Skip to main content

SAML Authentication

This document outlines the process to register DeployGate as a SAML app. This operation requires “Administrator” privileges


Enterprise plans support user authentication using SAML (Security Assertion Markup Language). Using user account information already registered with an organization’s authentication provider (IdP: Identity Provider), Single Sign-On to DeployGate is available.

DeployGate is a SAML 2.0 compliant service provider (SP) and can be integrated with various authentication providers, including Google Workspace, OneLogin, and Microsoft Entra ID (Formally known as Azure AD).

This document outlines the steps to set up SAML authentication with the various authentication providers.

Authentication methods cannot be combined

When enabling SAML authentication, all of the Enterprise’s accounts will switch to a dedicated login screen for user authentication. Please note that this cannot be used in conjunction with Google Workspace authentication or standard DeployGate login methods.

Enabling SAML authentication

Both DeployGate and IdP must be properly configured to enable SAML authentication. Because the terminology for SAML authentication settings varies by the IdP, the following is a general overview of a typical process. Please make sure you read and understand the details of each IdP setting before proceeding with the configuration. We have specific configuration instructions for major IdPs, including Google Workspace and Microsoft Entra ID, so please refer to those documents for more details.

To enable SAML authentication, open the Enterprise Admin Console’s settings page. Then, select “Authentication” from the left menu and select Enable SAML authentication from the SAML Authentication section.

ScreenShot of Google Workspace

A settings wizard will appear and will guide you through the set up process, so enter the information required for SAML authentication into the form.

ScreenShot of Google Workspace

In the Your IdP Settings section, enter the IdP’s information to proceed with the integration with DeployGate. The information in this section is unique to each IdP and is typically provided by the IdP. This information is displayed when adding an SAML app in Google Workspace or when registering an app in OneLogin. (For details, please see the specific tutorials)

SettingsDescription
IdP NameThe name of the authentication provider that is displayed to members. The name can be anything, so we suggest a clear and descriptive name. It can be a service provider, such as OneLogin or Google Workspace, or “XX Company’s Google Workspace account.”
IdP Entity IDThe Entity ID provided by the IdP. The IdP typically provides this as part of the SP’s settings information.
SSO (Single Sign-On) URLThe URL for the IdP’s login screen. The IdP typically provides this as part of the SP’s settings information.
SLO (Single Logout) URLThe URL required to terminate IdP login sessions with SP-initiated SLO. The IdP typically provides this as part of the SP’s settings information.
IdP CertificateThe certificate that validates communication between the IdP and SP. Please use a X.509 format PEM file prepared by the IdP.

It’s also possible to autofill the fields by Importing a metadata file (XML). Please note that this overwrites manual entries. To save the settings, select the save button (for manual entries) or the import button (for imports).

The bottom of the screen will display DeployGate’s information, which is required for the IdP’s settings. Please configure the IdP settings with this information to complete the process.

SettingsDescription
ACS URLThe ACS (Access Control) URL provided by DeployGate.
SLO URLUnique ID that identifies DeployGate as an SP entity. This is equivalent to the download URL of DeployGate’s SP metadata file (XML).
SLO URLThe URL required to process logouts when using SP-initiated SLO or IdP-initiated SLO.
RelayStateThe value for IdP-initiated authentication. If this is not specified on the IdP side, only SP-initiated authentication will function.
SP-initiated SSO URLDeployGate’s dedicated login URL for the Enterprise.
Required AttributesThe names and values of the attributes required for authentication between the IdP and DeployGate. These attributes are required. If they are not provided, we do not guarantee any functionality and cannot provide support for operational issues.
DeployGate LogoDeployGate’s logo image. You can use this logo when registering DeployGate as an SAML app with the IdP.
NameID in IdP-initiated SAML authentication

Please select urn:oasis:names:tc:SAML:2.0:nameid-format:persistent. It will not function properly with other formats.

Additional Attributes (claims)

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress URI is also available instead of email attribute.

Other Information

Please use the logo image as an icon in the IdP settings. The SP-initiated SSO URL is the URL of the page where members log in. Please share it with members as needed.

After configuring the IdP, clicking on “Enable SAML authentication” will redirect you to the IdP login screen. If the login is successful, you should be redirected to DeployGate. If you see a message that states the authentication was successful, the SAML authentication process is completed.

ScreenShot of Google Workspace

Transition period after enabling SAML authentication

The 14 days after enabling SAML authentication is a transition period, and passwords can also be used to log in during this time. However, even during this transition period, SAML SSO will take precedence for users who have enabled SAML integration for their account, and their passwords will be disabled.

Dedicated Enterprise Login Page

After enabling SAML authentication, an Enterprise will have a dedicated login page to log in to DeployGate. Please use the “SP-initiated SSO URL,” which is displayed during the SAML setup process on the DeployGate Settings page.

In most cases, the URL will be https: /deploygate.com/saml/login/[enterprise name].

ScreenShot of Google Workspace

Emergency Use: Password authenticated logins for accounts with Administrator privileges

When an Enterprise enables SAML authentication, the login authentication method will switch to SSO authentication via IdP for all Enterprise users. Logging in with a username and password will no longer be possible. However, as an exception, accounts with administrator privileges will retain the ability to log in with usernames and passwords even after enabling SAML authentication. This is to ensure that key personnel can address idP connectivity errors, configuration problems, or other issues that may require immediate attention. As such, please be mindful of managing administrator accounts. Only grant administrator privileges to necessary personnel and ensure that passwords are properly managed and protected.

This feature allows for a non-SSO authenticated login method for emergencies, such as during IdP connection failures

Only use password logins in an emergency. For all other times, use SSO authentication with the IdP. Also, please ensure that administrator accounts have strong passwords.

Changing the password for an administrator account

Enterprises with SAML authentication enabled will have all password settings and functionality disabled. To change the password of an account with administrator privileges, you must first log out. Then, use the password reset feature to update the password.

Depending on the circumstances in which SAML was enabled, it may not be possible to perform a password reset through conventional means. This can happen if an account becomes a dedicated Enterprise account. If this is the case, you will see an error message that asks you to contact user support. We apologize for the inconvenience, but please contact user support for assistance.