How to configure SAML SSO with LinearB

Enterprise customers can enable a SAML SSO integration with LinearB. This integration is designed to work with any SAML 2.0 service provider, including Okta, OneLogin, Azure, and GSuite.

Though the instructions in this article will work for any IDP, we do offer the following vendor-specific articles:

• Azure AD SSO Configuration
• GSuite SSO Configuration
• Okta SSO Configuration

How to enable SSO

Glossary:

• IDP stands for an Identity Provider - examples of IDPs are Okta, OneLogin, etc.
• SP stands for Service Provider - LinearB is the service provider in this situation.

1. Enable SSO in LinearB

To begin the SSO connection between your IDP and LinearB, go to Company Settings, and select the Single Sign On tab. Click on the Set up SSO button.

2. Configure a SAML integration in your IDP (Okta, OneLogin, etc.)

Your IDP Admin will need to configure a SAML 2.0 integration in your company IDP. They will need the following information from LinearB:

• Callback URL/ACS URL - This will be dynamically generated in the LinearB app.
• Audience URL/Entity ID = https://app.linearb.io/login
• Set the Name ID format in the IDP to email
• No attributes are required outside of the Name ID
• Assign at least one user to the SSO application.
• If needed, a LinearB logo can be downloaded here: LinearB Logo

3. Integrate the SSO Application with LinearB

From your IDP, you will need to enter the following information in LinearB:

1. Provider Single Sign-on URL - Sometimes labeled as the SSO URL in the IDP
2. Provider Issuer - The Issuer URL or Entity ID for the IDP
3. Organization email domain - The domain your users use for their email addresses. For example, example.com
4. Certificate - Your IDP will give you either the option to copy your x509 certificate or to download and extract the certificate from your IDP metadata. Copy the full x509 certificate and paste it in to LinearB.

Testing SSO

1. Once the information is pasted in to LinearB, click the Save button
2. This will trigger a flow to test SSO login—if the flow does not work, we will not enable SSO.
3. Once you've successfully logged in, confirm that the "SAML Authentication" toggle button is set to to ON

   

4. If you wish to enforce SSO login, click "Edit" and check the "Team members will only be able to access LinearB using your SSO provider" checkbox. Then, click "Save".

Users logging in with SSO will be prompted to enter their email when they click on the SSO button on the LinearB login page.

How can I enforce SSO?

By checking the "Team members will only be able to access LinearB using your SSO provider" checkbox, LinearB will require all users logging in to access LinearB using their email address linked to your SSO provider.

If this checkbox is unchecked, users can log in using either SSO or the other auth versions available in LinearB.

Inviting users to LinearB with SSO enabled

Once SSO is enabled, new team members will need to be added via your IDP's LinearB integration. We support JIT provisioning—once the user is provisioned in your IDP, they can log in to LinearB and we'll create an account for them. Users added via your IDP integration will have "Viewer" permissions by default. LinearB admins can update user permissions from the LinearB user settings page here.

Users need to log in to LinearB with the same email/domain as is used in your SSO service. Email addresses are case sensitive.

How to disable SSO

SSO can be disabled by sliding the SAML Authentication button into the off position.