Configure SAML single sign-on

Gives users access to 1Password SaaS Manager via your identity provider (IdP), such as Google Workspace or Okta.


This feature is included in the Enterprise plan.

SAML-based Single Sign-On (SSO) gives users access to SaaS Manager via your identity provider (IdP).

SAML-based SSO is ideal if you want everyone in your organization to be able to log in to SaaS Manager and you do not want to create user accounts manually. When a new user attempts to log in to SaaS Manager, a SaaS Manager user account is created for them automatically, provided they have an account in your IdP. This is useful if you're using the App catalog to allow users to browse and get access to approved apps, or if you're using the browser extension to collect app usage data.

When SSO is enabled, users in your organization log in to SaaS Manager using the identity provider interface familiar to them, instead of the SaaS Manager login page. When a user tries to access SaaS Manager, they are automatically redirected to your IdP's login page. After they have authenticated, they are redirected to SaaS Manager. When users log in via SSO, authentication security is shifted to your IdP and coordinated with your other service providers.

SaaS Manager supports SAML-based SSO for all IdPs. Instructions on setting up the most common ones are provided in the next sections.

SAML-based SSO should not be used in conjunction with user requests.

Prerequisites for SSO with SaaS Manager

  • Your company’s IdP must support the SAML 2.0 standard.
  • You must have administrator access to your IdP.

Setup for each IdP

Follow the specific steps for your IdP:

Change the default user role

The first time that an individual logs in to SaaS Manager using SAML-based SSO, a user account is created for them with the default user role. By default, this is the App catalog role, but you can select a different default role from Settings > Users > Default role.

For more information about the permissions associated with each role, see User roles.

To change a user's role after their account has been created, open the People directory, select the individual, and select Edit SaaS Manager access from the menu.

Enable other login options

When SAML-based SSO is enabled, new users must enroll in SaaS Manager via your IdP. If you need to grant access to someone who does not have an account in your IdP, such as an external contractor or auditor, you will need to add them to SaaS Manager manually and enable alternative login methods so that they can log in with an email address and password and/or SSO via OpenID Connect ("social login").

To enable alternative login options:

  1. Navigate to Settings > Users to open the Users Settings page.
  2. Under Single Sign-On expand SAML options.
    • To allow users to log in with their email address and password, select Allow password login.
    • To allow users to log in with an existing Google or Microsoft account, select Allow OpenID Connect.
  3. Click Apply changes.

When manually added users use the invitation link in the email notification, they are redirected to the SaaS Manager login page with the relevant options enabled.

When alternative login options are enabled, users who have created an account via SAML-based SSO can enable these options from their profile page and use them to log in instead of using SAML-based SSO via your IdP.

Turn off automatic provisioning

SAML-based SSO is designed for auto-enrolling users in SaaS Manager. If you want to prevent new users from creating accounts and gaining access, you can turn off automatic provisioning.

To turn off automatic provisioning:

  1. Open the Users Settings page.
  2. Under Single Sign-On expand SAML providers.
  3. In the table of SAML providers, click the menu icon for the relevant provider and select Edit. The Edit SAML Identity Provider dialog is displayed.
  4. Clear Automatically provision users.
  5. Click Save. The SAML settings are updated.

Existing SaaS Manager users will be able to log in via your IdP, but new users will not be able to create accounts in SaaS Manager. To create new users, either re-enable automatic provisioning or add users manually.

Remove SAML users

Removing a user account from the IdP will revoke that user's access to SaaS Manager, but will not remove the user account from SaaS Manager. As part of your user offboarding process, we recommend that you delete the user account from SaaS Manager as well. For more information, see Removing users.
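
An added example, not part of the SaaS Manager documentation or product: a Python check for the offboarding step above that lists SaaS Manager accounts with no active IdP user and puts those with a password or OpenID Connect login enabled first. The two CSV exports, their column names, the "active" status value, and the allowlist of manually added external users are assumptions constructed for illustration.

```python
import csv
import io

# Constructed sample exports; the column names are assumptions, not a documented format.
IDP_EXPORT = """email,status
alice@example.com,active
Bob@Example.com,active
carol@example.com,suspended
"""

SAAS_MANAGER_EXPORT = """email,role,login_methods
alice@example.com,Admin,saml
bob@example.com,App catalog,saml
carol@example.com,App catalog,saml;password
dave@example.com,App catalog,saml
auditor@partner.example,App catalog,password
"""

# Manually added externals (contractors, auditors) expected to have no IdP account.
EXPECTED_EXTERNAL = {"auditor@partner.example"}


def _norm(email):
    return email.strip().lower()


def active_idp_emails(idp_csv):
    """Emails of IdP accounts that can still authenticate (assumed status 'active')."""
    rows = csv.DictReader(io.StringIO(idp_csv))
    return {_norm(r["email"]) for r in rows if r["status"].strip().lower() == "active"}


def find_leftover_accounts(idp_csv, saas_csv, expected_external=frozenset()):
    """Return SaaS Manager accounts with no active IdP user, non-SAML logins first."""
    active = active_idp_emails(idp_csv)
    allowed = {_norm(e) for e in expected_external}
    leftovers = []
    for row in csv.DictReader(io.StringIO(saas_csv)):
        email = _norm(row["email"])
        if email in active or email in allowed:
            continue
        methods = {m.strip().lower() for m in row["login_methods"].split(";") if m.strip()}
        leftovers.append({
            "email": email,
            "role": row["role"],
            "non_saml_logins": sorted(methods - {"saml"}),
        })
    # Accounts with a password or OpenID Connect login sort ahead of SAML-only ones.
    return sorted(leftovers, key=lambda a: (not a["non_saml_logins"], a["email"]))
```

Calling `find_leftover_accounts(IDP_EXPORT, SAAS_MANAGER_EXPORT, EXPECTED_EXTERNAL)` on the sample data returns the accounts for carol and dave, with carol first because a password login is enabled on that account.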
