Technical details for getting started with Single Sign-On (SSO)

This guide helps you set up SAML, the SSO standard used by Lookback

Written by Johan Brook
Updated over a week ago

SSO (Single Sign-On) lets you authenticate user accounts on lookback.io against your own identity provider instead of Lookback passwords. That way, on-boarding and off-boarding are managed centrally in your own directory (LDAP or similar): remove a person there and they lose access to Lookback as well.


Available on the following plans

  • Enterprise



Configuring SSO

Please note: SAML is currently the only SSO standard supported on Lookback.io. Specifically, SAML 2.0 with a Service Provider (SP) initiated Redirect-POST flow: Lookback redirects the browser to your IdP carrying an AuthnRequest (HTTP-Redirect binding), and your IdP sends the browser back to Lookback's ACS URL with the SAML Response (HTTP-POST binding).

  • To enable SAML (once you have upgraded to Enterprise), navigate to top-right menu > Organization Settings, and follow the instructions in the section "Single Sign-On". Please note: only the Owner of your Lookback organization can enable SAML/SSO.

  • To configure SAML to work with Lookback on your end, see our field definitions and public key below.

You can contact us at help@lookback.io if you have additional questions, but please note that we can only help with Lookback specific SAML questions; we cannot answer technical questions regarding the SAML specification itself.

✅ Required Settings

In the Lookback organization settings there are four required fields:

  • Assertion Consumer Service (ACS) URL (aka SAML Validation URL): Lookback's ACS URL is listed in the field on the SSO settings page. Configure your Identity Provider (IdP) with this value so it knows where to send the SAML Response (which carries the SAML Assertion). Your IdP must POST the response to exactly this URL.

  • Identity Provider SSO URL (aka SAML SSO URL): The SAML 2.0 endpoint of your IdP that our servers redirect the browser to in order to authenticate the request. The URL may include the name of your organization, your Identity Provider, and/or the word "lookback".

    For example, it may look something like one of the following:

  • Identity Provider Issuer: An identifier/name for your Identity Provider (IdP), usually a URL such as https://yourdomain.com or https://yourcompanyname.okta.com. It must match the Issuer element your IdP puts in its SAML Response.

  • Public Certificate: Your IdP's public (X.509) signing certificate, which Lookback uses to verify the signature on the SAML Response/Assertion.
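The four settings above are exactly what the first leg of the SP-initiated flow needs: the Issuer (Entity ID) and ACS URL go into the AuthnRequest, and the IdP SSO URL is where the browser is redirected. The following Python example, added here and not Lookback's own code, builds such an AuthnRequest and wraps it in the SAML HTTP-Redirect binding (raw DEFLATE, Base64, URL-encode). The `IDP_SSO_URL` value is an assumed placeholder, and `<UID>` in the ACS URL stands for the organization-specific part shown on your SSO settings page.

```python
"""Build a SAML 2.0 AuthnRequest and the HTTP-Redirect URL that carries it to the IdP.

Added example, not Lookback's own code. IDP_SSO_URL is an assumed placeholder;
<UID> in ACS_URL is the organization-specific part from the Lookback SSO settings page.
"""
import base64
import uuid
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse

SP_ENTITY_ID = "https://lookback.io"                      # Audience URI / Entity ID (from the page)
ACS_URL = "https://lookback.io/_saml/validate/<UID>"      # ACS URL; <UID> is per organization
IDP_SSO_URL = "https://yourcompanyname.okta.com/app/lookback/sso/saml"  # assumed IdP SSO URL

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"


def build_authn_request(request_id: str, issue_instant: str) -> str:
    """Return the AuthnRequest XML.

    request_id must be an XML NCName (start it with '_') and must be remembered
    server-side so the Response's InResponseTo can be checked against it.
    """
    ET.register_namespace("samlp", SAMLP)
    ET.register_namespace("saml", SAML)
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": issue_instant,
        "Destination": IDP_SSO_URL,
        "ProtocolBinding": HTTP_POST,             # the Response must come back by HTTP-POST ...
        "AssertionConsumerServiceURL": ACS_URL,   # ... to our ACS URL
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = SP_ENTITY_ID
    ET.SubElement(req, f"{{{SAMLP}}}NameIDPolicy",
                  {"Format": PERSISTENT, "AllowCreate": "true"})
    return ET.tostring(req, encoding="unicode")


def redirect_binding_url(authn_request_xml: str, relay_state: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), Base64, then URL-encode as SAMLRequest."""
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)   # wbits=-15 gives a raw DEFLATE stream
    deflated = deflater.compress(authn_request_xml.encode("utf-8")) + deflater.flush()
    params = {
        "SAMLRequest": base64.b64encode(deflated).decode("ascii"),
        "RelayState": relay_state,   # opaque value echoed back by the IdP, e.g. the page to return to
    }
    return IDP_SSO_URL + "?" + urlencode(params)


def decode_saml_request(redirect_url: str) -> str:
    """Inverse of the binding (what the IdP does on receipt); useful to inspect what was actually sent."""
    query = parse_qs(urlparse(redirect_url).query)
    raw = base64.b64decode(query["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode("utf-8")


def new_request_id() -> str:
    return "_" + uuid.uuid4().hex


def utc_now_instant() -> str:
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


if __name__ == "__main__":
    xml = build_authn_request(new_request_id(), utc_now_instant())
    print(redirect_binding_url(xml, relay_state="/org/your-org/projects"))
```

Running the module prints the URL the browser would be sent to; `decode_saml_request` lets you confirm the IdP will see the Issuer, `Destination` and `AssertionConsumerServiceURL` you intended. If you enable the optional "Sign AuthnRequest" setting, a `Signature`, `SigAlg` and the signature itself are added to the query string, which this unsigned example does not do.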

Optional Settings

If you have more advanced requirements, we offer a few optional settings too.

  • Sign AuthnRequest: If you require us to sign the SAML request, we will sign it with our private key; your IdP verifies that signature with the public key published below. You can specify the algorithm you'd like us to sign it with. We support rsa-sha1, rsa-sha256, and rsa-sha512.

  • Encrypted Assertion: Should you wish to encrypt the assertion you may also use the certificate below.

  • Your IdP may sign the SAML response or the Assertion using rsa-sha1, rsa-sha256, or rsa-sha512. (You don't have to specify this in the Lookback settings.) SHA-1 signatures are deprecated; choose rsa-sha256 or rsa-sha512 wherever your IdP allows it.

  • If your IdP requires an Audience URI/Entity ID that value will be https://lookback.io

Metadata

You can find a link to view the SAML Metadata in your team's SSO settings. 

This is an example metadata document. Note that the KeyDescriptor has no "use" attribute, so the certificate it carries serves both purposes: verifying our signed AuthnRequest and encrypting the assertion to us.

<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://lookback.io" ID="https___lookback_io">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>…</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
    </KeyDescriptor>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
    <AssertionConsumerService index="1" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://lookback.io/_saml/validate/<UID>"/>
  </SPSSODescriptor>
</EntityDescriptor>

Field Definitions

NameID (required): a stable, unique identifier for the user that does not change if their email address or name changes

<saml:Subject>
  <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">Your Unique Identifier</saml:NameID>
</saml:Subject>

email (required)

<saml:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
  <saml:AttributeValue xsi:type="xs:anyType">testuser@youremail.com</saml:AttributeValue>
</saml:Attribute>

fullname (optional)

<saml:Attribute Name="fullname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
  <saml:AttributeValue xsi:type="xs:anyType">Full name</saml:AttributeValue>
</saml:Attribute>
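Putting the field definitions together with the Audience URI (https://lookback.io) and the ACS URL, the following Python example, added here and not Lookback's own code, shows the checks a service provider makes on the Assertion before it trusts the NameID and the email attribute. It assumes the XML signature on the Response/Assertion has already been verified against the IdP's public certificate by an XML-DSig library (not shown). The sample assertion, its IDs and timestamps are constructed for illustration.

```python
"""Validate a SAML assertion against the fields Lookback's field definitions require.

Added example, not Lookback's own code. Assumes the XML-DSig signature was already
verified (not shown). SAMPLE_ASSERTION, its IDs and timestamps are constructed.
"""
from datetime import datetime, timezone
from xml.sax.saxutils import escape
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"

EXPECTED_AUDIENCE = "https://lookback.io"                  # Audience URI / Entity ID from the page
EXPECTED_ACS = "https://lookback.io/_saml/validate/<UID>"  # ACS URL; <UID> is per organization

# Constructed sample assertion (issuer, IDs and times are made up for illustration).
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}" ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://yourcompanyname.okta.com</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="{PERSISTENT}">user-0001</saml:NameID>
    <saml:SubjectConfirmation Method="{BEARER}">
      <saml:SubjectConfirmationData Recipient="{escape(EXPECTED_ACS)}" InResponseTo="_req42" NotOnOrAfter="2024-01-01T12:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>{EXPECTED_AUDIENCE}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="email" NameFormat="{UNSPECIFIED}">
      <saml:AttributeValue>testuser@youremail.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="fullname" NameFormat="{UNSPECIFIED}">
      <saml:AttributeValue>Full name</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _ts(value: str) -> datetime:
    """SAML timestamps are UTC ISO 8601 with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text: str, in_response_to: str, now: datetime) -> dict:
    """Return {name_id, email, fullname} or raise ValueError. Signature check is assumed done."""
    a = ET.fromstring(xml_text)
    if a.tag != f"{{{SAML}}}Assertion":
        raise ValueError("not a SAML 2.0 Assertion")

    # NameID (required): must be present and use the persistent format.
    name_id = a.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != PERSISTENT or not (name_id.text or "").strip():
        raise ValueError("NameID missing or not in persistent format")

    # Bearer confirmation: Recipient must be our ACS URL, InResponseTo must match a
    # request we issued, and the confirmation must not have expired (stops replay to another SP).
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != EXPECTED_ACS:
        raise ValueError("Recipient does not match our ACS URL")
    if scd.get("InResponseTo") != in_response_to:
        raise ValueError("InResponseTo does not match an outstanding AuthnRequest")
    noa = scd.get("NotOnOrAfter")
    if noa is None or now >= _ts(noa):
        raise ValueError("bearer confirmation expired")

    # Conditions: validity window and Audience must include our Entity ID.
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("Conditions missing")
    nb, cnoa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if (nb and now < _ts(nb)) or (cnoa and now >= _ts(cnoa)):
        raise ValueError("assertion outside its validity window")
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if EXPECTED_AUDIENCE not in audiences:
        raise ValueError(f"Audience does not include {EXPECTED_AUDIENCE}")

    # Attributes: email is required, fullname is optional.
    attrs = {}
    for attr in a.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values[0] if values else None
    if not attrs.get("email"):
        raise ValueError("required attribute 'email' missing")
    return {"name_id": name_id.text.strip(), "email": attrs["email"], "fullname": attrs.get("fullname")}


if __name__ == "__main__":
    print(validate_assertion(SAMPLE_ASSERTION, "_req42",
                             datetime(2024, 1, 1, 12, 0, 30, tzinfo=timezone.utc)))
```

The Recipient, InResponseTo and Audience checks are what keep an assertion issued for one service provider (or captured from an earlier login) from being accepted here; the persistent NameID is what lets the account survive an email or name change at the IdP.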

Our Public Key

-----BEGIN PUBLIC KEY-----
…
-----END PUBLIC KEY-----

…or if you require it DER encoded as a binary:


Limitations for user accounts once SAML is enabled

  • Any user who logs in to your organization using SAML will be prompted to leave any other organization they are part of, and they will not be able to join any other organization in the future. From then on they will only be able to log in using SAML (i.e. the password will stop working if they had an existing user account).

  • Users who are not registered with your Identity Provider will not be able to access your Lookback organization (i.e. if you have a Lookback account with a password login you cannot access an organization with SAML enabled without converting your account to use SAML only).

  • Once SSO/SAML is enabled for your Lookback organization, it cannot be disabled later due to the way user accounts are stored in the system. In other words, it is a one-way street.

If you have outside stakeholders that you wish to invite to your organization, make sure:

  • it's safe to add them to your Identity Provider

  • that these users' email addresses are not tied to existing Lookback user accounts with access to other Lookback organizations.


Logging In using SSO

Lookback currently supports SAML 2.0 with a Service Provider initiated Redirect-POST flow. This means that once you have enabled and configured SAML for your Lookback organization, you log in to your Lookback account in one of two ways (Note: you cannot start the login process from your Identity Provider (IdP), since there is no IdP-initiated flow):

  1. By using your organization's specific URL, with this format: https://lookback.io/org/[org-name]/projects. This org-name or "Organization Identifier" is seen in the URL when you're on the main dashboard of Lookback:

  2. By going to the Lookback homepage (www.lookback.com) > clicking "Sign In" at the top right, then clicking on "Use Single Sign-On" and then entering your "Organization Identifier" (the [org-name] from the URL)


Troubleshooting

When I try logging into my Lookback account using SSO, I see an error message, "The email address XXX.XXX@XXX.XXX is already tied to an account associated with at least one other organization. You have to leave that / those organizations, or change the email address of that account."

To proceed with using SSO, the affected user will need to leave the other organisation(s) first. How they proceed will depend on the scenario:

  1. You are a collaborator or observer in another Lookback organisation

    1. Log in to Lookback using your current username and password (not SSO).

    2. Switch to the organisation you want to leave by clicking on the menu at the top right > Switch organisation

    3. Go back to the menu at the top right and click on Members

    4. Click Leave Organization under your name and then confirm

    5. Repeat steps 2 to 4 to leave any other organisations

    6. Log out of Lookback

    7. You should now be able to log in to your company's Lookback organisation using SSO

  2. You are the owner of another organisation (trial, etc), and someone else will be using that subscription

    1. Log in to Lookback using your current username and password (not SSO)

    2. Switch to the organisation that you are the owner of by clicking on the menu at the top right > Switch organisation

    3. Follow the steps here to transfer ownership to someone else in the organisation

    4. Go back to the menu at the top right and click on Members

    5. Click Leave Organization under your name and then confirm

    6. Log out of Lookback

    7. You should now be able to log in to your company's Lookback organisation using SSO

  3. You are the owner of another organisation (trial, etc), but no one else will continue using it

    1. Log in to Lookback using your current username and password (not SSO)

    2. Switch to the organisation that you are the owner of by clicking on the menu at the top right > Switch organisation

    3. Log out of Lookback

    4. You should now be able to log in to your company's Lookback organisation using SSO

If you still have issues, please reach out to support either by using the chat tool in the lower right corner while logged in OR send an email from your registered address to support@lookback.io and we'll be happy to help!
