Configure SAML SSO

What you will build

By the end of this tutorial, members of your workspace will be able to sign in using your organisation's Identity Provider (IdP), without a separate HOWLOPS password.

Time: approximately 15 minutes
Plan required: Enterprise
Prerequisites: Owner or Admin role in HOWLOPS; Admin access to your IdP

---

Concepts

The platform acts as a SAML 2.0 Service Provider (SP). Your IdP authenticates users and sends a signed SAML assertion back to the platform. You need to exchange two pieces of information between the SP (HOWLOPS) and the IdP:

• SP Metadata — tells the IdP how to address and sign responses for HOWLOPS
• IdP Metadata — tells HOWLOPS where to redirect users and how to verify assertion signatures

---

Step 1 — Retrieve your SP Metadata

1. In HOWLOPS, go to Settings → Security → Single Sign-On.
2. Note down (or copy) the following values:

Value	Where it goes
SP Metadata URL	Enter into your IdP to auto-configure
SP Entity ID	Enter manually into IdP if auto-config is unavailable
ACS URL	Enter manually into IdP if auto-config is unavailable

---

Step 2 — Configure your Identity Provider

Select your IdP:

Okta

1. In Okta Admin Console: Applications → Applications → Create App Integration → SAML 2.0 → Next.
2. App name: HOWLOPS (or any label). Click Next.
3. In the SAML Settings section:
   • Single sign-on URL (ACS URL): paste the ACS URL from HOWLOPS.
   • Audience URI (SP Entity ID): paste the SP Entity ID from HOWLOPS.
   • Name ID format: EmailAddress
   • Application username: Email
4. Click Next → Finish.
5. In the Sign On tab, click View SAML setup instructions and copy the IdP Metadata URL.

Microsoft Entra ID (Azure AD)

1. Azure Portal → Microsoft Entra ID → Enterprise Applications → New application → Create your own application.
2. Name: HOWLOPS, select Integrate any other application…, click Create.
3. Go to Single sign-on → SAML.
4. In Basic SAML Configuration:
   • Identifier (Entity ID): SP Entity ID from HOWLOPS
   • Reply URL (ACS URL): ACS URL from HOWLOPS
5. Save. Under SAML Signing Certificate, copy the App Federation Metadata URL.

Google Workspace

1. Google Admin Console → Apps → Web and mobile apps → Add app → Add custom SAML app.
2. Name: HOWLOPS. Click Continue.
3. Download the IdP metadata XML or copy the SSO URL, Entity ID, and Certificate.
4. In the Service provider details step:
   • ACS URL: paste ACS URL from HOWLOPS
   • Entity ID: paste SP Entity ID from HOWLOPS
   • Name ID format: EMAIL
   • Name ID: Basic Information > Primary email
5. Click Finish.

---

Step 3 — Complete SSO setup in HOWLOPS

1. Go to Settings → Security → Single Sign-On.
2. Paste your IdP Metadata URL into the field (or upload the XML file).
3. Enter your SSO domain — the email domain your users sign in with (e.g. yourcompany.com).
4. Click Save configuration.

---

Step 4 — Test the connection

1. Click Test SSO connection in HOWLOPS.
2. A new browser tab opens, redirecting you to your IdP login.
3. Log in with your IdP credentials.
4. If successful, you are redirected back with a green confirmation banner.

---

Step 5 — (Optional) Enforce SSO

Enforce mode blocks password-based login for all workspace members — everyone must authenticate through the IdP.

1. In Settings → Security → SSO, toggle Enforce SSO.
2. Click Save.

---

Troubleshooting

Problem	Likely cause	Fix
SAML response signature invalid	IdP certificate expired or metadata stale	Re-fetch metadata from IdP and re-save
Redirect loop on login	ACS URL or Entity ID mismatch	Check for trailing slash differences
User not found after SSO	Email in assertion does not match HOWLOPS account	Ensure IdP sends email as NameID
IdP metadata could not be fetched	Metadata URL unreachable	Upload XML directly
Members locked out after enforce	Members not in IdP	Disable enforce, provision users, re-enable

---

What's next

• Concepts: Plans & tiers — Enterprise plan features
• How-to: Rotate API tokens — manage API access