Single Sign-On (SSO)
Set up SAML-based SSO for the Bytescale Dashboard using your identity provider.
Single Sign-On (SSO) is an Enterprise Plan feature. Please contact support for more information.
Bytescale uses your IdP for authentication only:
All authorization, including account membership, invitations, and roles, is managed in the Bytescale Dashboard.
Any groups assigned by your IdP will be ignored.
Users signing in with @yourdomain.com can continue to be members of multiple accounts, and do not need to be members of the account that owns the IdP configuration for your email domain. In all cases, any user signing in with @yourdomain.com will be required to sign-in using your IdP before they can access any of the accounts they are a member of.
Signing in with @yourdomain.com does not automatically grant account membership to the account that owns the IdP configuration. Users must be explicitly invited via Security → Team Members, even if they successfully authenticate with the IdP configured in your account.
You will need admin access to your IdP and the ability to create new DNS TXT records for the email domain(s) you want to route through SSO.
Bytescale requires these SAML attributes:
- http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email
- http://schemas.xmlsoap.org/ws/2005/05/identity/claims/firstName
- http://schemas.xmlsoap.org/ws/2005/05/identity/claims/lastName
Set the SAML Name ID Format to Unspecified.
Set the SAML Name ID to an immutable value (ideally a user ID from your IdP).
If using a user ID isn’t possible, you may use the user’s email address instead—but be aware that if the email address changes, Bytescale will treat the user as a new user, and you will need to re-invite them to your Bytescale Account.
Open the Bytescale Dashboard SSO page: https://www.bytescale.com/dashboard/security/sso
Click "Add Identity Provider".
Enter a display name and the email domains that should use this IdP.
In your IdP, set the ACS URL and Entity ID using the values shown in the Bytescale SSO modal.
Configure the required SAML attributes in your IdP.
Download the IdP metadata XML (from your IdP) and paste it into the Bytescale SSO modal.
Optional: If you enable request signing or response encryption, download the Bytescale certificates from the SSO IdP table after creating the IdP, then configure your IdP to trust them.
Save the IdP.
Verify each email domain by clicking it in the SSO IdP table.
Bytescale will not use your IdP until the domain is verified, and it will check the domain for up to 72 hours.
Pick your identity provider to continue:
