Manually managing dozens of users across tools and platforms is a hell of a job. This is when single sign-on (SSO) steps in by centralizing access management.

Single sign-on via Google and Microsoft accounts with the ability to enable and disable authentication methods is available to all customers.

In addition, our Company plan includes SAML SSO, which makes it possible to connect Fibery to Okta, Azure, OneLogin, or a custom identity provider (IDP), and provides a SCIM endpoint to handle automatic user provisioning and deprovisioning.

Configuring Fibery

  1. Navigate to Workspace Settings in the top left menu.

  2. Enable SAML SSO authentication method.

  3. Paste the URL and the certificate provided by the IDP (e.g. Okta).

  4. (optional) Enable just-in-time provisioning to create Users in Fibery automatically on sign-in instead of inviting them manually in advance.

Enable SAML SSO in the Workspace settings

Feel free to disable all the alternative authentication methods for extra security.

Signing in

Once you enable and configure SAML SSO, a new button appears on your Workspace login page:

SSO button on the login page

Once a user clicks this button, they are redirected to the IDP login before continuing to their Workspace.

The global login page doesn't know anything about the IDP of your particular Workspace, so please navigate directly to your.fibery.io to sign in with SSO.

Configuring Okta

Step 1. Create a new Okta app:

  1. Navigate to Applications.

  2. Click on Create App Integration.

  3. Pick SAML 2.0 as sign-in method, click Next.

Step 2. Make it a Fibery app.

  1. Name the App Fibery or Fibery (Workspace Name) if your organization has multiple Workspaces.

  2. Upload the logo.

Step 3. Configure SAML basics.

  1. Put https://YOUR_WORKSPACE.fibery.io/login/sso/saml2 in both Single sign on URL and Audience URI (you can copy this URL in the Workspace Settings in Fibery).

  2. Leave Default RelayState blank.

  3. Pick EmailAddress as Name ID format.

  4. Pick Email as Application username.

  5. Leave the last option as Create and update.

Step 4. Configure optional SAML attributes to set Users' names (not just emails) via JIT provisioning.

  1. firstName (Basic) = user.firstName

  2. lastName (Basic) = user.lastName

  3. Go to the next step.

Step 5. Provide feedback (if you'd like to) and finish Okta app creation.

  1. Pick I'm an Okta customer adding an internal app.

  2. (optional) Provide feedback to Okta and finish the setup.

Step 6. Grab the URL and the certificate and paste them into Fibery.

  1. View Setup Instructions for SAML 2.0.

  2. Copy first the URL (1) and then the certificate (3).

  3. Paste them into Fibery SAML SSO configuration.

Configuring another identity provider

If you use another IDP and their guide is of no help, please reach us via Intercom — we'll make it work together. Once we do, a new section will appear in this guide :)

SCIM endpoint

Fibery provides a SCIM endpoint that SSO providers can use to update users' status, i.e. add new users to a workspace or deactivate existing ones.

Step 1. Make sure JIT provisioning is disabled in the Workspace settings in Fibery as SCIM handles the same thing but provides automatic de-provisioning as well.

The rest of the configuration is done on Okta's side.

Step 2. Navigate to the existing app.

Step 3. Edit it, enable SCIM provisioning, and save changes.

Step 4. Open the Provisioning tab and fill out details:

SCIM connector base URL: https://<your-account-name>.fibery.io/api/scim/v2 (URL is also available in Workspace Settings in Fibery)

Unique identifier field for users: email

Supported provisioning actions: check Import New Users and Profile Updates, Push New Users, Push Profile Updates

Authentication Mode: HTTP Header

Authorization: Provide your API token. Note that you need to be an admin in the workspace.

Please note that the integration is set up on behalf of a specific user. As a safety precaution, Fibery will not deactivate this user in response to a SCIM request, so that the API token stays valid. If this user needs to be deactivated, be sure to update the API token first.

Save changes.

Step 5. Navigate to the To App section in the left menu, enable the Create Users and Deactivate Users options, and save changes.

Now all users who are assigned to the application in Okta will be automatically created in Fibery and all users deactivated or unassigned in Okta will also be deactivated in Fibery.

Step 6 (optional). Sync assignments between Fibery and Okta

This step can be safely skipped if your workspace doesn't have other users yet.

But if existing users in Fibery were already assigned in Okta before SCIM was set up, you need to run the Import now command on the Import tab in Okta to "match" them between the systems so that future deactivations are handled correctly.

In this scenario, Fibery serves as the source of truth for assignments. That means that if some assignments are present in Okta but not in Fibery, they will be automatically removed from the app in Okta. And if Fibery has more assignments, there will be a prompt to create new assignments in Okta. Matching assignments will be "linked" automatically during import.
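To check that provisioning and deprovisioning ended up in the state described above, you can reconcile the workspace's user list against the IDP assignments, keyed on email. The following is an added example, not Fibery's or Okta's own code. It assumes the user list has the standard SCIM 2.0 ListResponse shape; the `reconcile` helper and all sample data are constructed for illustration.

```python
import json

# Constructed sample: a SCIM 2.0 ListResponse (RFC 7644) as a GET .../Users call
# would return it. Field names follow the standard; Fibery's exact payload may differ.
SCIM_LIST_RESPONSE = json.loads("""
{
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
  "totalResults": 4,
  "Resources": [
    {"id": "1", "userName": "alice@example.com", "active": true},
    {"id": "2", "userName": "Bob@example.com", "active": true},
    {"id": "3", "userName": "carol@example.com", "active": false},
    {"id": "4", "userName": "scim-admin@example.com", "active": true}
  ]
}
""")

# Constructed sample: emails currently assigned to the Fibery app in the IDP.
IDP_ASSIGNED = ["alice@example.com", "carol@example.com", "dave@example.com"]


def reconcile(scim_response, idp_assigned, token_owner):
    """Compare workspace accounts with IDP assignments, keyed on email."""
    assigned = {e.strip().lower() for e in idp_assigned}
    owner = token_owner.strip().lower()
    active, known = set(), set()
    for user in scim_response.get("Resources", []):
        email = user["userName"].strip().lower()
        known.add(email)
        if user.get("active", False):
            active.add(email)
    return {
        # Still active in the workspace although no longer assigned in the IDP.
        "orphaned_active": sorted(active - assigned - {owner}),
        # Assigned in the IDP but never created in the workspace.
        "missing": sorted(assigned - known),
        # Assigned in the IDP but deactivated in the workspace.
        "inactive_but_assigned": sorted((assigned & known) - active),
        # The token owner is exempt from SCIM deactivation, so review it by hand.
        "token_owner_unassigned": owner in active and owner not in assigned,
    }


if __name__ == "__main__":
    report = reconcile(SCIM_LIST_RESPONSE, IDP_ASSIGNED, "scim-admin@example.com")
    print(json.dumps(report, indent=2))
```

The token owner is reported separately because SCIM will never deactivate that account, so an offboarded integration owner has to be caught by review rather than by provisioning.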

Troubleshooting

Things fail sometimes. If this happens to the SCIM endpoint, Okta stores the actions to be performed on the Dashboard -> Tasks page.
