Articles in this section
Articles in this section ▾
Configuring SSO in the Admin Panel
Configuring SSO with Okta
Configuring SSO with Google
Configuring SSO with OneLogin
Configuring SSO with Azure AD
Configuring SSO with ADFS
How to manage users via IdP sync - ELA only

Configuring SSO in the Admin Panel

The Admin Panel is a centralized tool to help Airtable admins manage their organization’s Enterprise account. This article is intended for Airtable admins looking to set up SSO when their teams log into Airtable.

NOTE

SSO is a feature only available for Airtable Enterprise payment plans. If you are interested in inquiring about Enterprise pricing, you can contact us here.

IN THIS ARTICLE

Prerequisite
Walkthrough
Troubleshooting tips

 

Prerequisite

Before adding your SSO metadata (sign-in URL and x509 certificate) via the admin panel, you need to first retrieve it from your SSO identity provider, following one of the following articles:

Walkthrough

After retrieving your organization's third-party SSO metadata, navigate to the Admin Panel and click on the Settings page in the navigation sidebar on the left. Next, click the SSO & Authentication tab.
admin_panel_SSO_find_early_2022.jpg

Under the SSO configuration section, you will see an option to “Add SSO identity provider." Clicking this will open up a configuration window.

admin_panel_SSO_config_window_early_2022.jpg

First, choose which domain this SSO configuration will map to. Clicking the down carrot will show all of the domains associated with your Enterprise account. 

NOTE

If you are expecting to see other domains listed, then you will need to reach out to your Airtable accounts representative to make any necessary changes.

Remember the prerequisite step at the beginning of the article? The next two steps will use that SSO metadata. First, you'll enter the sign-in URL of the third-party IdP. Second, you’ll need to paste in the x509 certificate:

admin_panel_SSO_URL_metadata_early_2022.jpg

The last box’s configuration is determined by which IdP provider you are integrating with Airtable. Okta and OneLogin configurations will need to be switched to “V1” in the dropdown. Other partner integrations will use the default “V2” option.

All that’s left to do now is click “Save.” This will open a pop-up asking you if you are sure about the changes. Click “Save” again to allow the SSO login configuration to occur. Changes may take a few minutes to show up.

After clicking save, the Settings page will reload. To log out all users associated with the configured domain and enforce SSO, please navigate back to the SSO & Authentication tab and toggle the switch under "SSO optional/required." Before requiring SSO for your own email domain, you must first log out and back in with SSO to verify that the metadata you've provided is correct.

admin_panel_SSO_configuration_saved_early_2022.jpg

From here you can also click “Edit metadata” if future changes are necessary or if you want to delete the configuration altogether.

 

Troubleshooting tips

  • The NameID must be the user’s email address
  • The NameID format can be EmailAddress or unspecified
  • After editing your identity provider metadata, the changes may take up to 5 minutes to take effect.
  • You can only add identity provider metadata for email domains federated under your enterprise account.
  • We only allow one set of identity provider metadata per email domain, globally. This means that if another enterprise account has already provided identity provider metadata for one of your email domains, you will need to talk to the admins of that account if you want to change the metadata.
  • If you are trying to switch SSO from optional mode to required mode for your own email domain after editing the SSO identity provider metadata, we require that you verify that the metadata values you've provided are correct, by first logging out and logging back in using SSO.

Was this article helpful?

Related articles