SSO and SAML

Connecting your identity provider through Seal's authentication portal.

Seal supports SAML single sign-on through an embedded authentication portal. Tenant Admins configure their identity provider (IdP) by opening the portal from Seal's Settings; the actual SAML metadata exchange happens there.

Opening the configuration screen

  1. Sign in to Seal as a user with the Admin role.

  2. In Settings, open the Admin portal page. The page explains that Seal uses the Frontegg platform for authentication and provides an Admin portal button.

  3. Click the Admin portal button. A pop-up window opens to the Frontegg configuration screen, where you set up SAML, multi-factor authentication, and other authentication features for your tenant.

Configuring SAML

Inside the configuration screen, set up your IdP using the standard SAML steps:

  • Provide the IdP metadata URL or upload an XML metadata file.

  • Map SAML attributes (email, display name, and any role attribute you want Seal to consume).

  • Set the application's ACS URL and entity ID in your IdP, using the values shown in the screen.

Field-level help and per-IdP guidance live inside the configuration screen rather than in these docs.

Auto-provisioning

Once SAML is configured for your tenant, any user at your organization can sign in directly through your IdP. The first time a user signs in, Seal auto-provisions an account in your tenant. They do not need a separate email invite.

The role auto-provisioned users receive depends on your IdP attribute mapping. Configure attribute mappings in the authentication portal to assign roles automatically; otherwise, an Admin will need to update each new user's role from Settings > Roles and Permissions after their first sign-in.
