Supported Features
Chartbeat currently supports the following features:
- Service Provider (SP) Initiated flow
Chartbeat does not support the following features:
- Identity Provider (IDP) Initiated Flow
- SAML JIT (Just In Time) Provisioning
Step 1: Set up Microsoft Azure as SAML identity provider (IDP)
- Sign in to the Azure portal.
- On the left navigation pane, select the Azure Active Directory service.
- Navigate to Enterprise Applications and then select All Applications.
- Add a new application by selecting New application.
- Select Non-gallery application.
- Set “Chartbeat” as the name of the application and click Add.
- Assign a test user to the application (required)
- Go to Configure single sign-on (required).
- Select SAML-based Sign-on in the Single Sign-on Mode.
- Enter the following values into the appropriate fields:
- Identifier: urn:auth0:chartbeat:CONNECTION_NAME
- Reply URL: https://chartbeat.auth0.com/login/callback?connection=CONNECTION_NAME
- User Identifier: user.mail
- In the User Attributes and Claims section, select the Edit icon.
- Verify that the Name Identifier Value is set to user.mail. To modify this value, select Edit. Change the name identifier format to EmailAddress and the Source attribute value to Email.
- In step 3, download the Certificate (Base64)
- In step 4, copy the Login URL and put it in a safe place so you can access it later.
- Click Finish
The CONNECTION_NAME is a unique identifier for your connection. It should only contain alphanumeric characters and hyphens and must be less than 128 characters in length.
We recommend that you include your company name as a part of the connection name to ensure that the name is unique. For example, Acme Corp may name their connection Acme-Login.
If you plan on setting up a TEST or STAGING connection first, give it the same connection name in Chartbeat as you plan to use for your live connection.
Step 2: Enable Chartbeat SAML App
- Sign in to the Azure portal.
- On the left navigation pane, select the Azure Active Directory service.
- Navigate to Enterprise Applications and then select All Applications.
- In the application list, select Chartbeat.
- In the app's overview page, find the Manage section and select Users and groups.
- Select Add user, then select Users and groups in the Add Assignment dialog.
- Type in the full name, email address, or full group name of the user/group you are interested in assigning into the Search by name or email address search box.
- Click the checkbox next to the user/group to add them to the Selected list
- Continue to select users/groups to add to the Selected list.
- When you are finished, click the Select button to add them to the list of users and groups to be assigned to the application.
- Click the Assign button to assign the application to the selected users.
Step 3: Set up Chartbeat as a SAML 2.0 service provider (SP)
Once you’ve finished configuring Microsoft Azure as your IDP, your Chartbeat organization Owner or an IAM Admin can integrate Microsoft Azure with Chartbeat.
- Sign in to Chartbeat as your organization Owner or an IAM Admin.
- Hover over your avatar in the top right corner and click Settings.
- Click Authentication on the left side menu.
- Next to SAML authentication, click Set up.
- In the Connection Name field, enter the connection name you configured in step 1.
- In the SAML 2.0 Endpoint (HTTP) field, paste the Identity Provider Single Sign-On URL you copied at the end of step 1.
- In the X.509 Certificate field, paste the entire contents of the file you downloaded in step 1. This is an X.509 Certificate that’s required for SSO setup. You might need to rename the file extension to “.txt” so you can open the file with a text editor.
- Click Save.
You can access and review the SP-metadata generated by Chartbeat for your connection by going to https://chartbeat.auth0.com/samlp/metadata?connection=CONNECTION_NAME
Step 4: Verifying that SSO is working
- Enable your connection by switching the connection from disabled to enabled.
- Go to Sign-in & Security
- Select Link Account. You should be redirected to your organization’s Azure sign-in page.
- Enter your user name and password.
After your credentials are authenticated, you should be redirected back to the Sign-in & Security page. The SSO authentication section will now say that you’re authenticated.
What happens when SSO is enabled
After you’ve enabled SSO, users on your account will be able to bind their Chartbeat account with your IDP on the Sign-in & Security page. New Chartbeat users to your organization will also have the option to sign in using SSO when they activate their account.
By default, we will not force your team members to log in with SAML SSO. To require all users in your organization log in to Chartbeat using SAML SSO, learn more about enabling enforced SSO.
Once a user sets their authentication method to SSO:
- Two-factor authentication (TFA) will be delegated to your identity service and no longer managed through Chartbeat. Please refer to your identity provider’s documentation on how to manage TFA.
- User passwords will no longer be managed through Chartbeat. If a user attempts to reset their Chartbeat password it will have no effect. Please refer your users to your internal help desk for assistance recovering their Microsoft Azure account.