SSO using SAML

Overview

Single sign-on (SSO) allows your team members to sign in to Arcade using your own identity provider, e.g. with , , , or .

Arcade currently supports SP-initiated SSO using SAML 2.0.

Configuring SAML for your Arcade team

There are two parts to configuring SAML to work with Arcade:

1. Define a new SSO app in your IdP. These are the two main things you'll need when registering Arcade as an SSO app:

   1. Entity ID: urn:app.arcade.software

   2. ACS URL (sometimes referred to as the callback URL): https://app.arcade.software/__/auth/handler

2. Arcade registers your new SSO app as a SAML provider. We'll need the following information -- all of these are included in the SAML metadata XML document or URL:

   1. Entity ID (also known as issuer)

   2. SSO login URL

   3. X509 Certificate

Once you've registered the new Arcade SSO app in your IdP, contact us at with your SAML metadata URL (or attach the SAML metadata XML file or provide us the information above).

Finally, on your identity provider side, you need to allow the following callback URL:

https://app.arcade.software/__/auth/handler

We'll give you a unique Arcade SSO URL that you can use to sign in, or you can simply use the "Continue with SSO" option on the Arcade sign in page and enter an email associated with your domain.

Configuring SAML on Auth0

⚠️ Note about the SAML 2.0 add-on

If you configure Arcade SSO using that add-on, make sure that the SAML NameID is set to the user email address, by configuring nameIdentifierProbes like this in the add-on settngs:

{
  "nameIdentifierProbes": [
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
  ]
}

Configuring SAML on Okta