SAML SSO lets your users log in to PipesHub using your organization’s existing Identity Provider (IdP) — such as Okta, Azure AD, OneLogin, or Google Workspace — without needing a separate password.
SAML configuration requires admin access to both PipesHub and your Identity Provider.

Configuring SAML SSO

Step 1 — Register PipesHub in Your Identity Provider

Before configuring SAML in PipesHub, you need to add PipesHub as an application in your IdP.
  1. Log in to your IdP’s admin console (e.g. Okta, Azure AD, OneLogin, Google Workspace)
  2. Create a new SAML application (often called “Add Application” or “Create App Integration”)
  3. Set the Single Sign-On URL (ACS URL) — copy this value from the PipesHub SAML configuration panel
  4. Set the Audience (Entity ID) — copy this from the PipesHub configuration panel as well
  5. Configure attribute mappings to include the user’s email address in the SAML response
  6. Save the application and note the following — you’ll need them in Step 3:
    • SSO Entry Point URL (your IdP’s login URL)
    • X.509 Certificate (your IdP’s signing certificate)
    • IdP Metadata XML (optional — can be uploaded to auto-fill the fields above)
Example: Setting up in Okta
[Figure: SAML ACS URL configuration in Okta]
Example: Setting up in OneLogin
[Figure: SAML ACS URL configuration in OneLogin]
[Figure: SAML credentials in OneLogin]

Step 2 — Find Your Email Attribute Key

Your IdP includes the user’s email in the SAML response, but different providers use different attribute names for it. You need to enter the correct name in PipesHub so it can identify your users.
Option A: Check your IdP settings
  1. Log in to your IdP admin console
  2. Open the SAML app you created and go to Attribute Mapping or Claims
  3. Note the attribute name used for the user’s email
Option B: Inspect a live SAML response
  1. Install SAML Tracer (Chrome/Firefox extension)
  2. Perform a test login and capture the SAML response
  3. Look for the attribute containing the email address
Common email attribute names by provider:
| Identity Provider | Email Attribute Name |
| --- | --- |
| Okta | NameID |
| Google Workspace | email |
| OneLogin | NameID / User.Email |
| Custom IdP | Check your IdP settings |
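
One way to carry out Option B offline, as an added example that is not PipesHub code: decode a captured response and list which fields actually carry an email address. It assumes the value is the base64 `SAMLResponse` form field posted to the ACS URL (HTTP-POST binding); the sample response and the function name are constructed for illustration.

```python
import base64
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample: a minimal, unsigned SAML response (not from a real IdP).
# NameID here is an opaque persistent ID, so the email lives in an attribute.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">a1b2c3</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="User.Email">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="displayName">
        <saml:AttributeValue>Alice Example</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()


def email_attribute_candidates(saml_response_b64):
    """Return the field names (NameID or Attribute Name) whose value looks like an email.

    Inspection only: this does not verify the response signature.
    """
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    found = []
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is not None and EMAIL_RE.match((name_id.text or "").strip()):
        found.append("NameID")
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        if any(EMAIL_RE.match(v) for v in values):
            found.append(attr.get("Name"))
    return found


if __name__ == "__main__":
    print(email_attribute_candidates(SAMPLE_B64))
```

If `NameID` is not in the result, your IdP is sending an opaque identifier there and the Email Attribute Key must be one of the attribute names returned instead.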

Step 3 — Configure SAML SSO in PipesHub

  1. Go to Workspace → Authentication
Only workspace admins can access Authentication Settings.
  2. Find the SAML SSO row and click the gear icon to open the configuration panel
[Figure: SAML SSO configuration panel]
  3. Fill in the configuration fields:

| Field | Required | Description |
| --- | --- | --- |
| ACS URL | | Auto-generated. Copy this into your IdP when setting up the application. |
| IdP Metadata XML | No | Upload your IdP’s metadata file to auto-fill the fields below. |
| SSO Entry Point | Yes | Your IdP’s login URL (copied from Step 1). |
| X.509 Certificate | Yes | Your IdP’s signing certificate (copied from Step 1). |
| Email Attribute Key | Yes | The attribute name for the user’s email (from Step 2). |
| Entity ID | No | Your Service Provider entity ID (optional). |
| Logout URL | No | Your IdP’s logout URL (optional). |
| Provider Name | No | A label like “Okta” or “Azure AD”. If set, the login button shows “Continue with [Provider Name]”. |
| Just-in-Time Provisioning | No | When enabled (default), users who exist in your IdP but not in PipesHub are automatically created on their first login. |

The Save button stays disabled until all three required fields are filled in.
  4. Click Save
  5. Click Edit on the Authentication Settings page, toggle SAML SSO on, and click Save to activate it
Only one authentication method can be active at a time. Turn off any currently active method before enabling SAML SSO.

Logging In with SAML SSO

Once SAML SSO is enabled, users can log in as follows:
  1. Go to the PipesHub login page
  2. Click Sign in with SSO (or Continue with [Provider Name] if a provider name was configured)
  3. You’ll be redirected to your organization’s IdP login page
  4. Enter your corporate credentials
  5. You’ll be automatically redirected back to PipesHub and logged in

Troubleshooting

| Issue | What to Do |
| --- | --- |
| SSO button is not visible on the login page | Check that SAML SSO is enabled in Workspace → Authentication |
| Login fails after entering IdP credentials | Verify the SSO Entry Point URL and X.509 Certificate are correct in the configuration panel |
| “JIT Disabled” error on first login | Ask your admin to enable Just-in-Time Provisioning, or have your admin create your account in PipesHub manually |
| Login redirects back to login page with an error | Ensure the Email Attribute Key matches the attribute name your IdP uses for email |