Security assertion markup language (SAML) is an XML-based data format that makes it easier for your users to log in to their Split account using your organization's identity provider (IdP). With SAML, users can sign in to multiple software applications using the same login details.
Configuring SAML for your Split account lets you and your teammates log in to Split using the credentials stored in your organization's active directory, LDAP, or other identity stores that are configured with a SAML IdP.
Split implements single sign-on via the SAML 2.0 protocol. For more information about configuring specific IdPs, refer to the following guides:
If you are a Split Administrator, you can configure SAML in the Security section of Admin Settings.
- Go to Admin Settings > Security > SAML.
- Add your IdP metadata to the text area.
- Enable/disable SAML strict mode.
- Enable/disable just-in-time user provisioning.
- Click Save.
SAML strict mode
If SAML strict mode is enabled, all non-admin users must use SAML to log in to Split. Any existing Split username/password, or alternatives such as Google OAuth, are not valid. Note that admins retain access to alternatives in case you need to fix issues with SAML.
If you want test your SAML configuration before forcing all users in your organization to log in via your IdP, leave this disabled and enable it at a future date. With strict mode disabled, you can test the SAML configuration before rolling out the change to your entire organization.
You can enable/disable SAML strict mode at any time.
Just-in-time user provisioning
Under most circumstances, users must be invited to Split, even for organizations where SAML is enabled. If a user that has not been invited to Split via your organization's IdP, Split validates the SAML assertion, but the user is redirected to an error page because that user does not exist in Split.
To eliminate the need to create and invite users in advance, enable just-in-time provisioning to use a SAML assertion to create a Split user on the fly the first time a new user tries to log in. Note that new users cannot sign in via Split's login screen until they have accessed Split from your IdP.
If you want to disable your SAML settings, click Disable in the top right of the enabled banner. You can also update your SAML settings and click Save at any time.
When SAML is disabled, members need to sign in to Split with their username and password. If the user was provisioned via just-in-time provisioning, the user can reset their password on the login screen to sign into Split.