SAML

Teams on a Scale plan can configure SAML Authentication for their team.

By default, users who sign in through their organization's SAML Connection are granted Viewer membership. To elevate their permissions, a Team Admin must adjust their role via the Team Settings page in the Evervault Dashboard.

Prerequisites

The user configuring SAML from the Evervault Dashboard must be a team admin. You will also need admin access to your IdP to complete the setup from the provider.

Setup

1. Navigate to Team Settings -> Security in the Evervault Dashboard.
2. Click the "Configure" button next to "Single sign-on (SAML)" to begin configuring your SAML connection.

Okta

1. Use the SAML connection details from the Evervault Dashboard to create the connection within Okta.

2. Evervault requires that your IdP maps the account's email into the app attribute email. To configure this in Okta, navigate to Sign On -> SAML Attributes -> Profile attribute statements. Set the email attribute to the value user.email.

3. Return to the Evervault Dashboard's Security page. Input the Okta-generated sign-in URL and x509 certificate. The certificate may be in .PEM or .CER format. If you enable sign-out, you must also provide the Okta-generated sign-out URL.

Google

1. Input your SAML sign-in URL and upload your IdP's x509 cert in .PEM or .CER format. Optionally you can enable sign-out and provide a sign-out URL.
2. Press the "Create SAML Connection" button. After the Connection has been created successfully, you will see a "Configured" badge next to SAML settings.
3. Press the "Settings" button to view your Connection's metadata.
4. Evervault only requires a single SAML attribute mapping. To configure this, set the mapping of "Primary email" to the app attribute email. Below is an example of what this looks like when using Google as an IdP.