Setting up SAML SSO

A guide for system administrators to configure and enable SAML-based SSO for their teams.

Who can use this feature? SSO is available on Enterprise plans. You will need Administrator access to your company's IdP platform (Active Directory, Okta or similar).

Single Sign On (SSO) allows users to log into many applications or websites using an identity provider. Security Assertion Markup Language (SAML) is a security standard for managing authentication and access.

In a SAML SSO set-up, the identity provider manages the organisation's user accounts and credentials. The service provider (Aphex) is the app or website that provides services to the user or organisation.

When using SAML SSO, members are required to log in to their Aphex account using the organisation's identity provider.

How SAML SSO works:

  1. Member attempts to log in to Aphex with an email at a registered SAML SSO domain

  2. Aphex enforces login via SAML SSO

  3. Aphex sends a SAML request to the identity provider

  4. The identity provider checks this member's credentials

  5. The identity provider sends a response to Aphex to verify the member's identity

  6. Aphex accepts the response and logs the member into their Aphex account

  7. If the user is new, they will be provisioned in

Note: Aphex uses SAML 2.0 for all SAML SSO configurations. This includes configurations with supported identity providers and any custom configurations.

Like most software services, Aphex uses the email address as the unique identifier of a user.

Set up SAML SSO

The process for configuring SAML will depend on your specific identity provider. We've outlined the general process for implementing SAML SSO below.

SAML SSO only applies to users from the organisation's registered domains. Other users (from other domains) accessing the organisation's data in Aphex can continue to log in via other methods such as email + password or Sign in with Microsoft.

1. Confirm domains

Domains are the way we identify entities on the internet. They let Aphex know which authentication methods to allow or enforce for users.

Organisations typically have a single domain; however, we do support more than one domain, including subdomains.

For example: ACME Corp has three domains registered to their organisation: acme.org, acme-tesla-jv.com, and acjv.com.

Anyone with an acme.org, acme-tesla-jv.com, or acjv.com email address will be subject to the enforced SSO rules.

If you plan on using SAML SSO, you may want to consider sub-brands and joint ventures that your company controls. Be aware that email aliases will not work with SAML SSO.

2. Request SSO to be enabled on your domains

Contact your Account Manager or Customer Success Manager to request the SAML SSO setup for your domains.

Once approved, you will be provided with:

  • Service Provider Entity ID

  • Authentication Service URL or Endpoint

  • Sign-on URL

  • Redirect URL

  • Logout URL

In the first instance, you will be provided with a set of testing credentials, which can later be swapped for production credentials.

3. Add Aphex to your identity provider

Within your company's identity provider, create or register a new enterprise application for Aphex. As you set up SAML SSO for the application, you will need to enter the information provided in the prior step.

When you add Aphex to your identity provider, it will provide you with:

  • Identifier (for example: Microsoft Entra ID Identifier)

  • Login URL

  • Logout URL (optional)

  • Certificate (in Base64, Raw or XML format)

Azure AD (Entra) customers can choose to simply provide their App Federation Metadata URL in lieu of the above.

You will need to save these and return them securely to your Aphex Account Manager or Customer Success Manager.

Certain services allow you to customise the logo of your enterprise application. If so, you can use the Aphex logo for it.

4. Assign selected user or group in IdP

Now that you have created the enterprise application, you need to assign your users/user groups to it.

  1. Under the Getting started section, select Assign users and groups.

  2. Select the Add user/group button.

  3. Under Users, select the None Selected link.

  4. In the search field, enter the user or group of users that you want to assign to the enterprise application.

  5. Select the check box next to the user or group that you want to assign.

  6. Select the Select button at the bottom of the page.

  7. Select the Assign button at the bottom of the page.

5. Configure Custom Claims

Aphex will expect three specific properties as part of the SAML SSO configuration. You can add these as custom claims in your IdP:

  • firstName: The user's first name (for example, this is mapped to user.givenname in Microsoft Entra)

  • lastName: The user's last name (for example, this is mapped to user.surname in Microsoft Entra)

  • mail: The user's unique, primary email address (for example, this is mapped to user.userprincipalname in Microsoft Entra)
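To make the claim requirements concrete, here is an added Python example (not Aphex's code) that pulls the three attributes out of a constructed SAML 2.0 response and checks them against the registered-domain list from step 1; the Issuer value, tenant placeholder and user values are constructed, and signature verification is left out here and must be done against the IdP certificate from step 3 before any attribute is trusted.

```python
import xml.etree.ElementTree as ET

# Namespaces used by SAML 2.0 responses and assertions.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# The three custom claims this article says Aphex expects.
REQUIRED_CLAIMS = ("firstName", "lastName", "mail")

# Domains from the article's ACME Corp example (step 1).
REGISTERED_DOMAINS = {"acme.org", "acme-tesla-jv.com", "acjv.com"}

# Constructed sample response, not captured from a real IdP. The Signature
# element is omitted; a real service provider must verify it against the
# IdP certificate before reading any attribute below.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Issuer>https://sts.windows.net/EXAMPLE-TENANT-ID/</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://sts.windows.net/EXAMPLE-TENANT-ID/</saml:Issuer>
    <saml:AttributeStatement>
      <saml:Attribute Name="firstName"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="lastName"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="mail"><saml:AttributeValue>ada@acme.org</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def extract_claims(response_xml):
    """Return {attribute name: first value} from the assertion's AttributeStatement."""
    root = ET.fromstring(response_xml)
    claims = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        if value is not None and value.text:
            claims[attr.get("Name")] = value.text.strip()
    return claims


def check_claims(claims, registered_domains=REGISTERED_DOMAINS):
    """Return a list of problems; an empty list means the claims are acceptable."""
    problems = [f"missing claim: {c}" for c in REQUIRED_CLAIMS if not claims.get(c)]
    mail = claims.get("mail", "")
    # Exact match on the part after the last '@': only registered domains are
    # subject to SSO, and aliases on other domains are not accepted.
    domain = mail.rsplit("@", 1)[-1].lower() if "@" in mail else ""
    if mail and domain not in registered_domains:
        problems.append(f"mail domain not registered for SSO: {domain}")
    return problems
```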

6. Test Connection

Once configured, the connection can be tested in a development environment with your Aphex Account Manager or Customer Success Manager.

7. Request Production Deployment

Once tested, your Aphex Account Manager or Customer Success Manager can deploy your SAML SSO configuration.

The next time users from your domains attempt to access Aphex, they will be required to log in again and the use of SAML SSO will be enforced (meaning they will no longer be able to use their prior authentication methods).
