You must have Owner access to your Portfolio in order to enable SAML authentication for your account.
We are upgrading our SAML authentication system to improve compatibility with different Identity Providers and to strengthen security. SAML authentication will apply stricter validation rules. Most likely you will not have to change anything in your Identity Provider configuration, but please make sure that:
- the IdP is using SAML version 2.0
- the Audience URL in the SAML response matches your portfolio home URL (https://[your-account-name].assembla.com/p/home)
- the SAML Response contains only a single Assertion (encrypted or not)
- the SessionNotOnOrAfter attribute of the AttributeStatement is valid
- the Response contains a valid SubjectConfirmation
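As an added illustration of the checklist above (example code, not Assembla's own), the function below applies the listed rules to a SAML Response: version 2.0, exactly one Assertion, Audience equal to the portfolio home URL, and unexpired SessionNotOnOrAfter and SubjectConfirmation. The sample response is constructed for a hypothetical portfolio named "acme", and signature verification and assertion decryption are assumed to have been done before these checks run.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def _utc(value):
    # SAML timestamps are xs:dateTime in UTC, e.g. 2030-01-01T12:00:00Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_saml_response(xml_text, expected_audience, now):
    """Return the violated rules from the checklist (empty list = passed).
    Signature verification and decryption are separate steps that must run first."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.get("Version") != "2.0":
        problems.append("Response is not SAML 2.0")
    assertions = (root.findall("saml:Assertion", NS)
                  + root.findall("saml:EncryptedAssertion", NS))
    if len(assertions) != 1:  # exactly one Assertion, encrypted or not
        return problems + [f"expected one Assertion, found {len(assertions)}"]
    a = assertions[0]
    if a.tag.endswith("EncryptedAssertion"):
        return problems + ["decrypt the Assertion before running the remaining checks"]
    audiences = [e.text for e in
                 a.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:  # must equal the portfolio home URL
        problems.append(f"Audience {audiences} does not match {expected_audience}")
    sess = a.find(".//*[@SessionNotOnOrAfter]")  # on whichever statement carries it
    if sess is None or _utc(sess.get("SessionNotOnOrAfter")) <= now:
        problems.append("SessionNotOnOrAfter missing or expired")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or _utc(scd.get("NotOnOrAfter", "1970-01-01T00:00:00Z")) <= now:
        problems.append("SubjectConfirmation missing or expired")
    return problems

# Constructed sample (not a real capture) for a hypothetical portfolio named "acme"
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">
 <saml:Assertion Version="2.0"><saml:Subject><saml:NameID>jane@example.com</saml:NameID>
  <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
   <saml:SubjectConfirmationData NotOnOrAfter="2030-01-01T00:05:00Z"/></saml:SubjectConfirmation>
  </saml:Subject><saml:Conditions><saml:AudienceRestriction>
   <saml:Audience>https://acme.assembla.com/p/home</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions><saml:AuthnStatement SessionNotOnOrAfter="2030-01-01T08:00:00Z"/>
 </saml:Assertion></samlp:Response>"""
NOW = datetime(2030, 1, 1, tzinfo=timezone.utc)  # fixed clock so the sample validates

if __name__ == "__main__":
    print(check_saml_response(SAMPLE, "https://acme.assembla.com/p/home", NOW))  # []
```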
There are two sides to a SAML interaction:
- Identity Provider (IDp) — examples are Okta.com and OneLogin.com
- Service Provider (SP) — Assembla in this case.
Identity Provider (IDp) configuration
The only piece of information that an IDp usually needs from the SP is the "SAML Consumer URL" or "SAML Assertion Consumer Service URL".
For an Assembla portfolio it is: https://YOUR_PORTFOLIO_SUBDOMAIN_NAME.assembla.com/p/saml/consume.
Note: make sure that your Identity Provider sends the user's email address in the NameId attribute.
Service Provider (SP) configuration
There are two pieces of information that Assembla needs to be able to interact with an IDp:
- IDp Single Sign-On URL, also known as "SAML Endpoint URL"
- the IDp X.509 certificate, or just the certificate's SHA1 fingerprint
A portfolio owner can configure the portfolio to authenticate team members against the company's SAML server. To enable SAML authentication, go to the Portfolio's Admin tab and check Enable under the SAML authentication section at the bottom.
Once that's checked, you need to enter two pieces of information about your IDp:
- the SAML authentication endpoint
- the X.509 certificate or its SHA1 fingerprint
When using the X.509 certificate, make sure that you include the "BEGIN CERTIFICATE" and "END CERTIFICATE" lines so that your settings are saved correctly.
Click Update SAML settings and you're all set: team members will only be able to authenticate using the specified SAML server.
Authentication workflow changes
When SAML authentication is enabled, the Assembla.com authentication workflow changes so that both existing and invited users see a greeting message inviting them to authenticate with the designated SAML server. There are two different paths to authenticate:
From www.assembla.com/login, you will still see the normal login page where you enter your Assembla credentials. Once you log in, you will see this page:
From the portfolio.assembla.com page, you won't be asked to log in with your Assembla credentials. You will see this page:
To access the repositories in Assembla spaces, team members will have to set their Assembla password in the Login & Password Settings section of their profile:
If you have any questions or need assistance, please feel free to email us at firstname.lastname@example.org. We will be happy to assist.