We recommend not enforcing SAML authentication until you have verified that Anodot SAML authentication has been set up correctly.
To enable SSO Authentication, the Admin user must be the account owner of the organization's single sign-on service provider.
Note: If Okta is your identity provider (IdP), see Configuring SAML 2.0 for Okta.
To enable Anodot SAML SSO
- From the Anodot Navigation Panel, click Settings > Authentication to open the Authentication page.
- In the Single Sign-On Configuration section, click the SAML option button to enable this option.
- To enforce SAML single sign-on, click the For Admin users... check box.
Note: By default, SSO is not enforced. Anodot recommends not enforcing SAML authentication until you have verified that Anodot SAML authentication has been set up correctly. As long as SAML SSO is not enabled, Admin users can bypass SSO and, for example, if locked out, can access the system using their Anodot password.
- In a separate window, open your organization's Single Sign-on Identity Provider.
- Copy the single sign-on Login URL and X.509 certificate.
- In Anodot, paste the single sign-on Login URL and X.509 certificate in the Login URL and 509 Certificate fields in the Identity Provider Details section (see above).
- In the Service Provider Details section, copy Anodot's Entity ID (issuer ID) and Assertion Consumer Service URL, and paste this data into your single sign-on provider.
- Use a browser incognito window to test that the SAML configuration has been completed successfully:
  - Log in using the Login URL on the SAML page.
  - Go directly to https://app.anodot.com
Anodot Service Provider Details
- Anodot supports the HTTP-POST binding for SAML2:
- Anodot requires the NameID Policy in Assertion Requests to be in email format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
- Assertions must be signed.
- The digest algorithm used is: sha256
- For details about Anodot SP Metadata, click the More Details link (see screenshot above)