Split implements single sign-on (SSO) using the SAML 2.0 protocol. Security assertion markup language (SAML) is an XML-based data format that makes it easier for your users to log in to their Split account using your organization's identity provider (IdP). With SAML, users can sign in to multiple software applications using the same login details.
Configuring SAML for your Split account lets you and your teammates log into Split using the credentials stored in your organization's active directory, LDAP, or other identity stores that are configured with a SAML IdP.
For more information about configuring specific IdPs, refer to the following guides:
If you are a Split Administrator, configure SAML as follows:
- From the left navigation, select the workspace and click Admin Settings.
- Click Security and then the SAML tab.
- Add your IdP metadata to the text area.
- Enable or disable SAML strict mode.
- Enable or disable Just-in-time provisioning.
- Click the Save button.
Update SAML session settings
You can update your SAML session settings by doing the following:
- Click the Session settings tab. The timeout value page opens.
- Select a new timeout value and click Update.
About SAML strict mode
If you enable SAML strict mode, all users must use SAML to log into Split. Any existing Split usernames and passwords, or alternatives such as Google OAuth, are not valid. To test your SAML configuration before forcing all users in your organization to log in using your IdP, leave this disabled before rolling out the change to your organization. You can then enable it in the future.
Note: You can enable or disable SAML strict mode at any time.
About just-in-time user provisioning
Under most circumstances, users must be invited to Split, even for organizations where SAML is enabled. If a user has not been invited to Split using your organization's IdP, Split validates the SAML assertion, but the user is redirected to an error page because that user does not exist in Split.
To eliminate the need of creating and inviting users in advance, enable just-in-time provisioning. This provisioning uses a SAML assertion to create a Split user on the fly the first time a new user attempts to log in. Note that new users cannot sign in using Split's login screen until they access Split from your IdP.
To disable your SAML settings, click Disable in the top right of the enabled banner.
When you disable SAML, members need to sign in to Split with their username and password. If a user is provisioned with just-in-time provisioning, they can reset their password on the login screen to sign into Split.