How to Connect Your SAML Provider

Connecting Your SAML Provider to UserView

UserView provides a generic auth provider for SAML2-based authentication, allowing you to connect any SAML2-enabled IdP system.

Supported SAML Features

UserView supports the following SAML features:

  • Identity Provider (IdP) initiated SSO
  • Service Provider (SP) initiated SSO
  • Identity Provider initiated SLO (Single Logout)
  • Automatic user provisioning via SAML attributes
  • Permission synchronization via SAML attributes

Technical Specifications

| Specification | Value |
| --- | --- |
| NameID Format | urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress |
| ACS Binding | HTTP POST |
| SLO Binding | HTTP Redirect |

Connect Your IdP to UserView

To connect your IdP to UserView, navigate to the SAML section of the membership settings in your dashboard. You'll find these under General Settings » Team settings & SSO » SAML.

  1. Change the Enable SAML SSO setting to Yes.
  2. Scroll to the bottom of the page to find the Configuration information, which includes:
    | Configuration | Description |
    | --- | --- |
    | SAML Consumer URL | Used to log you into UserView. This could also be called Assertion Consumer Service (ACS). Uses HTTP POST binding. |
    | SAML Single Logout URL | Used to log you out of UserView when you log out in your IdP. Uses HTTP Redirect binding. |
    | SAML Entity ID | This could also be called Metadata, and it identifies your UserView team. |
  3. Create a custom application in your IdP using the information above. Your IdP will then provide you with either an XML file or a Metadata URL.
  4. If you are given a Metadata URL, enter it under the IdP Metadata URL setting on the UserView website. The metadata will be fetched automatically and kept up to date.
  5. If you are given an XML file, copy its content to your clipboard and paste it into the IdP Metadata XML setting on the same page.
  6. Save the settings, and SAML will be fully set up.

Options

In the SAML section, you'll find the following options:

| Option | Description |
| --- | --- |
| Automatically provision new SAML users? | Set up UserView to automatically create an account for users logging in with SAML, without needing manual invitations. They will receive your default permission set (or what you configure through SAML attributes). If set to no, an admin must invite new agents on the members page before they can log in. |
| Exclude root user from SAML SSO requirement? | If set to yes, the root user (Account Owner) will not be required to log in through SAML and can use a password or a magic link. This is useful if the account owner uses an email address for cloud operations that is not part of your IdP. |
| Update user data at login? | When enabled (default), user profile information (name, phone number, language) will be synchronized from SAML attributes each time the user logs in. |
| Update permissions at login? | When enabled, user permissions will be synchronized from SAML attributes each time the user logs in. This allows you to manage UserView permissions directly from your IdP. Disabled by default. |

SAML Attributes

UserView can read user information from SAML attributes in your IdP's response. Attribute names are matched flexibly, ignoring underscores and case (e.g., email_address, EmailAddress, and emailaddress are all equivalent).

User Profile Attributes

| Attribute | Description |
| --- | --- |
| email or email_address | The user's email address. If not provided as an attribute, the NameID will be used (must be in email format). |
| display_name, full_name, or first_name + last_name | The user's display name. If display_name or full_name aren't set, first_name and last_name will be combined. |
| phone_number | The user's phone number. |
| language | The user's preferred language code. |
| visitor_list_regions | Comma-separated list of regions the user can view in the visitor list (these need to match the userRegion attribute passed at initiation). |

Permission Attributes

When Update permissions at login is enabled, you can control user permissions via SAML attributes. Set each attribute to true or false.

  • permission_can_use: User can start UserView sessions. Defaults to true if not specified.
  • permission_can_manage_content: User can remove visitor's data.
  • permission_can_view_reporting: User can view reporting and usage analytics.
  • permission_can_manage_users: User can manage the team's users.
  • permission_can_manage_billing: User can pay for the team and manage the billing settings.
  • permission_can_access_settings: User can access general settings and make changes.

This allows you to centrally manage UserView permissions from your identity provider, ensuring permissions stay in sync with your organization's access control policies.
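
Before enabling Update permissions at login, it helps to check what an IdP attribute mapping would actually grant. The following is an added example, not UserView's own code: it applies the name-matching, fallback and default rules described in the SAML Attributes and Permission Attributes sections to a set of released attributes. The function names, the order in which alternative attribute names are tried, the single-string attribute values, and the strict lowercase true/false check are assumptions of this sketch.

```python
# Added example: preview how released SAML attributes map onto the profile
# fields and permission flags documented on this page. Not UserView code.
PERMISSIONS = ["can_use", "can_manage_content", "can_view_reporting",
               "can_manage_users", "can_manage_billing", "can_access_settings"]

def norm(name):
    """Match names as the page describes: ignore underscores and case."""
    return name.replace("_", "").lower()

def preview(attributes, name_id):
    """attributes: dict of attribute name -> single string value (assumed)."""
    attrs = {norm(k): v.strip() for k, v in attributes.items()}
    get = lambda key: attrs.get(norm(key))

    # email or email_address; otherwise fall back to the NameID.
    email = get("email") or get("email_address") or name_id
    if "@" not in email:  # crude format check, enough for a preview
        raise ValueError("no email attribute and NameID is not in email format")

    # display_name / full_name, else first_name + last_name combined.
    name = get("display_name") or get("full_name") or " ".join(
        p for p in (get("first_name"), get("last_name")) if p)

    regions = [r.strip() for r in (get("visitor_list_regions") or "").split(",")
               if r.strip()]

    perms, problems = {}, []
    for p in PERMISSIONS:
        raw = get("permission_" + p)
        if raw is None:
            # Only can_use has a documented default (true); others stay unset.
            perms[p] = True if p == "can_use" else None
        elif raw in ("true", "false"):
            perms[p] = raw == "true"
        else:
            # Assumption: anything but a literal true/false is reported, not guessed.
            perms[p] = None
            problems.append(f"permission_{p}: expected true or false, got {raw!r}")
    return {"email": email, "name": name or None, "regions": regions,
            "permissions": perms, "problems": problems}

# Constructed sample input, not taken from a real IdP.
SAMPLE = {"EmailAddress": "ana@example.com", "First_Name": "Ana", "lastname": "Ruiz",
          "Permission_Can_Manage_Users": "true", "permissioncanmanagebilling": "yes",
          "visitor_list_regions": "emea, apac"}
```

Running `preview(SAMPLE, "ana@example.com")` shows `can_manage_users` granted and reports the `yes` value for the billing permission as a mapping problem to fix in the IdP.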