SSO (Single Sign-On) lets you authenticate accounts on the lookback.io service against your own identity provider instead of Lookback passwords. This way, you can centrally manage people being enrolled or off-boarded in your own LDAP directory or similar system.

SSO is only available on our Enterprise plan. Once you have upgraded, navigate to top-right menu > Organization Settings, and follow the instructions in the section "Single Sign-On".

Lookback currently supports SAML 2.0 as its authentication protocol. To configure SAML on your end to work with Lookback, see the field definitions and our public key below.

Please contact us at help@lookback.io if you have further questions, but note that we can only help with Lookback-specific SAML questions; we cannot answer technical questions about the SAML specification itself.

Settings

Required

In the Lookback organization settings, there are four required fields that you need to fill in:

  • SAML Validation URL: Your Identity Provider (IdP) must send the SAML response to this URL (the Assertion Consumer Service URL, in SAML terms).
  • SAML SSO URL: The SAML 2.0 endpoint on your IdP that our servers redirect users to in order to authenticate.
  • Identity Provider Issuer: An identifier/name for your Identity Provider (IdP), usually a URL like https://yourdomain.com. It must match the Issuer value your IdP puts in its responses.
  • Public Certificate: Your IdP's public certificate, used to verify the signatures on the responses your IdP sends us.

Optional

If you have more advanced requirements, we offer a few optional settings too.

  • Sign AuthnRequest: If you require us to sign the SAML request, we will do that using the key whose public half is shown below. You can specify the algorithm you'd like us to sign it with. We support rsa-sha1, rsa-sha256, and rsa-sha512; rsa-sha1 is deprecated for XML signatures, so prefer rsa-sha256 or rsa-sha512 unless your IdP cannot handle them.
  • Encrypted Assertion: Should you wish to encrypt the assertion, encrypt it to the public key below.
  • Your IdP may sign the SAML response or the Assertion using rsa-sha1, rsa-sha256, or rsa-sha512. You don't have to specify which in the Lookback settings; the same recommendation to avoid rsa-sha1 applies.

Metadata

You can find a link to view Lookback's SAML Metadata (the service-provider metadata your IdP can import) in your team's SSO settings.

Field Definitions

NameID (required)

<saml:Subject>
  <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">Your Unique Identifier</saml:NameID>
</saml:Subject>

email (required)

<saml:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
  <saml:AttributeValue xsi:type="xs:anyType">testuser@youremail.com</saml:AttributeValue>
</saml:Attribute>

fullname (optional)

<saml:Attribute Name="fullname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
  <saml:AttributeValue xsi:type="xs:anyType">Full name</saml:AttributeValue>
</saml:Attribute>
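The following is an added example, not Lookback's own code, showing how the contract in the field definitions above can be checked on a received assertion: a persistent-format NameID, a required email attribute and an optional fullname attribute. It assumes the SAML response has already been signature-verified by a proper SAML library; the sample assertion is constructed for this example, with the NameID value a1b2c3d4e5 and the Issuer https://yourdomain.com chosen arbitrarily.

```python
"""Extract the subject and attributes Lookback expects from a SAML 2.0 assertion.

Added example, not part of Lookback's documentation or code. Only the payload
contract is checked here; XML signature verification must happen before this.
"""
import xml.etree.ElementTree as ET
from typing import Optional

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

REQUIRED_ATTRS = ("email",)
OPTIONAL_ATTRS = ("fullname",)

# Constructed sample assertion (not a real response); attribute values are
# the placeholders used in the field definitions above.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    ID="_constructed-example" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://yourdomain.com</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">a1b2c3d4e5</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml:AttributeValue xsi:type="xs:anyType">testuser@youremail.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="fullname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml:AttributeValue xsi:type="xs:anyType">Full name</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


class AssertionContractError(ValueError):
    """The assertion does not carry the fields Lookback requires."""


def extract_user(assertion_xml: str) -> dict:
    """Return {'name_id', 'email'[, 'fullname']} or raise AssertionContractError."""
    root = ET.fromstring(assertion_xml)
    # Accept either a bare <saml:Assertion> or a wrapping <samlp:Response>.
    assertion = root if root.tag == f"{{{SAML_NS}}}Assertion" else root.find("saml:Assertion", NS)
    if assertion is None:
        raise AssertionContractError("no saml:Assertion element")

    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise AssertionContractError("missing or empty saml:NameID")
    fmt = name_id.get("Format")
    if fmt != PERSISTENT:
        raise AssertionContractError(f"NameID Format must be persistent, got {fmt!r}")

    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name")
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS)
                  if v.text and v.text.strip()]
        if name and values:
            attrs[name] = values[0]  # Lookback's fields are single-valued

    missing = [a for a in REQUIRED_ATTRS if a not in attrs]
    if missing:
        raise AssertionContractError(f"missing required attribute(s): {missing}")

    user = {"name_id": name_id.text.strip(), "email": attrs["email"]}
    for a in OPTIONAL_ATTRS:
        if a in attrs:
            user[a] = attrs[a]
    return user


def describe_problem(assertion_xml: str) -> Optional[str]:
    """Return None when the assertion satisfies the contract, else the reason."""
    try:
        extract_user(assertion_xml)
    except (AssertionContractError, ET.ParseError) as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print(extract_user(SAMPLE_ASSERTION))
    print(describe_problem(SAMPLE_ASSERTION.replace('Name="email"', 'Name="mail"')))
```

Running the block prints the extracted user for the sample and then the reason a copy with the email attribute renamed is rejected. The NameID is treated as the stable account key and the email as a required but separate attribute, which is why a NameID in emailAddress format is refused rather than silently used as the email.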

Our Public Key

-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAmUGYmM+GC21BwgrD8Rg+
D3qsVLhhjxalhpJzqHNlIgBxW6pN/jx86yLsgGXPico2DmNHowTMJ4m8ULixQZg/
gakNVxcQAJ0pRw3zjTgSt0Iz9oAhGutmMmyjLBFOteeRcEWZbvtJ1eKpOn3LkIzp
waFzf1JRszxk6008nLv8KzuHOu6VK1O7GqeTc5+Drdz9CNFkf+iSAXmySeKhChAK
rGLhrX+vFlPcx/ogwxo208oLnmUa/eT71XQXfaSRr2r2mc2hOofjz4gQ1PK/GJzA
NSWe0WHFBrtSM0Jci4hszK84sphwShPT56F2igYAvurid4suOXW7FNR1DFfCxO+R
XF+kwS+4EjsacBxqh/Ztc1jPLae+9lslK/l9pWrzy8wrxFiRfN4c3MHh95MNxVdY
+RfCfrneFSLLgDQdLfQUExilprOxAHPkOEC7+qF/yilwe0ftP4wjlYpLPXRPyFJi
foaOm5/r8U8gx7FxMfbHjJtxSJpaok/1x9yi0FBe9ek/LEtpjohrT9DmjWWzp5g7
mI2lRSGlSCvZMkv3uD3HLeh/l5FhUEuHgxNsHk4aUZMOHSOlQhEBpn9Wx2hD1i8N
69GZERzkOSJsVB+dnvhq7AiWGWQwAi9s8diVyNLerdlYmLQfWr7dFy/uTtbc8PwU
NvsIBXH3u8ll1fuLIhKrVIsCAwEAAQ==
-----END PUBLIC KEY-----

…or if you require it DER encoded as a binary:
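As an added example (not Lookback's code or download), the following standard-library script produces the DER form of the PEM key above and sanity-checks it before you paste it into your IdP: the DER encoding of a PEM block is simply its base64 body decoded, and a minimal ASN.1 walk over the SubjectPublicKeyInfo confirms it is an RSA key and reports its size, public exponent and SHA-256 fingerprint. The output file name lookback_public_key.der is an arbitrary choice.

```python
"""Convert the PEM public key published above to DER and inspect it.

Added example, not part of Lookback's documentation. Standard library only.
"""
import base64
import hashlib
import re

# The PEM block exactly as published on this page.
LOOKBACK_PUBLIC_KEY_PEM = """-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAmUGYmM+GC21BwgrD8Rg+
D3qsVLhhjxalhpJzqHNlIgBxW6pN/jx86yLsgGXPico2DmNHowTMJ4m8ULixQZg/
gakNVxcQAJ0pRw3zjTgSt0Iz9oAhGutmMmyjLBFOteeRcEWZbvtJ1eKpOn3LkIzp
waFzf1JRszxk6008nLv8KzuHOu6VK1O7GqeTc5+Drdz9CNFkf+iSAXmySeKhChAK
rGLhrX+vFlPcx/ogwxo208oLnmUa/eT71XQXfaSRr2r2mc2hOofjz4gQ1PK/GJzA
NSWe0WHFBrtSM0Jci4hszK84sphwShPT56F2igYAvurid4suOXW7FNR1DFfCxO+R
XF+kwS+4EjsacBxqh/Ztc1jPLae+9lslK/l9pWrzy8wrxFiRfN4c3MHh95MNxVdY
+RfCfrneFSLLgDQdLfQUExilprOxAHPkOEC7+qF/yilwe0ftP4wjlYpLPXRPyFJi
foaOm5/r8U8gx7FxMfbHjJtxSJpaok/1x9yi0FBe9ek/LEtpjohrT9DmjWWzp5g7
mI2lRSGlSCvZMkv3uD3HLeh/l5FhUEuHgxNsHk4aUZMOHSOlQhEBpn9Wx2hD1i8N
69GZERzkOSJsVB+dnvhq7AiWGWQwAi9s8diVyNLerdlYmLQfWr7dFy/uTtbc8PwU
NvsIBXH3u8ll1fuLIhKrVIsCAwEAAQ==
-----END PUBLIC KEY-----"""

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the body; the result is the DER encoding."""
    m = re.search(r"-----BEGIN PUBLIC KEY-----(.*?)-----END PUBLIC KEY-----", pem, re.S)
    if not m:
        raise ValueError("not a PEM PUBLIC KEY block")
    return base64.b64decode("".join(m.group(1).split()), validate=True)


def _read_tlv(buf: bytes, pos: int):
    """Parse one DER tag-length-value starting at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def inspect_rsa_spki(der: bytes) -> dict:
    """Walk SubjectPublicKeyInfo ::= SEQUENCE { AlgorithmIdentifier, BIT STRING }."""
    tag, spki, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected outer SEQUENCE")
    tag, alg, pos = _read_tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("expected AlgorithmIdentifier SEQUENCE")
    oid_tag, oid, _ = _read_tlv(alg, 0)
    if oid_tag != 0x06 or oid != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bitstr, _ = _read_tlv(spki, pos)
    if tag != 0x03 or bitstr[0] != 0:
        raise ValueError("expected BIT STRING with no unused bits")
    # RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }
    tag, rsa, _ = _read_tlv(bitstr, 1)
    if tag != 0x30:
        raise ValueError("expected RSAPublicKey SEQUENCE")
    n_tag, n_bytes, pos = _read_tlv(rsa, 0)
    e_tag, e_bytes, _ = _read_tlv(rsa, pos)
    if n_tag != 0x02 or e_tag != 0x02:
        raise ValueError("expected two INTEGERs in RSAPublicKey")
    return {
        "key_bits": int.from_bytes(n_bytes, "big").bit_length(),
        "exponent": int.from_bytes(e_bytes, "big"),
        "sha256_fingerprint": hashlib.sha256(der).hexdigest(),
    }


if __name__ == "__main__":
    der = pem_to_der(LOOKBACK_PUBLIC_KEY_PEM)
    info = inspect_rsa_spki(der)
    print(f"DER: {len(der)} bytes, RSA-{info['key_bits']}, e={info['exponent']}")
    print("SHA-256 of DER:", info["sha256_fingerprint"])
    with open("lookback_public_key.der", "wb") as f:  # arbitrary output name
        f.write(der)
```

Compare the printed fingerprint with the one your IdP shows after import; a mismatch means the key was pasted incompletely or with stray characters. The same parser works for any rsaEncryption SubjectPublicKeyInfo, so it can also be used to verify the key size of the IdP certificate's public key once that certificate's SPKI has been extracted.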
