User-Managed SAML

Setting up SAML SSO


SSO is only supported for PRO licenses

Epsilon3 Managed Configuration


There is a small amount of pre-setup that needs to be completed by Epsilon3 to map your domain. Before you get started, reach out to Support@Epsilon3.io with the domain(s) your organization will need to log in with.

If you do not have a domain set up on our end, you will see this message:

NOTE: A single organization can have multiple domains mapped, and a single domain may also be shared across multiple organizations.

User Managed Configuration


Creating a new IDP

The IDP team will need the Issuer (also called the EntityID) and the ACS URL (sometimes also called the callback URL). These will default to the same value.

Navigate to the Organization Settings screen by clicking the Workspace name in the top left corner and selecting the gear icon.

Click into the SAML section. Once there is a mapped domain, the SAML configuration screen will look like this:

Click Add SAML Configuration.

  1. Verify available domains. Contact support to update what is available.

  2. Name: User-facing description of this IDP. The admin should refer to this the same way they refer to their IDP internally (OKTA, Azure, etc.). If you have multiple IDPs, the names should help users distinguish which one they want.

  3. Description: Only displayed on this screen. Can be used for admins to store more information about the IDP.

  4. Domains: This determines which domains an IDP works for. It should have at least one selected. In most cases only one domain, or all domains, will be selected; the selection only differs when an org has multiple domains with a different IDP for each. This defaults to all assigned domains. If you add a new domain after this has been configured, the admin will need to update this config.

  5. Entry Point URL: The IDP provides this. This is where we send users to sign in.

  6. Metadata URL: It may be useful to store this, but it is not required.

  7. Issuer: We will auto-generate one. Some IDPs require us to set a specific value. This is also sometimes referred to as the “EntityID”.

  8. Sign Out URL: Some customers have a security requirement that when they sign out of our system, we redirect them somewhere specific. This is not required.

  9. Certificate: This is provided by the IDP. This is how we know to trust messages from the IDP. Multiple certs may be added, which allows the IDP to change certs without users facing downtime. These should be in PEM format, which is text-based. Paste the cert in the field and hit Add. If it is valid, information about the cert will be displayed. If the cert is invalid, you will see an error and be able to remove it.

  10. Force Authentication: By default, when a user is sent to their IDP and is already logged in there, they will be sent right back to us and signed in. If this box is checked, when we send the user to the IDP we include a special flag that is supposed to require the IDP to challenge the user (re-prompt them for their password) before sending them back to us.

  11. Create Configuration

The new IDP will be displayed on the SAML page.
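To make the form rules above concrete, here is an added example (not Epsilon3's code; the domain, issuer, ACS URL and certificate are constructed placeholders) that checks a configuration the way the form does (steps 4, 5 and 9) and builds the SAML AuthnRequest that step 10's Force Authentication flag is carried in:

```python
import base64, re, uuid
from datetime import datetime, timezone
from xml.sax.saxutils import escape, quoteattr

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

def check_pem_certificate(pem: str) -> bool:
    """PEM armour present and body decodes to a DER SEQUENCE; real code then parses X.509."""
    m = PEM_RE.search(pem)
    if not m:
        return False
    try:
        der = base64.b64decode("".join(m.group(1).split()), validate=True)
    except ValueError:
        return False
    return len(der) > 2 and der[0] == 0x30

def validate_config(cfg: dict, available_domains: set) -> list:
    """Rules from the form above (steps 4, 5, 9); returns problems found, empty if OK."""
    problems = []
    domains = set(cfg.get("domains", []))
    if not domains:
        problems.append("at least one domain must be selected")
    if domains - available_domains:
        problems.append(f"domains not mapped to this org: {sorted(domains - available_domains)}")
    if not str(cfg.get("entry_point_url", "")).startswith("https://"):
        problems.append("entry point URL must be an https URL")
    certs = cfg.get("certificates", [])
    if not certs:
        problems.append("at least one IDP certificate is required")
    problems += [f"certificate {i} is not valid PEM" for i, c in enumerate(certs)
                 if not check_pem_certificate(c)]
    return problems

def build_authn_request(cfg: dict, acs_url: str) -> str:
    """Minimal AuthnRequest sent to the Entry Point URL; ForceAuthn is step 10's flag."""
    issued = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    force = ' ForceAuthn="true"' if cfg.get("force_authentication") else ""
    return ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
            'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" '
            f'ID="_{uuid.uuid4().hex}" IssueInstant="{issued}" Destination={quoteattr(cfg["entry_point_url"])} '
            f'AssertionConsumerServiceURL={quoteattr(acs_url)}{force}>'
            f'<saml:Issuer>{escape(cfg["issuer"])}</saml:Issuer>'
            '<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"/>'
            '</samlp:AuthnRequest>')

# Constructed sample: the PEM body is a placeholder DER SEQUENCE, not a real certificate.
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"
SAMPLE_CONFIG = {"name": "Okta", "domains": ["example.com"], "issuer": "https://example.com/saml/sp",
                 "entry_point_url": "https://idp.example.com/sso/saml", "certificates": [SAMPLE_CERT], "force_authentication": True}
```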

Test Login

Navigate to app.epsilon3.io and click Log in with SSO.

Enter your SSO email and click continue. You will be redirected to your SSO login.

Users will still be able to log in with a username and password. If you would like to disable that ability, reach out to Epsilon3 Support.

Other Questions

  • NameID - we require the user’s email as the NameID.

    The format may be unspecified or email.

  • Extra claims - we do not need or use any extra claims.

Deactivating / Removing an IDP

If you edit an IDP config and save it as inactive, you may go back in and delete it. This is a soft delete, but there is no way for the user to recover this record.
