Note: You must have Owner access to your Portfolio in order to enable SAML authentication for your account.
We are upgrading our SAML authentication system to improve compatibility with different Identity Providers and to improve our security. SAML authentication will have stricter validation rules. Most likely you don't have to change anything in your Identity Provider configuration, but please make sure that:
IDp is using SAML version 2.0.
Audience URL in SAML response matches your portfolio home URL (https://[your-account-name].assembla.com/p/home).
SAML Response only contains a single Assertion (encrypted or not).
SessionNotOnOrAfter attribute of the AttributeStatement is valid.
Response contains a valid SubjectConfirmation.
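The checklist above as a pre-flight script, added here as an example (it is not Assembla's code): it runs the five conditions against a captured SAML response so an IDp misconfiguration shows up before users are locked out. Assumptions: "valid" is read as "not expired", a valid SubjectConfirmation is read as a bearer confirmation whose Recipient is the portfolio's /p/saml/consume URL, the XML signature is not verified, and the sample response is constructed for a hypothetical account named "example".

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

P = "urn:oasis:names:tc:SAML:2.0:protocol"
A = "urn:oasis:names:tc:SAML:2.0:assertion"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

def _expired(stamp, now):
    # SAML instants are UTC xs:dateTime values, e.g. 2099-01-01T00:00:00Z
    return datetime.fromisoformat(stamp.replace("Z", "+00:00")) <= now

def check_response(xml_text, audience, acs_url, now=None):
    """Return a list of problems; an empty list means every check passed."""
    now = now or datetime.now(timezone.utc)
    root, problems = ET.fromstring(xml_text), []
    if root.tag != "{%s}Response" % P or root.get("Version") != "2.0":
        problems.append("not a SAML 2.0 Response")
    plain = root.findall("{%s}Assertion" % A)
    if len(plain) + len(root.findall("{%s}EncryptedAssertion" % A)) != 1:
        problems.append("Response must contain exactly one Assertion")
    if len(plain) != 1:
        return problems  # encrypted, missing or duplicated: stop here
    auds = [(e.text or "").strip() for e in plain[0].iter("{%s}Audience" % A)]
    if audience not in auds:
        problems.append("Audience does not match the portfolio home URL")
    for el in plain[0].iter():  # the attribute is accepted on any element
        stamp = el.get("SessionNotOnOrAfter")
        if stamp and _expired(stamp, now):
            problems.append("SessionNotOnOrAfter is in the past")
    def bearer_ok(sc):  # a missing NotOnOrAfter counts as expired
        d = sc.find("{%s}SubjectConfirmationData" % A)
        return (sc.get("Method") == BEARER and d is not None
                and d.get("Recipient") == acs_url
                and not _expired(d.get("NotOnOrAfter", "1970-01-01T00:00:00Z"), now))
    path = "{%s}Subject/{%s}SubjectConfirmation" % (A, A)
    if not any(bearer_ok(sc) for sc in plain[0].iterfind(path)):
        problems.append("no valid bearer SubjectConfirmation")
    return problems

# Constructed, unsigned, trimmed sample for a hypothetical account "example".
HOME = "https://example.assembla.com/p/home"
ACS = "https://example.assembla.com/p/saml/consume"
def sample(aud=HOME, sess="2099-01-01T08:00:00Z", recipient=ACS, copies=1):
    a = ('<a:Assertion xmlns:a="%s" Version="2.0"><a:Subject><a:SubjectConfirmation'
         ' Method="%s"><a:SubjectConfirmationData Recipient="%s" NotOnOrAfter='
         '"2099-01-01T00:05:00Z"/></a:SubjectConfirmation></a:Subject><a:Conditions>'
         '<a:AudienceRestriction><a:Audience>%s</a:Audience></a:AudienceRestriction>'
         '</a:Conditions><a:AuthnStatement SessionNotOnOrAfter="%s"/></a:Assertion>'
         ) % (A, BEARER, recipient, aud, sess)
    return '<p:Response xmlns:p="%s" Version="2.0">%s</p:Response>' % (P, a * copies)
```

Run check_response on the decoded response your IDp actually sends, passing your own portfolio home URL and consumer URL; each returned string names the checklist item that failed.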
Understanding SAML
There are two sides to a SAML interaction:
Identity Provider (IDp). Examples are Okta.com and OneLogin.com.
Service Provider (SP). Assembla, in this case.
Using identity provider (IDp) configuration
The only piece of information that an IDp usually needs from the SP is the SAML Consumer URL or SAML Assertion Consumer Service URL.
For an Assembla portfolio, this is: https://your_portfolio_subdomain_name.assembla.com/p/saml/consume.
Note: Make sure that your identity provider sends email using the NameId attribute.
Using service provider (SP) configuration
There are two pieces of information that Assembla needs to interact with an IDp:
An IDp single sign-on URL, also known as a SAML endpoint URL.
The IDp X.509 certificate or simply the certificate's SHA1 fingerprint.
A portfolio owner can configure the portfolio to authenticate team members using the company's SAML server.
To enable SAML authentication
Go to More > Portfolio Admin.
Scroll down to SAML authentication.
Check Enable. The content expands to display more fields.
Type the SAML authentication endpoint in the SAML Assertion Consumer Service URL field.
In the large field, type in the X.509 certificate or its SHA1 fingerprint.
Note: When using the X.509 certificate, make sure that you include the lines "BEGIN CERTIFICATE" and "END CERTIFICATE" to properly update your settings.
Click Update SAML settings. Note that team members are able to authenticate using only the specified SAML server.
Understanding authentication workflow changes
When you enable SAML authentication, the Assembla.com authentication workflow changes so that both existing and invited users see a greeting message that invites them to authenticate with the designated SAML server.
There are two different paths to authenticate:
Path 1: From www.assembla.com/login, you will still see the normal login page where you enter your Assembla credentials. Once you log in, you see a page asking you to log in with SAML.
Path 2: From the portfolio.assembla.com page, you won't be asked to log in with your Assembla credentials. You are asked to log in with SAML.
Accessing repositories
To access the repositories in Assembla spaces, team members must set their Assembla password in the Login & Password Settings section of their profile.
If you have any questions or need assistance, please feel free to email us at support@assembla.com. We will be happy to assist.