SAML single sign-on
To enable SAML single sign-on (SSO) for authentication to DX, you must update settings in your SAML identity provider (IdP) as well as your DX workspace.
In a SAML configuration, DX functions as a SAML service provider (SP). See below for links to documentation for common identity providers:
SAML Provider | Documentation |
---|---|
Microsoft ADFS | Link |
Microsoft Entra | Link |
Okta | Link |
OneLogin | Link |
PingOne | Link |
Shibboleth | Link |
Enabling SAML SSO
To enable SAML SSO, take the Single sign-on URL (ACS URL) and the Audience URI (SP Entity ID) shown in the SAML SSO settings in DX and configure them in your IdP, then enter the Metadata URI published by your IdP in DX.
Below are detailed descriptions of these three values:
Value | Other Names | Description | Example |
---|---|---|---|
ACS URL | Single sign-on URL | The location an identity provider redirects its authentication response to. | https://app.getdx.com/saml/acs/alazsZt7oh8xRbqK3nx0iwn5Xo41Lm |
SP Entity ID | Audience URI, SP URL, audience restriction | Used to identify the issuer of a SAML request and the audience of a SAML response. | https://app.getdx.com/saml/sp/GvlKAGFgllQ14qP6amC1Duf6JOxr1T |
Metadata URI | IdP Metadata URI | URL where the IdP publishes its SAML metadata. | https://app.onelogin.com/saml/metadata/a592596a-cfdb-3758-88d7-80b36a817128 |
When applicable, the NameID should use the emailAddress format (urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress) and must contain an email address that matches the user's email address in DX. If you need matching based solely on the part of the email address preceding @, combined with a set of allowlisted domains, please contact DX support.
Requiring SAML SSO
You can enable SAML SSO in your organization without requiring all members to use it. Enabling but not requiring SAML SSO in your organization can help smooth adoption. When SAML SSO is enforced, all other methods of authentication (e.g., passwordless email, Slack OpenID) are disabled.