How to configure SAML SSO with LinearB
Enterprise customers can enable a SAML SSO integration with LinearB. This integration is designed to work with SAML 2.0 service providers, including Okta and OneLogin.
How to enable SSO
Glossary:
IDP stands for an Identity Provider - examples of IDPs are Okta, OneLogin, etc.
SP stands for Service Provider - LinearB is the service provider in this situation.
1. Enable SSO in LinearB
To begin the SSO connection between your IDP and LinearB, go to Company Settings, and select the Single Sign On tab, click on the Set up SSO button.

2. Configure a SAML integration in your SSO IDP (Okta, OneLogin, etc.)
Your IDP Admin will need to configure a SAML2.0 integration in your company IDP which include the following information
- Single sign-on URL - This will be Dynamically generated in the LinearB app.
- Audience URL =
https://app.linearb.io/login
- Set the Name ID format to email.
- Assign at least one user to the SSO application.
- If needed, a LinearB logo can be downloaded here: LinearB Logo
Okta configuration
- Goto your Okta administration page and browse to Applications. Click on Create App Integration.
- In the Create New Application Integration select SAML 2.0
- In the Create SAML Integration wizard under the general tab, Type LinearB in the Application name, add application logo (downloadable file is below) and click on next.
- A LinearB logo can be downloaded here: LinearB Logo
- In the Create SAML Integration wizard under the Configure SAML tab, copy/paste the LinearB URL. This can be found in the LinearB admin page Single Sign-On URL and the Audience URI text boxes.
- Single Sign-On URL: This can be copied from the LinearB settings page
- Audience URL:
https://app.linearb.io/login
- Single Sign-On URL: This can be copied from the LinearB settings page
- In the Name ID format, select Email Address and click next.

- In the Create SAML Integration wizard under the Feedback tab, select the I’m an Okta customer adding an internal app and click Finish
- Go to the Assignment tab in your LinearB application, and click on Assign. Select People or Groups and add the team members which will have access to LinearB

3. Integrate the SSO Application with LinearB
- Go to the Sign-On tab in your LinearB SSO application, and click on the View SAML setup instructions
- Copy the Identity Provider Issuer from Okta and paste into LinearB
- Copy the Identity Provider Single Sign-On URL from Okta and paste into LinearB
- Insert your Organization email domain
- Note that the domain must be correct. Also, generic domains (gmail.com, yahoo.com, hotmail.com) cannot be used as your organization email domain.
- Copy the X-509 Certificate from Okta and paste into LinearB

- Once pasted into LinearB, click the Save button, and set the "SAML Authentication" toggle button to ON.

Users logging in with SSO will be prompted to enter their email when they click on the SSO button on the LinearB login page.

How can I enforce SSO?
By checking the "Team members will only be able to access LinearB using your SSO provider" checkbox, LinearB will require all users logging in to access LinearB using their email address linked to your SSO provider.
If this checkbox is unchecked, users can log in using either SSO or the other auth versions available in LinearB.

How to validate the SAML login is working
There are two steps to verify your SSO has been configured correctly.
- Browse to the user app dashboard in Okta, click on LinearB app. Expected result: Login to LinearB
- Browse to LinearB login page, click on the SSO Icon and type your username. Expected result: Login with Okta
Inviting users to LinearB with SSO enabled
Once SSO is enabled, new team members will need to be added via your IDP's LinearB integration. Users added via your IDP integration will have "Viewer" permissions by default, LinearB admins can update user permissions from the LinearB user settings page here.
Users need to log in to LinearB with the same email/domain as is used in your SSO service. Email addresses are case sensitive.
How to disable SSO
SSO can be disabled by sliding the SAML Authentication button into the off position.
