SafetyCulture
Last updated:

Set up single sign-on (SSO) with SafetyCulture

Learn how to set up single sign-on (SSO) for your SafetyCulture organization.

Why set up single sign-on?

Single sign-on (SSO) is a great way to mitigate site access risks and reduce password fatigue from different username and password combinations. With SafetyCulture, you can set up SSO with any authentication solution that utilizes the Security Assertion Markup Language (SAML) 2.0 standard. This includes some of the most common solutions such as Active Directory (ADFS, Azure), PingFederate, Google, and Okta.

Please note that our customer support team can only provide limited help for single sign-on and user provisioning. If your organization is on the Enterprise Plan, please contact your customer success manager for assistance.

How do I get started with single sign-on?

You just need to make sure your organization is on the Premium Plan or Enterprise Plan and that your single sign-on solution utilizes the Security Assertion Markup Language (SAML) 2.0 standard. If you're not sure, you can confirm with your IT team.

If your organization uses Azure Active Directory for single sign-on, and you want to set up JIT user provisioning, you can also refer to Microsoft's support article for instructions.

Please note that the Microsoft Gallery app currently doesn't support SCIM user provisioning.

What you'll need

Single sign-on connections are organization-specific. If you’re a part of multiple organizations and want to set up a single SSO connection for all your organizations, please contact your Customer Success Manager for assistance.

Single sign-on options

You can set up either SAML or ADFS SSO with one of the following options:

  • Service Provider (SP)-initiated SSO (recommended): A user that tries to log in via SafetyCulture will be automatically redirected to your company's SSO portal for authentication. A successful authentication will automatically redirect the user back to SafetyCulture.

  • Identity Provider (IdP)-initiated SSO: A user that tries to log in via SafetyCulture must start from your company's SSO portal for authentication. A successful authentication will take the user to SafetyCulture.

Set up single sign-on (SSO)

  1. Log in to the web app.

  2. Click your organization name on the lower-left corner of the page and select Organization settings.

  3. Select Security on the top of the page.

  4. Click Set up in the "Single sign-on (SSO)" box. Set up single sign-on (SSO) via the web app.

  5. Select which SSO connection you want to use and configure your connection accordingly.

  6. Click Complete setup.

  7. Click Close.

Configure Generic SAML

SafetyCulture uses Auth0 as the SSO broker, which requires the following settings:

  • Assertion-consumer Service URL (Application Callback URL)

  • Entity ID (Audience)

This information is provided during the SSO setup process within the SafetyCulture web app. If the Identity Provider offers a choice for bindings, you should select "HTTP-Redirect" for the authentication request.

An example of a SAML single sign-on setup on the web app.

Active Directory Federation Services (ADFS)

Active Directory Federation Services (ADFS) is a commonly used SSO solution that's created by Microsoft. ADFS manages authentication through a proxy service, hosted between a company's Active Directory and SafetyCulture.

ADFS Web Services Federation

Follow the instructions to connect SafetyCulture as an app to ADFS and apply the following settings where required:

  • Realm Identifier:

    urn:auth0:safetyculture

  • Relying Party Trust identifier:

    urn:auth0:safetyculture

  • Endpoint:

    https://safetyculture.au.auth0.com/login/callback

ADFS SAML WebSSO

Follow the instructions to add SafetyCulture as a relying party and apply the following settings where required.

  • Display Name:

    urn:auth0:safetyculture.au.auth0.com

  • Relying party trust identifier:

    urn:auth0:safetyculture.au.auth0.com

  • Post-back URL:

    https://safetyculture.au.auth0.com/login/callback?connection={name_provided_in_app}

  • Entity ID:

    urn:auth0:safetyculture

Frequently asked questions

Yes, you can restrict your organization's users to logging in via your SSO provider by setting your SSO login type to "Allow SSO login only".

It's likely that you haven't set the "email" attribute or claim in your SAML responses. Please check if you have an attribute called "email" in your SAML responses. If the email in the response isn't called "email", please rename the field to "email".

If the above steps still don't resolve the problem, please reach out to your point of contact from SafetyCulture for assistance.

Once the single sign-on for your organization is set up successfully, you can enable IdP-initiated login via the web app:

  1. Log in to the web app.

  2. Click your organization name on the lower-left corner of the page and select Organization settings.

  3. Select Security on the top of the page.

  4. Click Edit iconEdit in the "Single sign-on (SSO)" box.

  5. Turn IdP initiated login on. The Identity Provider (IdP)-initiated login setting for single sign-on with SafetyCulture.

  6. Click Save changes.

Please reach out to your point of contact from SafetyCulture for assistance.

No, you don't need to verify the email domains for your organization's SSO to work. However, if you want to use just-in-time (JIT) provisioning for your organization, you'll need to verify the email domains.

Need more help?
Email
Phone
Ask the community

Thank you for letting us know.

If you would like a reply from someone, please contact us atsupport@safetyculture.com.

In this article