Please check our corporate site if this feature is available in your subscription plan.
Beekeeper offers SAML-based single-sign on (SSO) which allows users to authenticate through your identity provider (IdP).
You can customise your SSO settings in the admin dashboard by navigating to Settings > General and then scrolling down to section Single Sign-On. There, you can determine which login methods are available for your users, change the text shown on your SSO login button, configure your IdP’s SAML metadata, and choose whether you would like to provision user accounts for new users.
Under ‘Enable Single Sign-On’, you can choose from the following authentication methods for your Beekeeper app:
- Disabled: this disables SSO, and allows only password-based login (using username, email or mobile number, and a Beekeeper password)
- SAML Single Sign-On: this allows only SSO-based login
- SAML Single Sign-On and Password based login: this allows a combination of SSO and password-based login (a useful option if not every user has access to your IdP)
Beekeeper Service Provider details
The details for Beekeeper as a SAML Service Provider are given below.
- ACS URL: https://your_company.beekeeper.io/saml/sso
- Entity ID: https://your_company.beekeeper.io/saml/sso/metadata.xml
- Name ID Format: Persistent
Beekeeper will automatically use the Name-ID from your IdP and set it as the User-ID in Beekeeper.
You can find the metadata for your Beekeeper app as a link in the admin dashboard, under Settings > General > Single Sign-On (the URL is the same as the Entity ID given above).
Mapping user information
You can map additional fields from your IdP into Beekeeper by configuring your SAML claims to any of the following Beekeeper placeholders:
SSO and user synchronisation
One thing to note is that SSO is not user synchronisation. If a user successfully authenticates through SSO but does not yet have a Beekeeper account, one will be provisioned for them, automatically populated with values from the IdP.
You would still need to set up a user synchronisation method to keep your user data up to date. With SSO, user information is only checked upon login, which means that if you delete or suspend a user in your IdP, they will still have access to the app until they log out.
If you want to restrict access to Beekeeper and only allow a certain group of users to log in, you can do so within your IdP configuration.
I can’t see SSO option in admin dashboard: Please contact us by using the link below to submit your request or your Customer Success Manager to have the SSO feature enabled for your Beekeeper app.
I already have a Beekeeper account, but a new one is created when I login with SSO: If you login with SSO and find yourself with a different user profile, it is likely that the Name ID configured from the IdP does not match your Beekeeper User-Id. Update the user IDs of all your existing users to match the Name ID values that will be sent from the IdP before activating SSO.
I'm getting 400: Bad Request errors when syncing. What can I do? If you have previously generated a SAML Signing Certificate and since changed your mappings, it may be out of date and you should regenerate it (particularly if you are using Azure AD). Remember to refresh the metadata configured in the admin dashboard after creating a new certificate.
The Beekeeper User-ID does not reflect the IdP NameID: Please ensure that you have set the Name ID Format of your SAML configuration to "Persistent".