Access Birdie using your Identity Provider (Okta, Microsoft Azure, Google Workspace, etc.)
Prerequisites for SSO with Birdie:
- Your company’s identity provider (IdP) must support the SAML 2.0 standard.
- You must have admin permission on the IdP.
- You must be an admin of the Birdie organization you want to set SAML up on.
SAML-based Single Sign-On (SSO) gives members access to Birdie through an identity provider (IdP) of your choice.
Once you have configured SSO on your IdP, you can enter metadata. If the setup is successful, administrators will see a confirmation dialog and the URL of the SSO login for end-users will be displayed.
Please note that Birdie does not send announcement emails when the setup is complete. It is the responsibility of the administrator to notify company employees and provide them with the login URL so they can access Birdie via SSO.
Enable SAML-based SSO
You'll need the following from your IdP metadata to register a SAML provider:
- A label – this can be anything, it'll be displayed on the login page
- A domain name
- An entity ID
- A Single Sign On URL
- An X.509 certificate – make sure you copy and paste the whole certificate!
To set up Birdie as a service provider, most SAML 2.0 compliant identity providers require specific information. This information is unique to your Birdie account and can be found in Settings -> Security.
Most of these values can be copied directly into your IdP to complete configuration of SAML.
Birdie requires that the NameID contain the user’s email address. Technically, we are looking for urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress as the Name-ID format; many providers (such as Google) will allow you to set a format such as EMAIL.
Birdie will pull the following custom attributes from the SAML assertion and use them when creating the user.
To add members, create accounts for them in your IdP. The first time a new member logs in to Birdie via the IdP, a Birdie account will be automatically created for them through IdP provisioning.
Set-up requires lowercase email addresses. Do not use mixed-case email addresses.
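As an added illustration (not Birdie's own code), the check below parses a constructed SAML response and flags the things this page says Birdie depends on: the assertion's Issuer matching the IdP entity ID you registered, the NameID using the emailAddress format, and the email being lowercase. The issuer URL and the displayName attribute are assumptions; signature verification against the IdP's X.509 certificate is assumed to happen before this step.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# NameID format Birdie expects (see above).
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample response with a mixed-case NameID on purpose. It is
# unsigned; a real SP first verifies the XML signature with the IdP's X.509 cert.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">Jane.Doe@example.com</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="displayName"><saml:AttributeValue>Jane Doe</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def check_assertion(xml_text, expected_issuer):
    """Return (problems, email, attributes); an empty problems list means the
    subject maps cleanly onto a Birdie account."""
    problems = []
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if assertion is None:
        return ["no Assertion element"], None, {}
    # Issuer must be the IdP entity ID registered in Birdie (assumed URL here).
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != expected_issuer:
        problems.append(f"issuer {issuer!r} != registered entity ID")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        return problems + ["no NameID"], None, {}
    if name_id.get("Format") != EMAIL_FORMAT:
        problems.append(f"NameID format {name_id.get('Format')!r} is not emailAddress")
    email = (name_id.text or "").strip()
    if "@" not in email:
        problems.append("NameID is not an email address")
    if email != email.lower():
        problems.append("email is not lowercase")  # Birdie set-up requires lowercase
    # Attributes released with the NameID, keyed by Name (names here are constructed).
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", default="", namespaces=NS)
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return problems, email, attrs
```

Running it on the sample reports only the mixed-case email; lowercasing the NameID in the IdP clears the report.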
When you remove a member from the Identity Provider (IdP), they will no longer be able to sign in to their corresponding Birdie account. However, this action will not delete the account from Birdie. To prevent further cookie-based access, we recommend that you manually remove the account from the member list in your Birdie Team settings page.
For security reasons, users who signed up for Birdie before the SSO was set up will need to log in using SSO.