Read supports a number of different options for configuring single sign-on using SAML, available only to Enterprise+ subscribers. This page explains the step-by-step process for setting up SAML authentication with Okta. See "How to: Setup SAML Authentication with Read AI" for a list of other supported SAML providers.
1. Request an ACS URL and Entity ID
Start by sending an email to support@read.ai with the subject "OKTA SAML REQUEST: <Your company name>" from the email address affiliated with your Read.ai account, asking for the ACS URL for your workspace. We will reply with the following information:
- Entity ID: https://api.read.ai
2. Set up your SAML App in Okta
a) On the Applications page click “Create App Integration” and select “SAML 2.0”
b) Choose a name for the integration then click “Next”
c) Configure the SAML Setup
Please update the SAML Settings and Attribute Statements as follows. Any field not described below or shown to be updated in the screenshot can be left as the default value.
- The “Single sign-on URL” value is the ACS URL that you received in step one from support@read.ai
- The “Audience URI (SP Entity ID)” is the same for everyone and is “https://api.read.ai” as shown below
- The “Name ID format” needs to be set to “EmailAddress”
- Two Attribute Statements need to be added:
  - “first_name” with a format of “Basic” and a value of “user.firstName”
  - “last_name” with a format of “Basic” and a value of “user.lastName”
d) Complete the Feedback step and Finish Setup
3. Send your Sign On URL, Issuer ID, and Certificate to support@read.ai
Navigate to the “Sign On” tab on the application page you just created and click on “more details” to reveal the following values that should be sent to support@read.ai to complete your SAML setup with Read.
- Sign On URL
- Issuer
- Signing Certificate
4. Read Support will confirm that the SAML config has been set for your workspace
Read will finalize your workspace's SAML configuration and confirm via email. Once confirmation has been received, you will be able to exercise the SAML SSO flow. Be sure to assign a user to the application to enable testing via the user’s application portal.
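When testing, the settings from step 2c can be checked against a decoded SAML Response issued for your own test user. The Python script below is an added example, not code from Read or Okta: the function name, the placeholder ACS URL and the sample XML are constructed for illustration, and it only checks configuration values without verifying the signature or validity times.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
AUDIENCE = "https://api.read.ai"  # Audience URI (SP Entity ID) from step 2c
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
REQUIRED_ATTRS = ("first_name", "last_name")  # Attribute Statements from step 2c

def lint_response(xml_text, acs_url):
    """List mismatches between a decoded SAML Response and the step 2c settings.
    Configuration lint only: it does not verify signatures or validity times."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        return ["DTD or entity declaration present; refusing to parse"]
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("Destination") != acs_url:
        problems.append("Response Destination does not match the ACS URL")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no unencrypted saml:Assertion found"]
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID Format is not emailAddress")
    scd = assertion.find(".//saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url:
        problems.append("SubjectConfirmationData Recipient does not match the ACS URL")
    audiences = [(a.text or "").strip() for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if audiences != [AUDIENCE]:
        problems.append(f"Audience is {audiences}, expected [{AUDIENCE!r}]")
    attrs = {a.get("Name"): (a.findtext("saml:AttributeValue", "", NS) or "").strip()
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    problems += [f"attribute {n!r} missing or empty" for n in REQUIRED_ATTRS
                 if not attrs.get(n)]
    return problems

# Constructed sample: placeholder ACS URL and user, with "lastName" sent
# where the page asks for "last_name".
SAMPLE_ACS = "https://sp.example.invalid/acs"
SAMPLE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" Destination="{SAMPLE_ACS}">
<saml:Assertion><saml:Subject><saml:NameID Format="{EMAIL_FORMAT}">ada@example.com</saml:NameID>
<saml:SubjectConfirmation><saml:SubjectConfirmationData Recipient="{SAMPLE_ACS}"/></saml:SubjectConfirmation>
</saml:Subject><saml:Conditions><saml:AudienceRestriction><saml:Audience>{AUDIENCE}</saml:Audience>
</saml:AudienceRestriction></saml:Conditions><saml:AttributeStatement>
<saml:Attribute Name="first_name"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="lastName"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement></saml:Assertion></samlp:Response>"""

print(lint_response(SAMPLE, SAMPLE_ACS))
```

An empty list means the Response matches the settings listed in step 2c; pass the ACS URL you received in step one as the second argument.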
5. [Optional] Have Read disable other login methods
As an optional final step, if you would like to restrict your users to only logging in via SAML, please let us know at support@read.ai and we will configure this for your workspace. If this is enabled, users who try to log in to Read normally will be automatically redirected to your SAML login flow.