StackBlitz is excited to offer SAML-based Single Sign on (SSO) to organizations using Active Directory Federation Service (ADFS). To enable this you need to be logged in as an admin within StackBlitz. If you are also an admin for ADFS and have the ability to create Relying Party Trusts, we can get started! If not, you will need to coordinate with whoever manages your organization's ADFS.
- Depending on your version of Windows and ADFS, these instructions may differ slightly from your experience
- Each user account must have a unique email address. Use a service account email address (like IT@yourcompany.com) to ensure that the admin account doesn't cause email collisions for SSO users. After SAML is enabled, all non-admin members in StackBlitz must log in with SAML. The super admin user can still log in with a password as needed.
- Only StackBlitz Admins have the superpowers to enable SAML for the organization.
- StackBlitz offers just in time provisioning. This means that if a user logs into StackBlitz for the first time using SSO, an account will automatically be created.
Begin by logging into your StackBlitz admin account and then click on "Setup Authentication". This will take you to the "Auth Settings" page:
This page can also be accessed directly at
https://editor.<Your StackBlitz Domain>/admin/auth_settings.
Please take note of the "Assertion Customer Service URL" as it will be used in the next part of the installation
Begin by logging into your ADFS host and opening the ADFS Management tool. Choose "Relying Party Trusts" from the left-hand navigation, then "Add Relying Party Trust..." from the right-hand navigation.
Leave "claims aware" selected and press "Start" to begin configuration. On the following screen, select "Enter data on the relying party manually" then press "Next" to continue.
Now, enter a display name for the relying party trust. This is an arbitrary value that is only used to identify the trust entry in the ADFS Management console. We recommend setting it to the url of your stackblitz isntallation. Once you've chosen a display name, click "Next." On the next screen, leave the encryption settings the same and click "Next" again.
Next, enable "Enable support for the SAML 2.0 WebSSO protocol" and enter the "Assertion Customer Service URL" value you noted earlier from the Stackblitz Auth Settings page into the "Relying party SAML 2.0 SSO service URL" field. Click "Next" once you're ready.
On the "Configure Identifiers" screen, you will need to add a "Relying party trust identifier." You may enter an arbitrary value, but we reccommend using your stackblitz url. Keep a note of the value you enter here because you will need to repeat it exactly in a future step. Click "Add" to save the identifier and click "Next"
On the "Choose Access Control Policy" screen, choose "Permit Everyone" and press "Next."
On the "Ready to Add Trust" screen, review your selections and press "Next" to complete the wizard. On the following screen, enable "Configure claims issuance policy for this application" and press "Close." The "Edit Claim Issuance Policy..." window should appear.
On this screen you will add two(2) rules: Stackblitz Attributes and Name ID. Click "Add Rule" to begin the rule wizard. Create the following rules:
Claim rule template: Send LDAP Attribures as Claims
Claim rule template: Transform an Incoming Claim
Once you've added both rules, click "OK" to close the Rules editor.
Now you need to get the thumbprint of your ADFS Certificate. Select "Service" > "Certificates" from the left-hand navigation. Right-click the certificate listed under "Token-signing" and click "View Certificates..." Select the "Details" tab in the certificate window. Scroll down to "Thumbprint" and select it. Make a note of this value to use in the next step.
Now, return to the Auth Settings page in the Stackblitz Admin Dashboard, and enter the following values and click "Save Auth Settings" below once complete:
Issuer (Service Provider Entity ID): "Relying party trust identifier" value from earlier
IDP SSO Target URL: Your ADFS endpoint (ex: https://your.adfs.domain/adfs/ls)
Certificate Fingerprint: Thumbprint value from the previous step
Unable to log in after following these steps? Verify the following information:
- Make sure you've put a check the "enabled" box on the auth setting page
- Verify that your claim rules match the screenshots above exactly
- Make sure the super admin account user's email doesn't collide with an ADFS user's email