Beekeeper offers SAML-based single sign-on (SSO), which allows users to authenticate through your identity provider (IdP).
You can customise your SSO settings in the admin dashboard under Settings > General > Single Sign-On. There, you can determine which login methods are available for your users, change the text shown on your SSO login button, and configure your IdP’s SAML metadata.
Under ‘Enable Single Sign-On’, you can choose from the following authentication methods for your Beekeeper app:
- Disabled: this disables SSO, and allows only password-based login (using username, email or mobile number, and a Beekeeper password)
- SAML Single Sign-On: this allows only SSO-based login
- SAML Single Sign-On and Password based login: this allows a combination of SSO and password-based login (a useful option if not every user has access to your IdP)
Beekeeper Service Provider details
The details for Beekeeper as a SAML Service Provider are given below.
- ACS URL: https://your_company.beekeeper.io/saml/sso
- Entity ID: https://your_company.beekeeper.io/saml/sso/metadata.xml
- Name ID Format: Persistent
You can find the metadata for your Beekeeper app as a link in the admin dashboard, under Settings > General > Single Sign-On (the URL is the same as the Entity ID given above).
SSO and user synchronisation
One thing to note is that SSO is not user synchronisation. If a user successfully authenticates through SSO but does not yet have a Beekeeper account, one will be provisioned for them, automatically populated with values from the IdP.
You would still need to set up a user synchronisation method to keep your user data up to date. With SSO, user information is only checked upon login, which means that if you delete or suspend a user in your IdP, they will still have access to the app until they log out.
If you want to restrict access to Beekeeper and only allow a certain group of users to log in, you can do so within your IdP configuration.
I can’t see the SSO option in the admin dashboard: Please contact firstname.lastname@example.org or your Customer Success Manager to have the SSO feature enabled for your Beekeeper app.
I already have a Beekeeper account, but a new one is created when I log in with SSO: If you log in with SSO and find yourself with a different user profile, it is likely that the NameId configured in the IdP does not match your Beekeeper User-Id. Update the user IDs of all your existing users to match the NameId values that will be sent from the IdP before activating SSO.
I'm getting 400: Bad Request errors when syncing. What can I do? If you have previously generated a SAML Signing Certificate and since changed your mappings, it may be out of date and you should regenerate it (particularly if you are using Azure AD). Remember to refresh the metadata configured in the admin dashboard after creating a new certificate.
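The NameId mismatch described above can be caught before SSO is activated by comparing an export of existing Beekeeper user IDs with the NameId values your IdP will send. The script below is an added example, not Beekeeper code: the CSV column names, the sample rows, the use of email as the join key, and the assumption that IDs are compared as exact strings are all illustrative.

```python
import csv
import io

# Constructed sample exports; the column names are assumptions, not a Beekeeper or IdP format.
BEEKEEPER_EXPORT = """user_id,email
a1f3,anna@example.com
B7C2,ben@example.com
c9d4,cara@example.com
e2b8,eli@example.com
"""
IDP_EXPORT = """name_id,email
a1f3,anna@example.com
b7c2,ben@example.com
77e0,cara@example.com
f5a6,dev@example.com
"""

def load(text, id_col):
    """Map normalised email -> ID exactly as exported (no trimming or case folding)."""
    rows = csv.DictReader(io.StringIO(text))
    return {row["email"].strip().lower(): row[id_col] for row in rows}

def reconcile(beekeeper_csv, idp_csv):
    """Predict what the first SSO login will do for each user."""
    bk = load(beekeeper_csv, "user_id")
    idp = load(idp_csv, "name_id")
    report = {"match": [], "near_miss": [], "mismatch": [],
              "new_account": [], "no_idp_identity": []}
    for email, name_id in idp.items():
        if email not in bk:
            # No existing account: one is provisioned at first SSO login.
            report["new_account"].append(email)
        elif bk[email] == name_id:
            report["match"].append(email)
        elif bk[email].strip().lower() == name_id.strip().lower():
            # Differs only by case or whitespace; treated as a mismatch under
            # the exact-comparison assumption, but worth fixing first.
            report["near_miss"].append(email)
        else:
            # Existing account with a different ID: SSO login yields a second profile.
            report["mismatch"].append(email)
    # Accounts the IdP does not know about can only use password-based login.
    report["no_idp_identity"] = [e for e in bk if e not in idp]
    return report

if __name__ == "__main__":
    for bucket, emails in reconcile(BEEKEEPER_EXPORT, IDP_EXPORT).items():
        print(f"{bucket}: {emails}")
```

Users in near_miss or mismatch need their Beekeeper user ID updated before SSO is switched on; a non-empty no_idp_identity list is a reason to choose the combined SSO and password-based login option rather than SSO only.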