Single Sign-On
How to connect Unblocked with your SSO provider
Centralize your team’s access to Unblocked by connecting it to your Single Sign-On (SSO) provider. Unblocked supports SSO integrations with Okta, Google Workspace, Microsoft Entra ID, AWS Identity Center, and any other SAML 2.0 compliant provider.
Configure Single Sign-On
To connect Unblocked with your SSO provider:
- Navigate to the Settings section of the Unblocked web app.
- Under Team Settings, select Security.
- Locate the Single Sign-On section and click Configure.
- To complete the setup, follow the specific instructions relevant for your identity provider.
AWS Identity Center
Configure Unblocked with AWS Identity Center.
Google Workspace
Configure Unblocked with Google Workspace.
Microsoft Entra ID
Configure Unblocked with Microsoft Entra ID.
Okta
Configure Unblocked with Okta.
Other SAML Providers
Configure Unblocked with other SAML 2.0 providers.
Configure AWS Identity Center
Create an AWS Identity Center application
From IAM Identity Center, navigate to the Applications tab, and click Add application.
Under Setup preference, select I have an application I want to set up.
Under Application type, select SAML 2.0.
Click Next and enter Unblocked as the application name.
Configure IAM Identity Center metadata
Copy the following information from the IAM Identity Center metadata section and paste it into Unblocked.
- IAM Identity Center sign-in URL
- IAM Identity Center SAML issuer URL
- IAM Identity Center Certificate
Application properties
Leave the Application properties section in AWS blank.
Configure Application metadata
Copy the following values from Unblocked into the Application metadata section in AWS Identity Center:
- Application ACS URL
- Application SAML audience
Configure attribute mappings
From the Actions menu, select Edit attribute mappings.
Then enter the following mappings:
User attribute in Unblocked | User attribute in Identity Center | Format |
---|---|---|
Subject | ${user.email} | emailAddress |
givenName | ${user.givenName} | basic |
familyName | ${user.familyName} | basic |
Assign Users
Assign users and groups to your AWS Identity Center application to grant them access to Unblocked.
Configure Google Workspace
Create a Google SAML App
From your Google Workspace Admin dashboard, go to Web and mobile apps. Then, from the Add app dropdown, select Add custom SAML app.
Enter App details
Enter “Unblocked” as the app name and click Continue.
Copy Google Identity Provider details into Unblocked
Copy the following three values from the SAML application into the Configure SSO form in Unblocked:
- SSO URL
- Entity ID
- Certificate
Configure SAML Settings
On the Service provider details page, enter the following:
- ACS URL: provided from Unblocked
- Entity ID: provided from Unblocked
- Name ID format: EMAIL
- Name ID: Basic Information > Primary email
Configure Attribute Mapping
Enter the following three attribute statements:
Google Directory Attribute | Value |
---|---|
Primary email | email |
First name | firstName |
Last name | lastName |
Click Finish
Click Finish to save your changes.
Assign Users
On the next page, assign users and groups to the Google SAML application to grant them access to Unblocked.
Configure Microsoft Entra ID
Create a Microsoft Entra ID Application
From your Microsoft Entra ID admin dashboard, navigate to the Enterprise applications tab.
Click New application, then click Create your own application to create a new application using SAML.
Enter “Unblocked” as the app name and click Create.
Configure Basic SAML Configuration
Click Set up single sign on and select SAML.
Enter the following values for the Basic SAML Configuration:
- Identifier (Entity ID): copy value from Unblocked Single Sign-On settings
- Reply URL (Assertion Consumer Service URL): copy value from Unblocked Single Sign-On settings
Leave other fields blank.
Configure Attributes & Claims
The default attribute and claim mappings are sufficient for Unblocked.
Set up Unblocked
From the SAML Certificate section of your Microsoft Entra ID application, download the Base64 certificate and copy the contents of the downloaded file into the Certificate field in Unblocked.
Then, copy the following two values from your new application into Unblocked:
- Login URL
- Microsoft Entra Identifier
Assign Users
Assign users and groups to your Microsoft Entra ID application to grant them access to Unblocked.
Configure Okta
Create an Okta Application
From your Okta admin dashboard, navigate to the Applications tab.
Click Create App Integration to create a new application using SAML 2.0.
Enter “Unblocked” as the app name and click Next.
Configure SAML Settings
Enter the following four values:
- Single sign-on URL: provided from Unblocked
- Audience URI (SP Entity ID): provided from Unblocked
- Name ID format: EmailAddress
- Application username: Email
Configure Attribute Statements
Enter the following two attribute statements:
Name | Name format | Value |
---|---|---|
firstName | Basic | user.firstName |
lastName | Basic | user.lastName |
Click Next
Click Next to proceed to the next step, then click Finish to save your changes.
Copy SAML metadata into Unblocked
From the Sign On tab of your Okta application, copy the following three values into the Configure Okta form in Unblocked:
- Sign on URL
- Issuer
- Signing Certificate
Assign Users
Assign users and groups to your Okta application to grant them access to Unblocked.
Configure Other SAML Providers
Create a SAML Application
From your identity provider admin dashboard, create a new SAML 2.0 application.
Copy service provider metadata to your SAML app
Your SAML identity provider (IdP) requires the following metadata information to trust Unblocked as a service provider. You can copy and paste this information, or type it in the service provider configuration interface for your IdP.
- Assertion Consumer Service (ACS) URL
- Service Provider Entity ID
Ensure that the application username in your SAML app is set to the user’s email address. (This is also commonly referred to as the subject or name ID.)
Map user attributes
Enter the following two attribute statements:
SAML App Attribute Name | Name format | Unblocked Attribute Name |
---|---|---|
User Given Name | Basic | firstName |
User Family Name | Basic | lastName |
Enter identity provider metadata
Copy and paste the following metadata information from Unblocked into your SAML app:
- Identity Provider Sign-in URL
- Identity Provider Entity ID
- Identity Provider X509 Certificate
Assign Users
Assign users and groups to your new SAML application to grant them access to Unblocked.
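A way to confirm that a test login carries what the provider sections above configure (an email NameID, the Service Provider Entity ID as audience, and the first and last name attributes). This is an added example, not Unblocked's code; it assumes you have the decoded response XML from a test sign-in, and `lint_assertion`, the sample values and the `example.test` URLs are hypothetical. Pass `required=("givenName", "familyName")` for the AWS Identity Center mapping.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

def lint_assertion(xml_text, sp_entity_id, required=("firstName", "lastName")):
    """List mismatches between a decoded SAML response and the settings above.
    Diagnostic only: it does not validate the signature or the time conditions."""
    assertion = ET.fromstring(xml_text).find(".//saml:Assertion", NS)
    if assertion is None:
        return ["no plaintext Assertion element found"]
    problems = []
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or "@" not in (name_id.text or ""):
        problems.append("NameID is missing or is not an email address")
    elif name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID Format is %r, not emailAddress" % name_id.get("Format"))
    audiences = [a.text.strip() for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if sp_entity_id not in audiences:
        problems.append("Audience %r lacks the SP entity ID" % audiences)
    sent = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        sent[attr.get("Name")] = (value.text or "").strip() if value is not None else ""
    for name in required:
        if not sent.get(name):
            problems.append("attribute %r is missing or empty" % name)
    return problems

# Constructed sample response; every value below is made up for the example.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject><saml:NameID Format="{fmt}">{subject}</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://sp.example.test/saml</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="firstName"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="{last}"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    ok = SAMPLE.format(fmt=EMAIL_FORMAT, subject="ada@example.test", last="lastName")
    print(lint_assertion(ok, "https://sp.example.test/saml"))
```

An empty list means the assertion matches the mapping; each string in a non-empty list names one setting to revisit in the identity provider.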
User and Group Provisioning
Once you’ve configured SSO, you can enable user and group provisioning to automatically manage user access to Unblocked. This feature allows you to automatically create, update, and deactivate users in Unblocked based on changes in your identity provider.
Unblocked is a fully-compliant SCIM 2.0 service provider and supports user and group provisioning from any SCIM-compliant identity provider. To connect Unblocked with your identity provider:
- Navigate to the Settings section of the Unblocked web app.
- Under Team Settings, select Security.
- Locate the SCIM User and Group Provisioning section and click Configure.
- Click Add Token to generate a new API token for SCIM provisioning. Copy both the new API token and the Base URL.
- To complete the setup, follow the specific instructions relevant for your identity provider.
Microsoft Entra ID
Configure SCIM Provisioning for Microsoft Entra ID.
Okta
Configure SCIM Provisioning for Okta.
Configure Microsoft Entra ID Provisioning
Navigate to Provisioning
From your Microsoft Entra ID admin dashboard, navigate to your previously created Unblocked Application. Select the Provisioning options from the Manage menu, or you can select the Provision User Accounts tile.
Setup Provisioning
On the following page, enter these details:
- Set the Provisioning Mode to Automatic.
- Set the Tenant URL to the Base URL that you copied earlier from Unblocked.
- Set the Secret Token to the API Token that you copied earlier from Unblocked.
Click Test Connection to verify the connection, and then click Save.
On the Provisioning Overview page, click Start Provisioning to begin syncing users and groups from Microsoft Entra ID to Unblocked. This completes the setup for SCIM provisioning from Microsoft Entra ID to Unblocked.
Configure Okta Provisioning
Enable SCIM Provisioning
From your Okta admin dashboard, navigate to your previously created Unblocked Application. On the General tab, click Edit and set the Provisioning toggle to SCIM. Then click Save.
Setup SCIM Connection
On the Provisioning tab, click Integration under settings, and then Edit.
- Set the SCIM connector base URL to the Base URL that you copied earlier from Unblocked.
- Set the Unique identifier field for users to email.
- Check the following for the Supported provisioning actions:
  - Push New Users
  - Push Profile Updates
  - Push Groups
- Set the Authentication method to HTTP Header.
- Set the Authorization field to the API Token that you copied earlier from Unblocked.
Click Test API Credentials to verify the connection, and then click Save.
Configure Provisioning to Unblocked
On the Provisioning tab, click To App under settings, and then Edit.
- Set the following Provisioning to App toggles to Enabled:
  - Create Users
  - Update User Attributes
  - Deactivate Users
Click Save.
Push Groups
On the Push Groups tab, choose the groups you want to push to Unblocked. This completes the setup for SCIM provisioning from Okta to Unblocked.
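Once provisioning is running, the deactivation path described above can be checked by listing users over SCIM and comparing them with the accounts assigned in the identity provider. This is an added example, not Unblocked's code: the `/Users` path and ListResponse shape come from the SCIM 2.0 standard (RFC 7644), while the Bearer scheme for the API token, the function names, the `example.test` URL and the sample data are assumptions.

```python
import json
import urllib.request

LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"

def users_request(base_url, token, start_index=1, count=100):
    """Build the RFC 7644 GET <Base URL>/Users request for one page of users."""
    url = "%s/Users?startIndex=%d&count=%d" % (base_url.rstrip("/"), start_index, count)
    return urllib.request.Request(url, headers={
        "Authorization": "Bearer " + token,  # assumption: token sent as a Bearer credential
        "Accept": "application/scim+json",
    })

def fetch_page(request):
    """Send the request and decode the JSON body (network call, not used by the sample)."""
    with urllib.request.urlopen(request, timeout=10) as response:
        return json.load(response)

def stale_active_users(list_response, assigned_emails):
    """Return userNames still active in the service provider but not assigned in the IdP."""
    if LIST_SCHEMA not in list_response.get("schemas", []):
        raise ValueError("not a SCIM ListResponse")
    assigned = {email.lower() for email in assigned_emails}
    return sorted(
        user["userName"] for user in list_response.get("Resources", [])
        # 'active' is optional in SCIM; treat a missing flag as active to stay conservative.
        if user.get("active", True) and user["userName"].lower() not in assigned
    )

# Constructed sample page of results; the users are made up for the example.
SAMPLE_PAGE = {
    "schemas": [LIST_SCHEMA],
    "totalResults": 3,
    "Resources": [
        {"userName": "ada@example.test", "active": True},
        {"userName": "grace@example.test", "active": True},
        {"userName": "alan@example.test", "active": False},
    ],
}

if __name__ == "__main__":
    # Only ada is still assigned in the IdP, so grace is reported as drift.
    print(stale_active_users(SAMPLE_PAGE, ["ada@example.test"]))
```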
Enforce SSO
Once SSO is configured, you can enforce its use for your team. This means all team members will be required to sign in using your SSO provider.
There are two enforcement options:
- SSO Only: Users will be required to sign in to Unblocked using SSO. You may need to sign in with SSO before enabling this option.
- SSO or Source Code System: Users can sign in using either SSO or their source code system (e.g., GitHub, Bitbucket, or GitLab).
Allowed Email Domains
Verifying a domain ensures that users who enter an email address from that domain on the Unblocked sign-in page are automatically directed to your SSO login. This creates a seamless login experience and routes users through the correct authentication flow.
You can add multiple domains to enable SSO login detection for users with different email addresses. To verify a domain:
Add Domain
Click Add Domain and enter the domain name you want to verify.
Verify Domain
Unblocked will prompt you to add a TXT record to your DNS settings to complete the verification.
Once the domain is verified, any user who enters an email address matching that domain on the Unblocked sign-in page will see the SSO login option for your SAML provider.
Verifying a domain only controls the visibility of the SSO login option and does not automatically grant access to your Unblocked team. Access to Unblocked is still managed through user and group assignments in your identity provider (IdP).
Download Unblocked Logo
To help your users easily recognize Unblocked in their identity provider dashboard, download the Unblocked logo for use in your SSO application.