; if you set a fixed value in the IdP configuration, Space cannot match it to any pending login and the redirection back to Space fails with a Can't restore state error.
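The following added example models the two initiation modes and the RelayState rule described above. It is an illustration, not JetBrains Space code: the SamlSp class, its pending-state table, the outcome strings and the constructed, unsigned SAML Response are all assumptions made for the demo. A real SP verifies the XML signature against the IdP certificate before reading anything from the response; that step is deliberately left out here.

```python
"""Model of how a SAML SP tells IdP-initiated from SP-initiated SSO and
restores its own state from RelayState. Hypothetical illustration, not
JetBrains Space code; signature verification is deliberately omitted."""
import base64
import secrets
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"


class CantRestoreState(Exception):
    """RelayState is non-empty but names no login this SP started."""


class SamlSp:
    def __init__(self):
        # relay-state token -> {"request_id": AuthnRequest ID, "return_url": ...}
        self.pending = {}

    def start_sp_initiated_login(self, return_url):
        """User clicked the IdP button on the SP login page. The SP mints an
        AuthnRequest ID and an opaque RelayState token and remembers both."""
        request_id = "_" + secrets.token_hex(16)
        relay_state = secrets.token_urlsafe(24)
        self.pending[relay_state] = {"request_id": request_id, "return_url": return_url}
        return request_id, relay_state

    def consume_response(self, saml_response_b64, relay_state):
        """ACS endpoint. A real SP verifies the XML signature against the
        IdP certificate BEFORE this point; nothing below is trustworthy otherwise."""
        root = ET.fromstring(base64.b64decode(saml_response_b64))
        in_response_to = root.get("InResponseTo")
        name_id = root.find(".//saml:Subject/saml:NameID", NS)
        if name_id is None or name_id.get("Format") != EMAIL_NAMEID:
            raise ValueError("expected a NameID in emailAddress format")
        email = (name_id.text or "").strip()

        if in_response_to is None:
            # IdP-initiated (user came from the Okta/OneLogin portal): the SP
            # saved nothing, so a non-empty RelayState cannot be matched.
            if relay_state:
                raise CantRestoreState(relay_state)
            return {"initiator": "idp", "email": email, "return_url": "/"}

        # SP-initiated: RelayState must name a pending login, and the
        # response must answer exactly the request that login issued.
        state = self.pending.pop(relay_state, None)   # one-shot: no replay
        if state is None or state["request_id"] != in_response_to:
            raise CantRestoreState(relay_state)
        return {"initiator": "sp", "email": email, "return_url": state["return_url"]}


def outcome(sp, saml_response_b64, relay_state):
    """String summary so the cases can be compared side by side."""
    try:
        r = sp.consume_response(saml_response_b64, relay_state)
        return f"{r['initiator']} login for {r['email']} -> {r['return_url']}"
    except CantRestoreState as e:
        return f"Can't restore state (RelayState={e})"


def make_response(in_response_to=None, email="alice@example.com"):
    """Constructed, UNSIGNED SAML Response for the demo; the Issuer value is
    a placeholder, not a real Okta entity ID."""
    irt = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    xml = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_resp1" Version="2.0" IssueInstant="2023-07-07T00:00:00Z"{irt}>
  <saml:Issuer>http://www.okta.com/exkPLACEHOLDER</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2023-07-07T00:00:00Z">
    <saml:Subject><saml:NameID Format="{EMAIL_NAMEID}">{email}</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    sp = SamlSp()
    print(outcome(sp, make_response(), ""))                    # IdP-initiated: accepted
    print(outcome(sp, make_response(), "https://portal/app"))  # Default RelayState set: error
    req_id, token = sp.start_sp_initiated_login("/p/main/issues")
    print(outcome(sp, make_response(req_id), token))           # SP-initiated: accepted
    print(outcome(sp, make_response(req_id), token))           # same token replayed: error
```

The second call is the misconfiguration the text warns about: the IdP sends a non-empty RelayState that the SP never issued, so there is nothing to restore. Because an IdP-initiated response carries no InResponseTo, the SP cannot tie it to a request of its own; the assertion's ID, Conditions and signature are all it has, which is why the signature check belongs before any of this logic.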

Enable SAML 2.0 authentication

To enable SAML 2.0 authentication, configuration is required on both sides: the identity provider (IdP) and Space. The actual setup procedure depends on the identity provider you're going to use, but usually involves the following general steps:

  • In Space, start creating a new SAML 2.0 auth module. The New Auth Module form shows the parameters you need to configure your identity provider (IdP).

  • On the identity-provider (IdP) side, set up a SAML identity service (application) using the information from the SAML 2.0 auth module form in Space, such as SP entity ID and ACS URL.

  • On both sides, configure the SAML attributes for user accounts.

  • In Space, specify the parameters generated by the identity provider (IdP): SAML SSO URL, IdP entity ID and IdP certificate fingerprint.

    If the IdP does not show a fingerprint of its signing certificate, compute a SHA-256 fingerprint of the certificate yourself, for example with SAML Tool, or paste the certificate into Space and let Space derive the fingerprint (see the Okta example below).

  • In Space, activate the SAML 2.0 authentication module.

Example: Configure Okta as SAML Identity Provider in Space

There are many SAML-based single sign-on services you can use. In this example we'll configure Okta to work with Space as a SAML IdP. These instructions assume that you have an administrator account with Okta.

Get parameters from your Space SAML 2.0 auth module

  1. On the main menu, click Administration and choose Auth Modules.

  2. Click New auth module. The New Auth Module dialog opens.

  3. From the Type drop-down list, select SAML 2.0.

  4. Collect the values from the following fields on the form:

    • SP entity ID

    • ACS URL

Set up a new SAML IdP application in Okta

  1. In a new browser tab or window, sign in to your Okta organization as an administrator.

  2. Create a new SAML 2.0 application for Space, following the Okta instructions.

  3. Provide the values that you have gathered from your Space SAML 2.0 auth module:

    • Paste SP entity ID into the Audience URI field.

    • Paste ACS URL into the Single sign on URL field.

  4. Specify the following values for the fields:

     Field                  Value
     Default RelayState     leave blank
     Name ID format         Email Address
     Application username   Email

Set SAML attributes

  1. In Space, scroll down the SAML 2.0 auth module form to the Attributes section and note the attribute names it lists.

  2. In Okta, locate the Attribute Statements section and add one attribute statement per Space attribute. Give each statement the same name as the corresponding field in Space and map its value to the matching Okta user profile attribute.

  3. Click Finish when done to create your SAML application in Okta.

Provide Okta-generated parameters to Space and enable the module

  1. In Okta, go to the Sign On tab and click the View Setup Instructions button. A page with the parameters of your Okta IdP opens.

  2. Copy the values and paste them into the corresponding fields of the SAML 2.0 auth module form in Space:

     Okta field name                         Space field name
     Identity Provider Single Sign-On URL    SAML SSO URL
     Identity Provider Issuer                IdP entity ID
     X.509 Certificate                       IdP certificate fingerprint

    To generate the fingerprint, copy the certificate from Okta, then in Space click Upload X.509 certificate… and paste it into the pop-up window; Space derives the fingerprint from the pasted certificate.

  3. Switch the SAML 2.0 auth module status to Active.

  4. Click Create to save your settings and enable the module.
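The general steps above say to compute a SHA-256 fingerprint yourself when the IdP does not show one, and the Okta steps let Space derive it from a pasted certificate. The following added example (not Space's or Okta's code) shows what that computation is: decode the PEM block, hash its DER bytes, and format the digest as colon-separated hex, then compare it in constant time with a fingerprint obtained from elsewhere so a SHA-1 value pasted into a SHA-256 field is caught. SAMPLE_PEM is a constructed stand-in whose base64 body is just the bytes b"hello", not a real certificate, so the expected digest can be checked by hand.

```python
"""Compute and compare the SHA-256 fingerprint of a PEM certificate using
only the standard library. Added example, not JetBrains Space code."""
import base64
import hashlib
import hmac
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Constructed stand-in: the base64 body decodes to b"hello", NOT a real
# certificate. A real IdP certificate pastes in with the same wrapper lines.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
aGVsbG8=
-----END CERTIFICATE-----"""


def pem_to_der(pem_text):
    """Return the DER bytes of the first certificate in a PEM blob.
    Line breaks and stray whitespace inside the body are tolerated."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no PEM certificate block found")
    body = "".join(m.group(1).split())
    return base64.b64decode(body, validate=True)


def fingerprint(pem_text, algorithm="sha256"):
    """Digest of the DER encoding as 'AB:CD:...', the form most IdP
    consoles and SP configuration screens display."""
    digest = hashlib.new(algorithm, pem_to_der(pem_text)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp):
    """Strip colons, spaces and case so values copied from different tools
    ('ab:cd', 'AB CD', 'abcd') compare equal."""
    return re.sub(r"[^0-9A-Fa-f]", "", fp).upper()


def fingerprints_match(pem_text, expected, algorithm="sha256"):
    """Constant-time comparison. A length mismatch (40 hex chars for SHA-1
    versus 64 for SHA-256) means the wrong kind of fingerprint was pasted."""
    got = normalize(fingerprint(pem_text, algorithm))
    want = normalize(expected)
    return len(got) == len(want) and hmac.compare_digest(got, want)


if __name__ == "__main__":
    print("SHA-256:", fingerprint(SAMPLE_PEM))
    print("SHA-1:  ", fingerprint(SAMPLE_PEM, "sha1"))
    # A SHA-1 value offered where SHA-256 is expected is rejected by length.
    print(fingerprints_match(SAMPLE_PEM, fingerprint(SAMPLE_PEM, "sha1")))
```

Whatever tool produces the value, the fingerprint is how Space recognises the certificate your IdP signs assertions with, so when Okta rotates its signing certificate the fingerprint in the auth module has to be updated as well or logins will start failing.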

Last modified: 07 July 2023