Single Sign-On
How to connect Unblocked with your SSO provider
Centralize your team’s access to Unblocked by connecting it to your Single Sign-On (SSO) provider. Unblocked supports SSO integrations with Okta, Google Workspace, Microsoft Entra ID, and any other SAML 2.0 compliant provider.
Configure Single Sign-On
To connect Unblocked with your SSO provider:
- Navigate to the Settings section of the Unblocked web app.
- Under Team Settings, select Security.
- Locate the Single Sign-On section and click Configure.
- To complete the setup, follow the instructions for your identity provider:
  - Okta
  - Google Workspace
  - Microsoft Entra ID (coming soon)
  - SAML 2.0 (coming soon)
Configure Okta
Create an Okta Application
From your Okta admin dashboard, navigate to the Applications tab.
Click Create App Integration to create a new application using SAML 2.0.
Enter “Unblocked” as the app name and click Next.
Configure SAML Settings
Enter the following four values:
- Single sign-on URL: provided by Unblocked
- Audience URI (SP Entity ID): provided by Unblocked
- Name ID format: EmailAddress
- Application username: Email
Configure Attribute Statements
Enter the following two attribute statements:
Name | Name format | Value |
---|---|---|
firstName | Basic | user.firstName |
lastName | Basic | user.lastName |
Click Next
Click Next to proceed to the next step, then click Finish to save your changes.
Copy SAML metadata into Unblocked
From the Sign On tab of your new Okta application, copy the following three values into the Configure Okta form in Unblocked:
- Sign on URL
- Issuer
- Signing Certificate
Assign Users
Assign users and groups to your Okta application to grant them access to Unblocked.
Configure Google Workspace
Create a Google SAML App
From your Google Workspace Admin dashboard, go to Web and mobile apps. Then, from the Add app dropdown, select Add custom SAML app.
Enter App details
Enter “Unblocked” as the app name and click Continue.
Copy Google Identity Provider details into Unblocked
Copy the following three values from the SAML application into the Configure SSO form in Unblocked:
- SSO URL
- Entity ID
- Certificate
Configure SAML Settings
On the Service provider details page, enter the following:
- ACS URL: provided by Unblocked
- Entity ID: provided by Unblocked
- Name ID format: EMAIL
- Name ID: Basic Information > Primary email
Configure Attribute Mapping
Enter the following three attribute statements:
Google Directory Attribute | Value |
---|---|
Primary email | email |
First name | firstName |
Last name | lastName |
Click Finish
Click Finish to save your changes.
Assign Users
On the next page, assign users and groups to the Google SAML application to grant them access to Unblocked.
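To confirm that the Name ID and attribute settings above took effect, the following added example (not Unblocked's or the identity providers' own code) checks a decoded SAML assertion against the values listed for Okta and Google Workspace on this page. It assumes you have captured and base64-decoded an assertion from your own test login; `check_assertion`, `REQUIRED` and the sample assertion are hypothetical names and constructed data.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# Attribute names taken from the Okta and Google Workspace tables on this page.
REQUIRED = {"okta": {"firstName", "lastName"},
            "google": {"email", "firstName", "lastName"}}

def check_assertion(xml_text, provider):
    """Return a list of configuration problems found in a decoded assertion.

    Troubleshooting aid only: it does not verify the XML signature, so it
    must never be used to make an authentication decision.
    """
    root = ET.fromstring(xml_text)
    problems = []
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("missing NameID")
    else:
        if name_id.get("Format") != EMAIL_FORMAT:
            problems.append("NameID format is not emailAddress")
        if "@" not in name_id.text:
            problems.append("NameID is not an email address")
    # Collect attributes that are present and carry a non-empty value.
    present = set()
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        if value is not None and (value.text or "").strip():
            present.add(attr.get("Name"))
    for name in sorted(REQUIRED[provider] - present):
        problems.append(f"missing or empty attribute: {name}")
    return problems

# Constructed sample: wrong Name ID format, username instead of email,
# and a lastName attribute with no value.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName"><saml:AttributeValue></saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    for problem in check_assertion(SAMPLE, "okta"):
        print(problem)
```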
Enforce SSO
Once SSO is configured, you can enforce its use for your team. This means all team members will be required to sign in using your SSO provider.
There are two enforcement options:
- SSO Only: Users will be required to sign in to Unblocked using SSO. You may need to sign in with SSO before enabling this option.
- SSO or Source Code System: Users can sign in using either SSO or their source code system (e.g., GitHub, Bitbucket, or GitLab).
Allowed Email Domains
Verifying a domain ensures that users who enter an email address from that domain on the Unblocked sign-in page are automatically directed to your SSO login. This creates a seamless login experience and routes users through the correct authentication flow.
You can add multiple domains to enable SSO login detection for users with different email addresses. To verify a domain:
Add Domain
Click Add Domain and enter the domain name you want to verify.
Verify Domain
Unblocked will prompt you to add a TXT record to your DNS settings to complete the verification.
Once the domain is verified, any user who enters an email address matching that domain on the Unblocked sign-in page will see the SSO login option for your SAML provider.
Verifying a domain only controls the visibility of the SSO login option and does not automatically grant access to your Unblocked team. Access to Unblocked is still managed through user and group assignments in your identity provider (IdP).