Search the docs

Getting Started

How to connect your SAML provider to Upscope

Upscope provides a generic auth provider for SAML2-based authentication. It allows you to connect any SAML2-enabled IdP system.

Upscope supports the following SAML services:

  • Identity and Service Provider initiated SSO

  • Identity Provider initiated SLO (Single Logout)

Connect your IdP to Upscope

To connect your IdP to Upscope, you’ll need to go to the SAML section of the membership settings. You’ll find these under General Settings »Team settings & SSO » SAML.

Change the Enable SAML SSO setting to Yes, then scroll to the bottom of the page to find the Configuration information. There, you’ll find the following:

SAML Consumer URL

Used to log you into Upscope. This could also be called Assertion Consumer Service

SAML Single Logout URL

Used to log you out of Upscope when you log out in your IdP

SAML Entity ID

This could also be called Metadata, and it identifies your Upscope team.

You’ll need to create a custom application in your IdP using the information above when asked. Your IdP will then provide you with either a XML file or a Metadata URL.

If you are given a Metadata URL, just enter it under the IdP Metadata URL setting on the Upscope website. If you are given a XML file, copy its content in your clipboard and then paste it into the IdP Metadata XML setting on the same page.

You can then Save the settings and SAML will be fully set up.

Options

In the SAML section, you’ll find the following options:

Automatically provision new SAML users?

You can set up Upscope to automatically create an account for people that log in with SAML, without needing to invite them manually. They will be given your default permission set (typically “start session” and “view user list”).

If set to no, and admin will need to invite new agents on the members page, before being allowed to log in.

Exclude root user from SAML SSO requirement?

If set to yes, the root user (aka Account Owner) will not be required to log in through SAML and can use a password or a magic link to log in. This is useful if you have an email address that is not part of your IdP that you use for your cloud ops.