If your workspace has enabled SAML authentication for Read AI, you have access to an additional setting called "Enforce SAML on Verified Domains" in your workspace settings. This is essentially a version of domain capture that works directly with your SAML configuration.
How it works
Enforcing SAML will require that any user in your domain(s) who tries to create an account or sign in to Read AI must be authorized to access Read AI via your SAML configuration. When anyone logs in to Read AI whose email domain is one that you have claimed and verified for your workspace, they will be redirected to your SAML login page.
If they are authorized to log in to Read AI in your SAML app configuration, then Read AI will check if they are a member of your workspace:
- If they are currently a member, they'll be logged in.
- If they are not currently a member, but your workspace has unused licenses, then they will be immediately added to the workspace and logged in.
- If they are not currently a member and your workspace has no unused licenses, they'll receive an error message and be blocked from logging in.
If they are not authorized to log in to Read AI in your SAML app configuration, then they'll receive an error message and be blocked from logging in.
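A dry run of the decision flow above, useful before turning enforcement on to see which users would be blocked. This is an added example, not Read AI code or a Read AI API: the `Workspace` fields, the outcome labels, exact domain matching, and one license consumed per added user are assumptions, and the sample data is constructed.

```python
from dataclasses import dataclass

# Outcome labels are this example's own names for the cases in "How it works".
NOT_CAPTURED = "not_captured"            # domain is not verified: enforcement does not apply
BLOCKED_IDP = "blocked_not_authorized"   # not authorized in the SAML app configuration
LOGGED_IN = "logged_in"                  # already a workspace member
ADDED = "added_and_logged_in"            # added because an unused license was available
BLOCKED_LICENSE = "blocked_no_license"   # not a member and no unused licenses

@dataclass
class Workspace:
    verified_domains: set   # lowercase domains claimed and verified
    members: set            # lowercase emails already in the workspace
    unused_licenses: int

def sign_in(ws, email, idp_assigned):
    """Apply the documented flow to one sign-in; updates ws when a user is added."""
    email = email.strip().lower()
    domain = email.rpartition("@")[2]
    if domain not in ws.verified_domains:     # assumption: exact domain match
        return NOT_CAPTURED
    if email not in idp_assigned:             # idp_assigned: lowercase emails
        return BLOCKED_IDP
    if email in ws.members:
        return LOGGED_IN
    if ws.unused_licenses > 0:
        ws.unused_licenses -= 1               # assumption: adding a user uses one license
        ws.members.add(email)
        return ADDED
    return BLOCKED_LICENSE

def preview(ws, emails, idp_assigned):
    """Simulate sign-ins in order, so earlier additions use up licenses."""
    return {e: sign_in(ws, e, idp_assigned) for e in emails}

def demo():
    # Constructed sample data: one verified domain, one member, one spare license.
    ws = Workspace({"example.com"}, {"ana@example.com"}, 1)
    idp = {"ana@example.com", "bo@example.com", "cy@example.com"}
    emails = ["ana@example.com", "bo@example.com", "cy@example.com",
              "dee@example.com", "eve@other.test"]
    return preview(ws, emails, idp)

if __name__ == "__main__":
    for email, outcome in demo().items():
        print(f"{email:20} {outcome}")
```
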
Prerequisites
In order to enforce SAML authentication, you'll need:
- a Read AI workspace with the Enterprise+ subscription
- a functioning SAML integration - make sure you've tested and confirmed it works
- verified ownership of the domain(s) you want to capture
- someone who is an admin in your Read AI workspace
Step-by-step instructions
- Have an admin go to Workspace Settings and expand the Advanced (Enterprise+ Required) section.
- Make sure you have already added and verified all domains that you want to capture users from (based on their email address).
- Turn on the Enforce SAML on Verified Domains setting.
- Test to confirm that it works - have someone with an email in your verified domain(s) log in to Read AI from the regular sign in page. After signing in with their email and password, or with one of the other SSO options, they should be automatically redirected to your SAML login page.
As always, please reach out to Read AI Support if you need any assistance.