Configuring SSO in the Admin Panel
  • 23 Aug 2023

Article Summary

The admin panel is a centralized tool to help Airtable admins manage their organization’s Enterprise account. Learn how to set up SSO logins for your organization.

Introduction

Plan availability: Business and Enterprise Scale only
Platform(s): Web/Browser, Mac app, and Windows app
Related reading

Setting up SSO in Admin Panel

Note 
Before getting started, be sure your associated domain is added.

As a prerequisite, you'll want to retrieve the SSO metadata (sign-in URL and x.509 certificate) from your SSO identity provider.
 
Step 1: Navigate to the Admin Panel

After retrieving your organization's third-party SSO metadata, navigate to the Admin Panel and click on the Settings page in the navigation sidebar on the left. Next, click Security & Authentication.

Step 2: Adding SSO

Next, provide your sign-in URL and certificate, then click Save.

Step 3: Choose the metadata version

The last configuration step is to determine which IdP you are integrating with Airtable. Okta and OneLogin configurations will need to be switched to the V1 option in the dropdown. Other partner integrations will use the default V2 option.

Step 4: Save and next steps

All that’s left to do now is click Save. This will open a pop-up asking you if you are sure about the changes. Click Save again to allow the SSO login configuration to occur. Changes may take a few minutes to show up.

After clicking Save, the Settings page will reload. To log out all users associated with the configured domain and enforce SSO, please navigate back to the SSO & Authentication section and check/uncheck the box under SSO required. Before requiring SSO for your own email domain, you must first log out and back in with SSO to verify that the metadata you've provided is correct.

From here you can also click Edit if future changes are necessary or if you want to delete the configuration.

Managing rotating SAML certificates

Note
For more information on how to obtain SAML (x.509) certificates from a specific IdP vendor, we suggest you consult one of the articles listed in the Introduction's Related reading section above.


Step 1: Uncheck SSO required option

Navigate to Admin Panel, click the Settings option on the left sidebar, then click the Security & Authentication tab. From here, make sure that the domain that you are updating has the SSO required checkbox unchecked.

Step 2: Remove the previous certificate

Click the Edit button under the SSO metadata column, then highlight and delete all of the previous SAML signing certificate, called the x.509 certificate in Airtable.

Step 3: Get the new x.509/SAML certificate

Access the new x.509 certificate from your IdP. In some cases, this may be referred to as a SAML signing certificate within the IdP that your organization uses. You'll want to copy this certificate for use in the next step.

Step 4: Paste the content into Admin Panel

Paste the contents of the new certificate that you just copied into the x.509 field in the metadata configuration window in Admin Panel. This information should already be blank after following Step 2 above. Click Save once the content has been pasted.

(Optional) Step 5: Re-enable the SSO required option

Recheck the SSO required option. In some cases, your organization may leave this off, in which case, you can skip this step.


SSO dependencies

  • The NameID must be the user’s email address
  • The NameID format can be EmailAddress or unspecified
  • After editing your identity provider metadata, the changes may take up to 5 minutes to take effect.
  • You can only add identity provider metadata for email domains federated under your Enterprise account.
  • We only allow one set of identity provider metadata per email domain, globally. This means that if another enterprise account has already provided identity provider metadata for one of your email domains, you will need to talk to the admins of that account if you want to change the metadata.
  • If you are trying to switch SSO from Optional mode to Required mode for your own email domain after editing the SSO identity provider metadata, we require that you verify that the metadata values you've provided are correct, by first logging out and logging back in using SSO.
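
The NameID and federated-domain dependencies above can be checked against the Subject of a test assertion before SSO is switched to Required. This is an added example, not Airtable's code: the function name, the sample XML and the example.com domain are constructed, and the two format URNs are the standard SAML identifiers for emailAddress and unspecified.

```python
import re
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
ALLOWED_FORMATS = {
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    UNSPECIFIED,
}
EMAIL_RE = re.compile(r"^[^@\s]+@([^@\s]+\.[^@\s]+)$")

# Constructed sample: the Subject of a decoded test assertion, as shown by an
# IdP preview or a browser SAML tracer. example.com is a placeholder domain.
SAMPLE_SUBJECT = """\
<saml:Subject xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">pat@example.com</saml:NameID>
</saml:Subject>"""


def check_name_id(subject_xml, federated_domains):
    """Return a list of problems with the NameID; an empty list means it fits."""
    # The stdlib parser is fine for a fragment you captured yourself; use a
    # hardened parser (for example defusedxml) for XML from untrusted sources.
    root = ET.fromstring(subject_xml)
    name_id = root.find(".//saml:NameID", SAML_NS)
    if name_id is None:
        return ["no NameID element found"]
    problems = []
    # A missing Format attribute means "unspecified" in SAML 2.0.
    fmt = name_id.get("Format") or UNSPECIFIED
    if fmt not in ALLOWED_FORMATS:
        problems.append(f"NameID format not accepted: {fmt}")
    value = (name_id.text or "").strip()
    match = EMAIL_RE.match(value)
    if not match:
        problems.append(f"NameID is not an email address: {value!r}")
    elif match.group(1).lower() not in {d.lower() for d in federated_domains}:
        problems.append(f"email domain not federated: {match.group(1)}")
    return problems


if __name__ == "__main__":
    print(check_name_id(SAMPLE_SUBJECT, {"example.com"}) or "NameID OK")
```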

FAQs

Can I hold off on adding users to my Enterprise account until SSO has been enabled, or bulk deactivate?

We support programmatic disabling/re-activating users via SCIM for Okta (and only Okta). For additional details and setup instructions, please read our support article.

If SSO is enabled on an existing domain, how do I update it to a new domain?
NOTE
Keep in mind that admins may need to change the user's email in the IdP before the user can log in through the tile.

Update user email addresses in the Admin Panel using these instructions and then have them sign into Airtable using their IdPs. After signing in, users should see their updated workspaces/bases and email addresses on the home screen.

If Okta creates a duplicate account while attempting to update a domain, what do I do?
  1. Delete the new account.
  2. Update the old account’s email address in the Airtable Admin Panel or through the Enterprise API.
  3. Have the user attempt to log in again through their IdP.
