Manually managing dozens of users across tools and platforms is a hell of a job. This is when single sign-on (SSO) steps in by centralizing access management.
Single sign-on via Google and Microsoft accounts with the ability to enable and disable authentication methods is available to all customers.
In addition, our Pro plan includes SAML SSO, which makes it possible to connect Fibery to Okta, Azure, OneLogin, or a custom identity provider (IDP), and provides a SCIM endpoint to handle automatic user provisioning and deprovisioning.
Workspace Settings in the top left menu.
SAML SSO authentication method.
Paste the URL and the certificate provided by the IDP (e.g. Okta).
(optional) Enable just-in-time provisioning to create Users in Fibery automatically on sign-in instead of inviting them manually in advance.
Feel free to disable all the alternative authentication methods for extra security.
Once you enable and configure SAML SSO, a new button appears on your Workspace login page:
Once a user clicks this button, they are redirected to the IDP login before continuing to their Workspace.
The global login page doesn't know anything about the IDP of your particular Workspace, so please navigate directly to your.fibery.io to sign in with SSO.
Step 1. Create a new Okta app:
Create App Integration.
SAML 2.0 as sign-in method, click
Step 2. Make it a Fibery app.
Name the App Fibery (Workspace Name) if your organization has multiple Workspaces.
Upload the logo.
Step 3. Configure SAML basics.
Single sign on URL and Audience URI (you can copy this URL in the Workspace Settings in Fibery).
Name ID format
Leave the last option as Create and update
Step 4. Configure optional SAML attributes to set Users' names (not just emails) via JIT provisioning.
Go to the next step.
Step 5. Provide feedback (if you'd like to) and finish Okta app creation.
I'm an Okta customer adding an internal app.
(optional) Provide feedback to Okta and finish the setup.
Step 6. Grab the URL and the certificate and paste them into Fibery.
View Setup Instructions for SAML 2.0.
Copy first the URL (1) and then the certificate (3).
Paste them into Fibery SAML SSO configuration.
Configuring another identity provider
If you use another IDP and their guide is of no help, please reach us via Intercom — we'll make it work together. Once we do, a new section will appear in this guide :)
Fibery provides a SCIM endpoint that SSO providers can use to update users' status, i.e. add new users to a workspace or deactivate existing ones.
Step 1. Make sure JIT provisioning is disabled in the Workspace settings in Fibery, as SCIM handles the same thing but provides automatic de-provisioning as well.
The rest of the configuration is done on Okta's side.
Step 2. Navigate to the existing app
Step 3. Edit it and enable SCIM provisioning, save changes:
Step 4. Open the Provisioning tab and fill out details:
SCIM connector base URL: https://<your-account-name>.fibery.io/api/scim/v2 (URL is also available in Workspace Settings in Fibery)
Unique identifier field for users:
Supported provisioning actions: check Import New Users and Profile Updates, Push New Users, Push Profile Updates
Authorization: provide your API token. Note that you need to be an admin in the workspace.
Please note that the integration is set up on behalf of a specific user. As a safety precaution, Fibery will not deactivate this user based on a SCIM request, so that the API token stays valid. If this user needs to be deactivated, be sure to update the API token first.
Step 5. Navigate to the To App section in the left menu, enable the Create Users and Deactivate Users options, and save changes.
Now all users who are assigned to the application in Okta will be automatically created in Fibery and all users deactivated or unassigned in Okta will also be deactivated in Fibery.
Step 6 (optional). Sync assignments between Fibery and Okta
This step can be safely skipped if your workspace doesn't have other users yet.
But if there are existing users in Fibery who were also assigned in Okta before SCIM was set up, you need to run the Import now command on the Import tab in Okta to "match" them between systems, so that future deactivations are handled correctly.
In this scenario, Fibery serves as the source of truth for assignments. That means that if some assignments were present in Okta but not in Fibery, they will be automatically removed from the app in Okta. And if Fibery has more assignments, there will be a prompt to create new assignments in Okta. Matching assignments will be "linked" automatically during import.
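A dry run of the Step 6 matching and of the API token owner caveat from Step 4, as an added example (not Fibery or Okta code). It assumes users are matched by case-insensitive email address, and the function names and sample addresses are constructed for illustration.

```python
# Added example (not Fibery or Okta code): dry run of the Step 6 import.
# Assumption: users are matched by case-insensitive email address.

def _norm(emails):
    """Lower-case and trim so 'Ann@Example.com ' matches 'ann@example.com'."""
    return {e.strip().lower() for e in emails if e and e.strip()}


def preview_import(okta_assigned, fibery_users):
    """Predict what "Import now" does when Fibery is the source of truth."""
    okta, fibery = _norm(okta_assigned), _norm(fibery_users)
    return {
        "linked": sorted(okta & fibery),            # present in both: matched
        "removed_in_okta": sorted(okta - fibery),   # Okta-only: assignment removed
        "prompt_to_assign": sorted(fibery - okta),  # Fibery-only: Okta prompts to assign
    }


def plan_deactivations(unassigned_in_okta, fibery_users, token_owner):
    """Split planned Okta unassignments into those SCIM will deactivate in
    Fibery and the one it will not: the user whose API token backs SCIM."""
    fibery = _norm(fibery_users)
    owner = token_owner.strip().lower()
    targets = _norm(unassigned_in_okta) & fibery  # only existing Fibery users matter
    return {
        "deactivated": sorted(targets - {owner}),
        "needs_token_rotation_first": sorted(targets & {owner}),
    }


if __name__ == "__main__":
    # Constructed sample data, not real accounts.
    okta = ["Ann@Example.com", "bob@example.com", "carol@example.com"]
    fibery = ["ann@example.com", "bob@example.com ", "dave@example.com"]
    print(preview_import(okta, fibery))
    print(plan_deactivations(["BOB@example.com", "ann@example.com"], fibery,
                             token_owner="ann@example.com"))
```

Anything listed under removed_in_okta is worth reviewing before running Import now, and anything under needs_token_rotation_first stays active in Fibery until the API token is updated.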
Things fail sometimes and if this happens to SCIM endpoint then Okta stores actions to be performed on the