If your Workspace has enabled SAML authentication for Read, you have access to an additional setting called "Enforce SAML on Verified Domains" in your Workspace settings. This is essentially a version of domain capture that works directly with your SAML configuration.
How it works
Enforcing SAML requires that any user in your domain(s) who tries to create an account or sign in to Read be authorized to access Read via your SAML configuration. When anyone whose email domain is one that you have claimed and verified for your Workspace logs in to Read, they will be redirected to your SAML login page.
If they are authorized to log in to Read in your SAML app configuration, then Read will check if they are a member of your Workspace:
- If they are currently a member, they'll be logged in.
- If they are not currently a member, but your Workspace has unused licenses, then they will be immediately added to the Workspace and logged in.
- If they are not currently a member and your Workspace has no unused licenses, they'll receive an error message and be blocked from logging in.
If they are not authorized to log in to Read in your SAML app configuration, then they'll receive an error message and be blocked from logging in.
Prerequisites
In order to enforce SAML authentication, you'll need:
- a Read Workspace with the Enterprise+ subscription
- someone who is an admin in your Read Workspace
- a functioning SAML integration (make sure you've tested it and confirmed it works)
- at least one verified domain (follow all the steps to enable domain capture, except you can skip the last step of turning on the "Enable Domain Capture" setting)
Step-by-step instructions
- Have a Workspace admin go to Manage Workspace > Settings and expand the Advanced (Enterprise+ Required) section.
- Turn on the "Enforce SAML on Verified Domains" setting.
- Test to confirm that it works: have someone with an email in your verified domain(s) log in to Read from the regular sign-in page. After signing in with their email and password, or with one of the other SSO options, they should be automatically redirected to your SAML login page.
As always, please reach out to Read Support if you need any assistance.