Single sign-on (SSO) allows you to give your team members one account for all of the systems your business uses. If you have a LabLog Enterprise account and have SSO set up for your business, you can require users to log in to LabLog using their SSO credentials.


Please note: This setup process should be done by an IT administrator with experience creating applications in your identity provider account. An Enterprise subscription is required to enable the SSO feature.


LabLog SSO is compatible with Shibboleth 2/SAML 2.0 and requires only a minimal set of InCommon/SAML 2.0 compatible attributes for authenticated users. See below for more details.

Initial setup

  • Log in to your identity provider account.
  • Navigate to your applications.
  • Create a new application for LabLog Service Provider (SP). Paste the following SP values into your identity provider account where required:

       Entity ID: https://labnotebook.app
       Authorization callback URL:
       [email [email protected] to request this value]

       SAML 2.0 metadata file is also available upon request.

  • If prompted, set the username format/name ID to Email.
  • Copy the identifier or issuer URL (Entity ID), the single sign-on URL (SSO URL), and the X.509 certificate from your identity provider, and send them to [email protected]. Alternatively, you can send us a copy of the identity provider (IdP) metadata file.

To authorize users in your organization, the LabLog SP requires the following InCommon/SAML 2.0 compatible attributes for users authenticating with your IdP:

 <Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="mail"/>
 <Attribute name="urn:oid:2.16.840.1.113730.3.1.241" id="displayName"/>
 <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" id="eduPersonScopedAffiliation"/>
 <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eduPersonPrincipalName"/>

More details about these attributes can be found here.

We'll email you when the SSO feature is activated for your organization. Or, you can click on verify and activate to enable SSO authentication.
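
A pre-flight check for the attribute release and email NameID described above, as an added example that is not LabLog's own code: it decodes a test SAMLResponse (the base64 form value your browser posts to the ACS URL) and lists what is missing. The function names and the sample response are constructed for illustration, and the check does not validate the signature.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# The four attributes the page lists as required, keyed by their id.
REQUIRED = {
    "mail": "urn:oid:0.9.2342.19200300.100.1.3",
    "displayName": "urn:oid:2.16.840.1.113730.3.1.241",
    "eduPersonScopedAffiliation": "urn:oid:1.3.6.1.4.1.5923.1.1.1.9",
    "eduPersonPrincipalName": "urn:oid:1.3.6.1.4.1.5923.1.1.1.6",
}

def encode(xml):
    """HTTP POST binding carries the response as plain base64 (no deflate)."""
    return base64.b64encode(xml.encode()).decode()

def preflight(saml_response_b64):
    """List what a test SAMLResponse lacks. Does NOT verify the signature."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    problems = []
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None:
        problems.append("no NameID in assertion")
    else:
        if name_id.get("Format") != EMAIL_FORMAT:
            problems.append(f"NameID Format is {name_id.get('Format')}, expected email")
        if "@" not in (name_id.text or ""):
            problems.append("NameID value is not an email address")
    released = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text for v in attr.iterfind("saml:AttributeValue", NS) if v.text]
        released[attr.get("Name")] = values
    for friendly, oid in REQUIRED.items():
        if not released.get(oid):  # absent, or present with no value
            problems.append(f"missing attribute {friendly} ({oid})")
    return problems

# Constructed sample: an unsigned response releasing only mail and displayName.
SAMPLE_XML = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>
 <saml:Subject><saml:NameID Format="{EMAIL_FORMAT}">ada@example.org</saml:NameID></saml:Subject>
 <saml:AttributeStatement>
  <saml:Attribute Name="{REQUIRED['mail']}"><saml:AttributeValue>ada@example.org</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="{REQUIRED['displayName']}"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement></saml:Assertion></samlp:Response>"""

if __name__ == "__main__":
    for problem in preflight(encode(SAMPLE_XML)):
        print(problem)
```

Run it only on a response from your own test login; an empty list means the NameID and all four attributes are present.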


The navigation instructions and field names above may differ across identity providers. You can find more specific instructions for setting up applications in commonly used identity providers below.

Google G Suite

Check out Google's instructions on how you can set up LabLog single sign-on with G Suite as your identity provider.

In the service provider details panel enter the following information:

Please provide service provider details to configure SSO for LabLog. The ACS URL and Entity ID are mandatory.

ACS URL:  [email [email protected] to request this value]

Entity ID: https://labnotebook.app

Start URL: https://labnotebook.app/login/sso

Signed Response: Leave unchecked

Name ID: Basic Information - Primary Email

Name ID Format: EMAIL


Set up the following attribute mappings:

urn:oid:0.9.2342.19200300.100.1.3 - Basic Information - Primary Email
urn:oid:2.16.840.1.113730.3.1.241 - Basic Information - First Name

Click on Manage Certificates, then download and email the IdP metadata file. We will use this information to register your organization's G Suite IdP with the LabLog service provider. We will email you when the SSO feature is activated for your organization.

FAQs

Which binding does LabLog use as a SAML service provider?

LabLog uses HTTP POST.


Which username format should I set in my SAML application?

LabLog users are identified by email address. Ensure that your IdP sends a NameID in email format that matches the user's LabLog email address.


Which signing algorithm does LabLog support?

LabLog supports SHA-256 as the signing algorithm.


Which format should I provide my x509 certificate in?

LabLog requires a PEM format X.509 certificate. You should send us the text contents of the PEM file. The value may include the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.
