SAML 2.0

Single sign-on is supported via SAML 2.0 integration with your Identity Provider. We have customers using this in conjunction with Auth0, Okta, Keycloak, PingFederate, and Microsoft Azure Active Directory. Please note this requires the authentication add-on.

Configuration

To configure SAML integration, download the on-premises installation and follow these steps:

  1. Add structurizr.authentication=saml to your structurizr.properties file.
  2. The structurizr.url property in the structurizr.properties file should be set to the URL where Structurizr is installed (e.g. http://localhost:8080) - see Configuration for more details.
  3. Register the Structurizr on-premises application with your Identity Provider. When doing this, you will need a "Reply URL", which is of the form {structurizr.url}/saml/SSO (e.g. http://localhost:8080/saml/SSO).
  4. Add a structurizr.saml.entityId property to your structurizr.properties file, set to the SAML Entity ID that you are using to identify the Structurizr on-premises installation (configured with your Identity Provider when setting up the application/client in the previous step).
  5. A copy of your Identity Provider's SAML metadata (XML format) should be saved to a file called saml-idp-metadata.xml in your Structurizr data directory.
  6. Map the IdP username to a SAML attribute named http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
  7. Map the IdP roles/groups to a SAML attribute named http://schemas.xmlsoap.org/claims/Group

If you make any changes to the SAML configuration, you will need to restart the on-premises installation.

Guides

Here are some guides that show how to integrate with different identity providers.