SSO (Single Sign-On) is technology that allows you to use your own authentication servers to authenticate user accounts on lookback.io. This way, you can centrally manage people enrolling or getting off-boarded in your own LDAP or similar.

Available on the following plans

Enterprise

1. Configuring SSO

Please note: SAML is currently the only SSO standard supported on Lookback.io. Specifically, SAML 2.0 with a Service Provider initiated Redirect-POST flow

To enable SAML (once you have upgraded to Enterprise), navigate to top-right menu > Organization Settings, and follow the instructions in the section "Single Sign-On". Please note: only the Owner of your Lookback organization can enable SAML/SSO.

To configure SAML to work with Lookback on your end, see our field definitions and public key below.

You can contact us at help@lookback.io if you have additional questions, but please note that we can only help with Lookback specific SAML questions; we cannot answer technical questions regarding the SAML specification itself.

✅ Required Settings

In the Lookback organization settings, there are four required fields that you need to interact with:

Assertion Consumer Service (ACS) URL (aka SAML Validation URL): Lookback has an ACS URL (listed in the field on the SSO setting page). Configure your Identity Provider with this value so it knows where to send the SAML Assertion (which is part of the SAML Response). Your Identity Provider (IdP) should send the SAML response to this URL.
Identity Provider SSO URL (aka SAML SSO URL): The SAML 2.0 endpoint from you IdP that our servers should redirect to to authenticate the request. The URL may include the name of your organization, your Identity Provider, and/or the word "lookback"

For example, it may look something like one of the following:
- https://yourcompany.com/saml/lookback
  
  OR
- https://yourcompany.okta.com/validate/abc123
Identity Provider Issuer: An identifier/name for your Identity Provider (IdP), usually a url like https://yourdomain.com or https://yourcompanyname.okta.com
Public Certificate: Your IdP's public certificate.

Optional Settings

If you have more advanced requirements, we offer a few optional settings too.

Sign AuthnRequest: If you require us to sign the SAML request we will do that using the public key below. You can specify the algorithm you'd like us to sign it with. We support rsa-sha1, rsa-sha256, and rsa-sha512.
Encrypted Assertion: Should you wish to encrypt the assertion you may also use the certificate below.
Your IdP may sign the SAML response or the Assertion using rsa-sha1, rsa-sha256, or rsa-sha512. (You don't have to specify this in the Lookback settings.)
If your IdP requires an Audience URI/Entity ID that value will be https://lookback.io

Metadata

You can find a link to view the SAML Metadata in your team's SSO settings.

This is an example metadata document

<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://lookback.io" ID="https___lookback_io">

<SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">

<KeyDescriptor>

<ds:KeyInfo>

<ds:X509Data>

<ds:X509Certificate>

MIIE/jCCAuYCCQCdY5FxRBrTGzANBgkqhkiG9w0BAQsFADBBMQswCQYDVQQGEwJVUzEcMBoGA1UECgwTTG9va2JhY2sgR3JvdXAsIEluYzEUMBIGA1UEAwwLbG9va2JhY2suaW8wHhcNMTgwNTMxMDkyOTE5WhcNMjMwNTMwMDkyOTE5WjBBMQswCQYDVQQGEwJVUzEcMBoGA1UECgwTTG9va2JhY2sgR3JvdXAsIEluYzEUMBIGA1UEAwwLbG9va2JhY2suaW8wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCZQZiYz4YLbUHCCsPxGD4PeqxUuGGPFqWGknOoc2UiAHFbqk3+PHzrIuyAZc+JyjYOY0ejBMwnibxQuLFBmD+BqQ1XFxAAnSlHDfONOBK3QjP2gCEa62YybKMsEU6155FwRZlu+0nV4qk6fcuQjOnBoXN/UlGzPGTrTTycu/wrO4c67pUrU7sap5Nzn4Ot3P0I0WR/6JIBebJJ4qEKEAqsYuGtf68WU9zH+iDDGjbTygueZRr95PvVdBd9pJGvavaZzaE6h+PPiBDU8r8YnMA1JZ7RYcUGu1IzQlyLiGzMrziymHBKE9PnoXaKBgC+6uJ3iy45dbsU1HUMV8LE75FcX6TBL7gSOxpwHGqH9m1zWM8tp772WyUr+X2lavPLzCvEWJF83hzcweH3kw3FV1j5F8J+ud4VIsuANB0t9BQTGKWms7EAc+Q4QLv6oX/KKXB7R+0/jCOViks9dE/IUmJ+ho6bn+vxTyDHsXEx9seMm3FImlqiT/XH3KLQUF716T8sS2mOiGtP0OaNZbOnmDuYjaVFIaVIK9kyS/e4Pcct6H+XkWFQS4eDE2weThpRkw4dI6VCEQGmf1bHaEPWLw3r0ZkRHOQ5ImxUH52e+GrsCJYZZDACL2zx2JXI0t6t2ViYtB9avt0XL+5O1tzw/BQ2+wgFcfe7yWXV+4siEqtUiwIDAQABMA0GCSqGSIb3DQEBCwUAA4ICAQAZ6uO6Ol8EogMWbGjc6F22uWySc73tjyuYfSr5TkCFGW+fIesx9WijHmkZZiDN5M8INru3t2xyhlbdOj80etlhbxhjQw8aKHmQVcjp/Jo6HNdqhUIoWcSx+hiaxdQZqPd4izcG7BHPvtAo6PJF7ppwK5yWiRiSFddMeAK0tNyFFmHeP9qK5e3SCCDqsitPOAOG9fIiCwA4dVkbdWSdUUXF2kx0i5woiLEPpxAfiK3PSTWvpK3NA5gCPnaas24ogEmuFzsFg3xRWgHdYiKYlX+ZdtMM2Q1OBegWLMxyjAIeVeaCQrinMENrkzN9qCYevRUlOQQ/yVaWen/ZW2v/x0GgS8dzfkQ28tkE3b32Dqza8obrpLe+MPr1UebjvTQ4OLjZlypxVx2hhd7CNT0z+KPxRX0BUHrqIIE2VOdYlm2iLeF5zVcFW3XMKFYhEC0OqDQZ6uWmT3FkP/i8mCT239v27XCkzxvSgNCcEJvi/rjaCYiTY93f8jHeqh8KABk9gWjoKl7TeZnu0urTDDMyrl+I30l4vW/0ZtP+AWUwm38KaKWkxTJLfDWmdBQfI211yaybpjo45lLFRBYE7M4ZeqnYEQztmoeI/Kh3xkFgHrrRspfaoREvdnKaoOvuY9RVGRMbWlD6Aznfr5D2lG9ZfYWjeHdwpNtQ/7221UZhueWfUg==

</ds:X509Certificate>

</ds:X509Data>

</ds:KeyInfo>

<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>

<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>

<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>

</KeyDescriptor>

<NameIDFormat>

urn:oasis:names:tc:SAML:2.0:nameid-format:persistent

</NameIDFormat>

<AssertionConsumerService index="1" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://lookback.io/_saml/validate/<UID>"/>

</SPSSODescriptor>

</EntityDescriptor>

Field Definitions

NameID (required)

<saml:Subject>
  <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">Your Unique Identifier</saml:NameID>
</saml:Subject>

email (required)

<saml:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
  <saml:AttributeValue xsi:type="xs:anyType">testuser@youremail.com</saml:AttributeValue>
</saml:Attribute>

fullname (optional)

<saml:Attribute Name="fullname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
  <saml:AttributeValue xsi:type="xs:anyType">Full name</saml:AttributeValue>
</saml:Attribute>

Our Public Key

…or if you require it DER encoded as a binary:

Download DER encoded public key

2. Limitations for user accounts once SAML is enabled

Any user that logs in to your organization using SAML will be prompted to leave any other organization they are part of, and they will not be able to join any other organization in the future. From then on they will only be able to login using SAML (i.e. the password will stop working if they had an existing user account).
Users who are not registered with your Identity Provider will not be able to access your Lookback organization (i.e. if you have a Lookback account with a password login you cannot access an organization with SAML enabled without converting your account to use SAML only).
Once SSO/SAML is enabled for your Lookback organization, it cannot be disabled later due to the way user accounts are stored in the system. In other words, it is a one-way street.

If you have outside stakeholders that you wish to invite to your organization, make sure:

it's safe to add them to your Identity Provider
that these users' email addresses are not tied to existing Lookback user accounts with access other Lookback organizations.

3. Logging In using SSO

Lookback currently supports SAML 2.0 with a Service Provider initiated Redirect-POST flow. This means that once you have enabled/configured SAML for your Lookback organization, you log in to your Lookback account one of 2 ways (Note: You cannot start the log in process via your Identity Provider service (IdP)):

By using your organization's specific URL, with this format: https://lookback.io/org/[org-name]/projects. This org-name or "Organization Identifier" is seen in the URL when you're on the main dashboard of Lookback:
By going to the Lookback homepage (www.lookback.com) > clicking "Sign In" at the top right, then clicking on "Use Single Sign-On" and then entering your "Organization Identifier" (the [org-name] from the URL)