This guide is intended for Admins setting up SSO SAML with Azure AD.
When you configure Single Sign-on (SSO) with Azure AD, your users will be able to create and sign into their Baserow accounts using Azure AD.
If you are looking for information on setting up SSO with other providers:
Instance-wide admin panel, SSO, Payment by invoice, Signup rules, and Audit logs are features only available for Baserow paid plans. Get in touch with us here if you’re interested in learning more about paid pricing.
Here’s how to set up Azure AD to sign in to your Baserow account.
To set up SSO SAML with Azure AD in Baserow, you need:
To add an enterprise application to your Azure AD tenant, sign in to the Azure Active Directory Admin Center.
In the Azure portal, select Azure Active Directory > Enterprise applications and select New application. Then click + Create your own application.
Enter the display name for your new application, select Integrate any other application you don’t find in the gallery, and then select Create to add the application.
In the left menu of the app’s Overview page, select Single sign-on.
Select SAML as the single sign-on method.
The Set Up Single Sign-On with SAML page will then open.
Go back to Azure and the Set Up Single Sign-On with SAML page.
In the first section titled Basic SAML Configuration, click the Edit button.
Paste the Single Sign on URL you copied from Baserow into the top three fields:
Go back to Baserow and the previously opened Add a new SSO SAML provider modal and now copy the Default Relay State URL.
Go back to Azure and paste the Default Relay State URL from Baserow into the Relay State field in Azure.
Leave the Logout URL empty as Baserow does not yet support single sign out.
Finally, click Save in Azure. Your end result should look something like the following screenshot:
Go to the second section in Azure titled Attributes & Claims, then click the Edit button.
On the new Attributes & Claims page click Add New Claim.
Type ‘user.email’ in the Name field
In the Source attribute dropdown, select user.mail
Click Save
Click Add New Claim again
Type ‘user.first_name’ in the Name field
Select user.givenname from the Source attribute dropdown.
Click Save
The end result of your Attributes & Claims page in Azure should now look something like this:
Click the X close button in the top right of the Attributes & Claims page in Azure to get back to the Set Up Single Sign-On with SAML page.
Next, in the third section titled SAML Certificates, click Download next to Federation Metadata XML.
Open the downloaded XML file in a text editor.
Delete everything from the first <RoleDescriptor all the way up to and including the very last </RoleDescriptor> in the metadata file.
For example, given the following example metadata file:
<ExampleMetaDataHere><SomeOtherData/><RoleDescriptor...>..</RoleDescriptor><RoleDescriptor...>.</RoleDescriptor></ExampleMetaDataHere>
The end result should look like the below, without any RoleDescriptor sections.
<ExampleMetaDataHere><SomeOtherData/></ExampleMetaDataHere>
If you are having trouble with this step, please ask your Baserow sales rep for help.
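The edit described above can also be scripted. The following Python code is an added example, not Baserow's or Microsoft's own: it cuts the RoleDescriptor span out of the file text, then checks that the result is still well-formed XML, contains no RoleDescriptor section, and still carries the signing certificate in IDPSSODescriptor. The function names and the sample metadata are constructed for illustration.

```python
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"

# Constructed sample shaped like a federation metadata file (not real tenant data).
SAMPLE = (
    '<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://idp.example.invalid/">'
    '<RoleDescriptor protocolSupportEnumeration="urn:example:wsfed"><KeyDescriptor use="signing"/></RoleDescriptor>'
    '<RoleDescriptor protocolSupportEnumeration="urn:example:wsfed"></RoleDescriptor>'
    '<IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
    '<KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">'
    '<X509Data><X509Certificate>PLACEHOLDER</X509Certificate></X509Data></KeyInfo></KeyDescriptor>'
    '<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.invalid/saml2"/>'
    '</IDPSSODescriptor></EntityDescriptor>'
)


def strip_role_descriptors(xml_text: str) -> str:
    """Delete from the first <RoleDescriptor through the last </RoleDescriptor>."""
    start = xml_text.find("<RoleDescriptor")
    if start == -1:
        return xml_text  # nothing to remove
    close = "</RoleDescriptor>"
    end = xml_text.rfind(close)
    if end < start:
        raise ValueError("opening <RoleDescriptor without a closing tag")
    return xml_text[:start] + xml_text[end + len(close):]


def check_edited_metadata(xml_text: str) -> int:
    """Parse the edited file; return the number of IdP signing certificates left."""
    root = ET.fromstring(xml_text)  # raises ParseError if the cut broke the XML
    if root.find(f".//{MD}RoleDescriptor") is not None:
        raise ValueError("a RoleDescriptor section is still present")
    idp = root.find(f"{MD}IDPSSODescriptor")
    if idp is None:
        raise ValueError("IDPSSODescriptor missing: the cut removed too much")
    certs = idp.findall(f"{MD}KeyDescriptor[@use='signing']//{DS}X509Certificate")
    if not certs:
        raise ValueError("no signing certificate left in IDPSSODescriptor")
    return len(certs)


if __name__ == "__main__":
    edited = strip_role_descriptors(SAMPLE)
    print(check_edited_metadata(edited), "signing certificate(s) kept")
```

To use it on a real download, read the file into a string, pass it through both functions, and write the stripped text back out before pasting it into Baserow.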
Go back to Baserow and the previously opened Add a new SSO SAML provider modal. Copy the contents of the edited file, paste them into the metadata box, and click Save.
Go back to Azure and in the left sidebar click User and workspaces.
Click Add user/workspace and on the Add Assignment page that opens select all users and workspaces you wish to be able to login to your Baserow server, then click Assign.
After completing these steps, you should be able to log in with Azure AD by visiting your Baserow server's login page. Your users will now be taken to an Azure AD sign-in flow when they attempt to log into Baserow. After logging in with their Azure AD credentials, they will be redirected to the app.
If you’re looking for something else, please feel free to make recommendations or ask us questions in our online community. We’re ready to assist you!