Skip to main content

Search

Single Sign-On (SSO) Authentication

a31548 a722e2

Multi-Factor Authentication (MFA) is enforced for all users with elevated access, including both predefind and custom roles. For other driver or user accounts, you can set up Single Sign-On (SSO) to use a single identity provider (IdP) to manage access to Samsara resources. With SSO, users can log in using their corporate credentials without needing to remember separate passwords for Samsara.

Because IT administrators manage sensitive login information through one IdP system, using SSO reduces the security risk footprint. Samsara supports federated identity through Google Authentication or third-party SSO providers such as Okta or Microsoft Entra.

To set up SSO, create a configuration for drivers and administrators using metadata from Samsara and your IdP. If you plan to use SSO for both audiences, set up a separate SAML application for each.

Note

Periodically, you will need to renew the x.509 certificate. To prevent access disruption due to an expired certificate, it is recommended to generate and replace the certificate before it expires. For more information, see Renew an x.509 Certificate.

Set up SSO for Drivers

If you want your drivers to use SSO to log in to the Samsara Driver App, set up a separate SAML application in your IdP using the following workflow:

  1. Verify your domain for secure SSO authentication.

    You must complete domain verification before enabling SSO. Only users with verified domains will be able to access the organization.

  2. Select the Settings icon (gear icon) at the bottom of your Fleet menu to view dashboard settings.

  3. In Organization, select Single Sign-On.

  4. In the Single Sign-On (SSO) for Driver Login section, click Add.

  5. Click Copy next to the Samsara metadata URL and share it with your IdP administrator.

    If your IdP doesn’t accept the metadata URL, expand the details to retrieve the Service Provider Entity ID, Post-back/ACS URL, and SAML Attribute for the driver’s username and to define the SSO configuration in your IdP.

    • Name: driver_username

    • Namespace: https://cloud.samsara.com/saml/attributes

    • Source attribute

    This information can also be used to define the SSO configuration with your IdP.

  6. Provide either the metadata URL or upload a metadata file from your IdP.

  7. Save your changes when finished.

Set up SSO for Samsara Administrators

If you want your administrators to use SSO to log in to the Samsara dashboard, set up a separate SAML application in your IdP using the following workflow:

  1. Verify your domain for secure SSO authentication.

    You must complete domain verification before enabling SSO. Only users with verified domains will be able to access the organization.

  2. Select the Settings icon (gear icon) at the bottom of your Fleet menu to view dashboard settings.

  3. In Organization, select Single Sign-On.

  4. In the Single Sign-On (SSO) for User Login section, click Add.

  5. Click Copy next to the Samsara metadata URL to record the URL for use by your identity provider. Send that URL to the administrator for your IdP.

    If your IdP doesn’t accept the metadata URL, you can expand the details to retrieve the Service Provider Entity ID, Post-back/ACS URL, and SAML Attributes for user identification and to define the SSO configuration in your IdP.

  6. Retrieve the metadata from the IdP.

    You can provide either a metadata URL or you can update a metadata file provided by the IdP.

  7. Save your changes when finished.

Set the Authentication Type for Users

If your organization has users currently using basic authentication, you must also convert the account type to enable these users to use SSO. You can choose two methods for this conversion: using the direct URL (described later in this document), or an API method where admins update user authentication types programmatically.

Convert existing users who log in using basic authentication to use SSO using one of the following methods:

  • Direct login. Have users log in to the IdP or use the direct SSO URL from Samsara.

    • https://cloud.samsara.com/signin/<orgid>

    • https://cloud.eu.samsara.com/signin/<orgid>

    Where <orgid> is the unique ID for your organization. This login will convert a user's authentication method from basic authentication to single sign-on.

    After the user logs in, the account is automatically converted to use SSO for future authentication attempts.

  • Samsara API. Use the Samsara API to update the user authentication type from Basic to SAML. Refer to the API documentation for the required endpoint and parameters.

Choose the method that best fits your organizational workflow to ensure a seamless transition to SSO for all users.

Integrate Microsoft Entra as your IdP

Samsara supports integration with Microsoft Entra (formerly known as Azure). For detailed instructions on creating a SAML integration, see Tutorial: Microsoft Entra single sign-on (SSO) integration with Samsara.

Before you configure authentication, make sure you have access to both the Samsara dashboard and the Microsoft Entra Admin Center. Use the following workflow to set up SSO with Microsoft Entra:

  1. Verify your domain for secure SSO authentication.

    You must complete domain verification before enabling SSO. Only users with verified domains will be able to access the organization.

  2. In Samsara, create a separate SSO configuration for administrators, drivers, or both:

  3. In Microsoft Entra, set up a new SAML application for Samsara.

    1. Navigate to Identity > Application > Enterprise applications.

    2. Select + New application.

    3. + Create your own application.

      1. Enter the name of application Samsara.

      2. Select Integrate any other application you don't find in the gallery (Non-gallery).

      3. Create the app.

    4. Assign users and groups.

      1. Click + Add user/group.

      2. Under Users, click None Selected.

      3. Select the users you want to add, and then click Select.

      4. Click Assign.

    5. Configure SAML.

      1. In the side navigation, select Overview.

      2. Select Get Started in the Set up single sign on box.

      3. Click SAML.

      4. Select Edit in the Basic SAML Configuration to add the SAML fields provided by your Samsara Admin.

        Copy the link from Service Provider Entity ID into the Identifier (Entity ID) field.

        Copy the link from Post-back/ACS URL to the Reply URL (Assertion Consumer Service URL) field.

      5. Save your changes.

    6. Add claims for the required Samsara user attributes.

      sso-entra-idp-manage-claim.png

      To assert certain properties or characteristics of the user during the authentication process, you must define claims for both the user’s email and name. If you also want to assign a role or tags during login, define additional claims for those values:

      1. Select Edit in the Attributes & Claims section.

      2. Click Add a new claim.

      3. To define the claim, select Edit in the Attributes & Claims section and Add a new claim for each of the Samsara user attributes.

        • Name attribute: We recommend you configure the Source attribute for name to the value that you would like to be mapped to Samsara's name. For example, you can use user.displayname as your source attribute.

        • Email attribute: We recommend you configure the Source attribute for email to the value that you would like to be mapped to Samsara's name. For example, you can use user.mail as your source attribute.

      4. (Optional) To assign roles or tags during login, define additional claims in Microsoft Entra and map them to the correct values using claim conditions. Use the following workflow to configure claim behavior:

        1. In the User Attributes & Claims section, add the following claims:

          • https://cloud.samsara.com/saml/attributes/role_name

          • https://cloud.samsara.com/saml/attributes/role_tags

        2. For each role_name and role_tags claim:

          1. Set User type to Members.

          2. Click Select groups and choose the group or groups to apply the claim to.

            To simplify configuration and future maintenance, we recommend using a consistent naming convention for group names.

          3. Set Source to Attribute.

          4. Enter the role or tag name in the Value field.

            Quotation marks are added automatically.

          5. Click Save to finish creating the claim.

      5. Click Save to apply the full SAML configuration.

  4. To complete the connection between Microsoft Entra and Samsara, upload the IdP metadata to the appropriate SSO configuration in the Samsara dashboard:

    1. In Microsoft Entra, copy the App Federation Metadata URL or download the metadata XML file.

    2. In the Samsara dashboard, open the relevant SSO configuration (administrator or driver).

    3. Paste the metadata URL or upload the file.

    4. Click Save to apply the changes.

Integrate Okta as your IdP in Samsara

Before you configure authentication, make sure you have access to both the Samsara dashboard and your Okta Admin Console, and then set up SSO with Okta using the following workflow:

  1. Verify your domain for secure SSO authentication.

    You must complete domain verification before enabling SSO. Only users with verified domains will be able to access the organization.

  2. In Samsara, create a separate SSO configuration for administrators, drivers, or both:

  3. For each configuration set up in the prior step, copy the following SSO connection settings for use in Okta:

    • Single sign-on URL: Post-back/ACS URL (Assertion Consumer Service)

    • Audience URI: Service Provider Entity ID

  4. In your Okta Admin Console, create a SAML 2.0 internal app integration using the settings copied from the prior step.

    For full instructions, see the Okta documentation.

    okta-sso-app-settings.png

  5. Configure the following attributes to ensure proper authentication for each user type:

    • For administrators:

      • https://cloud.samsara.com/saml/attributes/email: user.mail

      • https://cloud.samsara.com/saml/attributes/name: user.displayName

        If your IdP doesn’t support a full name field, you can construct one using user.firstName+" "+user.lastName. In some cases, you may need to use regex formatting or Okta Expression Language to properly format the value.

    • For drivers:

      • https://cloud.samsara.com/saml/attributes/driver_username: your driver login identifier field

  6. (Optional) To assign roles or tags during login, define custom attributes in Okta and map them to the correct values. Use the following workflow to configure SAML attribute passing:

    1. Add the following SAML attributes to your Okta app integration:

      These attributes are included in the SAML assertion and used by Samsara to assign roles and tags during login.

      • https://cloud.samsara.com/saml/attributes/role_name: appuser.samsaraRole

      • https://cloud.samsara.com/saml/attributes/role_tags: appuser.samsaraRoleTags

    2. Define the custom attribute in Okta to support appuser.samsaraRole:

      1. From the app’s Sign On tab, click Configure Profile Mapping.

      2. If a modal appears with existing mappings, close it to access the Profile Editor.

      3. In the Profile Editor, click + Add Attribute.

      4. Enter the following values:

        • Data Type: string

        • Display name: Samsara Role

        • Variable name: samsaraRole

        • Enum: Enabled; add the names of the Samsara roles you plan to assign

        • Attribute Required: Yes

        • Scope: Enable User personal

  7. To complete the connection between Okta and Samsara, upload the IdP metadata to the appropriate SSO configuration in the Samsara dashboard:

    1. In Okta, copy the App Federation Metadata URL or download the metadata XML file.

    2. In the Samsara dashboard, open the relevant SSO configuration (administrator or driver).

    3. Paste the metadata URL or upload the file.

    4. Click Save to apply the changes.

Other IdPs

While Samsara officially supports Microsoft Entra and Okta as IdPs, you can also use many other identity providers that support the SAML 2.0 protocol. As other IdPs have not yet been tested, Samsara cannot ensure full compatibility at this time. To test an IdP on your own, create a SAML connection from the Samsara dashboard.

  1. Verify Domains for Secure SSO Authentication.

    You must complete domain verification before enabling SSO. Only users with verified domains will be able to access the organization.

  2. Configure your desired SSO options:

    Samsara recommends that you import the Samsara metadata SAML configuration instead of manual configuration, if you able to do so for your IdP.

  3. Configure SAML attributes.

    Name

    Value

    https://cloud.samsara.com/saml/attributes/email

    User's email

    https://cloud.samsara.com/saml/attributes/name

    User's name

  4. Add the Samsara Admin as a user to the new application.

  5. Exchange the metadata information from Samsara with the IdP to complete the configuration.

Samsara JIT Provisioning

Just-in-Time (JIT) provisioning leverages the SAML protocol to automate user account creation for various web applications. It works by passing user information from an Identity Provider (IdP), such as Okta or Microsoft Entra. When a new user signs in to an authorized application for the first time, such as the Samsara dashboard, the IdP sends the necessary details to the application, automatically creating the user's account—eliminating the need for manual administrator intervention.

Samsara supports JIT provisioning for two types of accounts:

  • Samsara dashboard users: When a new administrator logs in for the first time using Single Sign-On (SSO) through your IdP, the Samsara dashboard automatically provisions an account with the least privileged role—the Maintenance role. This account is granted tag access to the Entire Organization by default. If the administrator requires a different role or specific tag access, it is recommended to add or update the administrator using CSV with the appropriate role and tag access.

  • Drivers: Samsara also supports JIT provisioning for driver SSO. When a driver signs in for the first time using SSO, their account is automatically created in the dashboard. The system maps the driver's username to the value of the driver_username attribute in your IdP, ensuring seamless access without manual provisioning.

When implementing JIT provisioning with SSO, be aware that provisioning may not function as expected if a user's email address is associated with multiple organizations. JIT provisioning typically creates or updates user accounts based on unique email identifiers. If an email is linked to multiple organizations, conflicts may arise, leading to provisioning errors or access issues.

To prevent these issues, ensure that each user's email address is unique within your organization’s domain. If users need access to multiple organizations, consider using distinct email aliases or coordinating with your IdP to manage multi-organization access effectively.

Migrate Your SSO Connection

If you set up SSO using the SAML experience that was available prior to November 20, 2024, you must migrate to the new SSO experience by September 19, 2025 to avoid sign-in disruptions. To learn more, see Migrate Your SSO Connection.

Remove an SSO Configuration

If you need to delete an existing SSO configuration from your Samsara dashboard, please contact Samsara Support for assistance.

Currently, the dashboard does not support self-service deletion of SSO configurations to ensure the security and integrity of your organization's authentication setup. Our support team will guide you through the process to safely remove the SSO configuration, as needed.

Comments

0 comments

Article is closed for comments.

Powered by Zendesk