SSO (Single Sign-On) is technology that allows you to use your own authentication servers to authenticate user accounts on lookback.io. This way, you can centrally manage onboarding and off-boarding of people in your own LDAP or similar directory.

  • SAML (the only SSO standard supported on Lookback.io) is only available for customers subscribing to our Enterprise plan.

  • To enable SAML (once you have upgraded to Enterprise), navigate to the top-right menu > Organization Settings, and follow the instructions in the section "Single Sign-On".

  • Lookback currently supports SAML 2.0 with a Service Provider-initiated Redirect-POST flow. This means that once you have enabled and configured SAML for your Lookback organization, you log in to your Lookback account via your organization's specific URL, which has this format: https://lookback.io/org/[org-name]/projects. You cannot start the login process from your Identity Provider (IdP).

  • To configure SAML to work with Lookback on your end, see our field definitions and public key below.

You can contact us at help@lookback.io if you have additional questions, but please note that we can only help with Lookback specific SAML questions; we cannot answer technical questions regarding the SAML specification itself.


Limitations for user accounts once SAML is enabled

  • Any user who logs in to your organization using SAML will be prompted to leave any other organization they are part of, and they will not be able to join any other organization in the future. From then on they will only be able to log in using SAML (i.e. the password will stop working if they had an existing user account).

  • Users who are not registered with your Identity Provider will not be able to access your Lookback organization (i.e. if you have a Lookback account with a password login, you cannot access an organization with SAML enabled without converting your account to use SAML only).

If you have outside stakeholders that you wish to invite to your organization, make sure:

  • it is safe to add them to your Identity Provider

  • these users' email addresses are not tied to existing Lookback user accounts with access to other Lookback organizations.

Settings

Required

In the Lookback organization settings, there are four required fields that you need to fill in:

  • SAML Validation URL: Your Identity Provider (IdP) should send the SAML response to this URL.

  • SAML SSO URL: The SAML 2.0 endpoint that our servers should redirect to in order to authenticate the request.

  • Identity Provider Issuer: An identifier/name for your Identity Provider (IdP), usually a URL like https://yourdomain.com.

  • Public Certificate: Your IdP's public certificate.

Optional

If you have more advanced requirements, we offer a few optional settings too.

  • Sign AuthnRequest: If you require us to sign the SAML request, we will do that using the key pair whose public key is published below. You can specify the algorithm you'd like us to sign it with. We support rsa-sha1, rsa-sha256, and rsa-sha512.

  • Encrypted Assertion: Should you wish to encrypt the assertion, you may also use the certificate below.

  • Your IdP may sign the SAML response or the Assertion using rsa-sha1, rsa-sha256, or rsa-sha512. (You don't have to specify this in the Lookback settings.)

Metadata

You can find a link to view the SAML Metadata in your team's SSO settings.

This is an example metadata document:

<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://lookback.io" ID="https___lookback_io">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate><!-- certificate omitted --></ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
    </KeyDescriptor>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
    <AssertionConsumerService index="1" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://lookback.io/_saml/validate/<UID>"/>
  </SPSSODescriptor>
</EntityDescriptor>

Field Definitions

NameID (required)

<saml:Subject>
  <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">Your Unique Identifier</saml:NameID>
</saml:Subject>

email (required)

<saml:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
  <saml:AttributeValue xsi:type="xs:anyType">testuser@youremail.com</saml:AttributeValue>
</saml:Attribute>

fullname (optional)

<saml:Attribute Name="fullname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
  <saml:AttributeValue xsi:type="xs:anyType">Full name</saml:AttributeValue>
</saml:Attribute>
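As an added example (not Lookback's own code), a small Python checker that an IdP administrator can run against a test assertion before switching SSO on: it verifies the NameID format, the required email attribute and the optional fullname attribute described above, and that any XML signature present uses one of the three algorithms listed under Optional settings. The sample assertion is constructed for this example; its Signature element is a structural stub with no real digest or signature value.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
# XML-DSig identifiers for the three algorithms the settings page lists (rsa-sha1, rsa-sha256, rsa-sha512).
ALLOWED_SIG = {"http://www.w3.org/2000/09/xmldsig#rsa-sha1",
               "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
               "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"}

def check_assertion(xml_text):
    """Return a list of problems; an empty list means the assertion matches the field definitions."""
    root = ET.fromstring(xml_text)
    problems = []
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("NameID missing or empty")
    elif name_id.get("Format") != PERSISTENT:
        problems.append("NameID Format is %r, expected persistent" % name_id.get("Format"))
    attrs = {a.get("Name"): a for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)}
    for name, required in (("email", True), ("fullname", False)):
        attr = attrs.get(name)
        if attr is None:
            if required:
                problems.append("required attribute %r missing" % name)
            continue
        if attr.get("NameFormat") != UNSPECIFIED:
            problems.append("attribute %r NameFormat should be attrname-format:unspecified" % name)
        value = attr.findtext("saml:AttributeValue", default="", namespaces=NS).strip()
        if not value or (name == "email" and "@" not in value):
            problems.append("attribute %r has no usable value" % name)
    # The signature is optional in this check, but if present its algorithm must be one Lookback accepts.
    sig = root.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    if sig is not None and sig.get("Algorithm") not in ALLOWED_SIG:
        problems.append("unsupported SignatureMethod %r" % sig.get("Algorithm"))
    return problems

# Constructed sample assertion (not a real IdP response); the Signature element is a structural stub.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/></ds:SignedInfo></ds:Signature>
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">user-4711</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml:AttributeValue xsi:type="xs:anyType">testuser@youremail.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
```

Call check_assertion() on the decoded Assertion element of a real test response from your IdP; an empty list means the NameID and attributes are shaped the way Lookback expects.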

Our Public Key


…or, if you require it, DER-encoded as a binary:
