Balsamiq

Setting up a Space for Single Sign-On Authentication (SAML)


Single Sign-On (SSO) is a secure way to let users log in to the different services that a company uses. It is a good alternative to using multiple passwords and might even be a requirement for some companies.

Balsamiq Cloud supports SSO via Security Assertion Markup Language (SAML). When the feature is turned on, users will be able to log into Balsamiq Cloud via their company's Identity Provider (IdP).

Configuring Single Sign-On

Space Owners can configure SSO from the Space Settings, as shown below.

Clicking "Configure SSO..." reveals the four configuration steps below that will help you set up Balsamiq Cloud as a SAML Service Provider.

Step 1 - Service Provider Details

The first step of the configuration provides the details you need to enter in your Identity Provider to set up Balsamiq Cloud as a SAML Service Provider. Some terminology might differ from one IdP to another, so we'll cover some of those differences in this section.

Step 2 - Identity Provider Details

Now that you have filled in the necessary details in your IdP and validated those, let's collect the resulting details needed to set up Balsamiq Cloud:

  • the SAML 2.0 Endpoint
  • the IdP Issuer
  • the Public Certificate

Step 3 - Test Configuration

All details should have been set up in the first two steps, so it's time to verify your SAML configuration before we can turn it on.

Step 4 - Turn On SAML

Now that the verification has been made, the last step allows you to turn on SAML for your Space!


Advanced Configuration

As mentioned above, each IdP has a slightly different process (or wizard) with its own terminology.

Here is an overview of some of the most used IdPs and their specific differences to help you configure your own setup.

Okta

The terminology used in our SAML configurator's Step 1 is relatively close to Okta's own configuration tool. Below you can find the fields that need to be completed for this step.

Google

Google also uses field names that are (almost) identical to those in our configurator. The only setup difference is that the Metadata file needed for our Step 2 can be downloaded before adding the details from our Step 1.

Windows Server ADFS

Windows Server Active Directory Federation Services (ADFS) is another popular IdP that has a few particularities during the setup process.

After starting to fill out the different fields for our Step 1, you need to manually add a mapping rule with the following settings.

Once the mapping rule has been created, let's add a transform rule.

Now that the rules have been added, the Metadata file needed for our Step 2 can be downloaded from this path: https://<Federation Service name (FQDN)>/FederationMetadata/2007-06/FederationMetadata.xml

Azure Active Directory

Azure Active Directory has a different process to follow.

When starting the configuration, make sure to "create your own application" with the non-gallery option selected.

Once you are looking at the overview, select "Set up Single Sign On" to enter the details provided in our Step 1.

The "User Attributes & Claims" step needs to be filled out with the following details:

Finally, the Metadata file needed for our Step 2 is called "Federation Metadata XML" and is available under SAML Signing Certificate.
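The metadata files mentioned above for Google, ADFS and Azure Active Directory carry the three values Step 2 asks for, in the standard SAML 2.0 metadata elements: `entityID` (IdP Issuer), `SingleSignOnService` (SAML 2.0 Endpoint) and the signing `X509Certificate` (Public Certificate). The following is an added example, not Balsamiq's code, that reads them out and fingerprints the certificate; the function name, the `idp.example.com` sample and its placeholder certificate bytes are assumptions made for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def read_idp_metadata(xml_text):
    """Extract the IdP Issuer, SSO endpoints and signing certificates."""
    # Metadata never needs a DTD; refuse one instead of letting the parser expand entities.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("unexpected DTD or entity declaration")
    root = ET.fromstring(xml_text)
    # Accept a bare <EntityDescriptor> or one wrapped in <EntitiesDescriptor>.
    entity = root if root.tag.endswith("}EntityDescriptor") else root.find("md:EntityDescriptor", NS)
    idp = entity.find("md:IDPSSODescriptor", NS) if entity is not None else None
    if idp is None:
        raise ValueError("no IDPSSODescriptor: not IdP metadata")
    endpoints = {}
    for sso in idp.findall("md:SingleSignOnService", NS):
        location = sso.get("Location", "")
        if not location.lower().startswith("https://"):
            raise ValueError("SSO endpoint is not HTTPS: %r" % location)
        endpoints[sso.get("Binding", "").rsplit(":", 1)[-1]] = location
    certs = []
    for key in idp.findall("md:KeyDescriptor", NS):
        if key.get("use", "signing") != "signing":
            continue  # encryption-only keys do not verify assertions
        for node in key.iterfind(".//ds:X509Certificate", NS):
            b64 = "".join((node.text or "").split())
            der = base64.b64decode(b64, validate=True)
            certs.append({"base64": b64, "sha256": hashlib.sha256(der).hexdigest()})
    if not certs:
        raise ValueError("no signing certificate in metadata")
    return {"issuer": entity.get("entityID"), "endpoints": endpoints, "certs": certs}

# Constructed sample: hypothetical IdP; the certificate body is placeholder bytes, not a real certificate.
SAMPLE = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://idp.example.com/saml">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data><X509Certificate>Y29uc3RydWN0ZWQtcGxhY2Vob2xkZXI=</X509Certificate></X509Data>
    </KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/saml/sso"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

if __name__ == "__main__":
    print(read_idp_metadata(SAMPLE))
```

Comparing the printed SHA-256 value with the certificate fingerprint shown in the IdP's admin console confirms that the certificate entered in Step 2 is the one the IdP signs with.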

Keycloak

The configuration process of Keycloak is relatively in line with ours, but the required fields are not necessarily ordered the same way.

Here is a quick look at the fields and options that need to be taken care of.


Turning Off Single Sign-On

Space Owners can turn off SSO from the Space Settings, as shown below, by clicking "Configure or Turn Off SSO..." > "Turn Off SSO...".


We hope that these examples will help you configure SSO with Balsamiq Cloud. However, don't hesitate to reach out to us via support@balsamiq.com if needed. We're here to help! :)