Skip to main content

How to: Setup SAML Authentication with Read AI

Updated

 

Overview

This document will guide you through the process of acquiring an ACS URL and Entity ID, and configuring your SAML application with Read. By following the outlined steps, you can set up the necessary parameters for the SAML SSO flow in your workspace. Once set up is complete, Read will enable SAML for your workspace. Please note that SAML authentication is only available for Enterprise+ subscribers.

The steps vary slightly depending on whether you're configuring this for your Google Workspace, or if you're using Microsoft Entra, so make sure to follow the correct section below.

This article is about SAML-based authentication specifically, if you're looking for the standard SSO options available on Read's sign in page, see How does single sign-on (SSO) work with Read?

 

Steps for Google Workspace

1. Request an ACS URL and Entity ID from support@read.ai

Send an email to support@read.ai with the subject "GOOGLE SAML REQUEST: <Your company name>", from your Read.ai account affiliated email asking for the ACS url for your workspace. We will reply back with the following information:

  • Entity ID: https://api.read.ai
  • ACS URL: https://api.read.ai/saml/acs?cid={YOUR_CID}

2. Set up your SAML Application

a) Send your SSO URL, Entity ID, and Certificate to support@read.ai.

As you setup your SAML application you should see your identity provider’s SSO URL, Entity ID, and Certificate. Please send these values to support@read.ai.

See below for how this looks with a Google Workspace Identity Provider SAML app. You may provide the IdP metadata as a an .xml filer if you prefer.7ba75ff3-e4a0-44ac-af0c-b2261cb0298e.png

b) Set the Name ID to Primary Email

The Name ID should be set to the primary email. See the following example of a Google Workspace Example:

  • "EMAIL" format with a value of "Basic Information > Primary Email".c31761b4-8a81-4f6a-823f-c5aad1dddc7a.png

c) Set the First and Last Name Attributes

Our SAML configuration expects access to first_name and last_name attributes. See below for how this works with a Google Workspace setup:

  • "Basic Information > First Name" with a mapping to "first_name" (no quotes)

  • "Basic Information > Last Name" with a mapping to "last_name" (no quotes)

988e650b-b3bc-4a67-81bc-b5c294a71594.png

3. Read Support will confirm that the SAML config has been set for your workspace

Read will finalize your workspace's SAML configuration and confirm via email. Once confirmation has been received you will be able to exercise the SAML SSO flow. Google Workspace has a “Test Login“ button that will allow you to login to read.ai and confirm everything is working.

4. [Optional] Have Read disable other login methods

As an optional final step, if you would like to restrict your users to only logging in via SAML, please let us know at support@read.ai and we will configure this for your workspace. If this is enabled, users who try to log in to Read normally will be automatically redirected to your SAML login flow.

 

Steps for Microsoft Entra

1. Request an ACS URL and Entity ID from support@read.ai

Start by sending an email to support@read.ai with the subject "MICROSOFT SAML REQUEST: <Your company name>", from your Read.ai account affiliated email asking for the ACS url for your workspace. We will reply back with the following information:

  • Entity ID: https://api.read.ai

  • ACS URL: https://api.read.ai/saml/acs?cid={YOUR_CID}

2. Create your Enterprise Application

In this step you will set up a new application in Microsoft Entra for Read:

  1. Sign in to the Microsoft Entra admin center as at least a Cloud Application Administrator.

  2. Browse to Identity > Applications > Enterprise applications.

  3. Select New application and then Create your own application.

  4. Add a name for the app. For example, “Read AI SAML”.

  5. Select the Integrate any other application you don't find in the gallery (Non-gallery) option

  6. Finally, select Create.

3. Connect Read to your Enterprise Application

In this step, you will start to configure your application and send some key information back to Read Support:

  1. Navigate to the Enterprise Application you just created and click on Single sign-on in the left hand menu.

  2. Select the SAML option and configure as following.

  3. Add an Entity ID of https://api.read.ai

  4. Add the ACS URL you recieved from support@read.ai. It will look like https://api.read.ai/saml/acs?cid={YOUR_CID}

  5. Ensure the Attributes & Claims are as shown:

    1. Screen Shot 2023-10-30 at 2.58.21 PM-20231030-185826.png
  6. Send your Login URL, Microsoft Entra Identifier, and Certificate (Base64) to support@read.ai
    1. Screen Shot 2023-10-30 at 3.03.33 PM-20231030-190336.png

4. Complete your setup after receiving confirmation from Read Support

Once support@read.ai has received your Login URL, Microsoft Entra Identifier, and Certificate (Base64) a confirmation email will be sent indicating that you can complete the SAML setup.

Please add a user to the app and run a test. Please contact support if any unexpected errors appear.

Screen Shot 2023-10-30 at 3.04.56 PM.png

5. [Optional] Have Read disable other login methods

As an optional final step, if you would like to restrict your users to only logging in via SAML, please let us know at support@read.ai and we will configure this for your workspace. If this is enabled, users who try to log in to Read normally will be automatically redirected to your SAML login flow.

Related articles

Comments

0 comments

Article is closed for comments.

Powered by Zendesk