Overview

Supernova uses Security Assertion Markup Language (SAML), which is an open standard used for securely exchanging data. Single sign-on (SSO) utilizes this standard for securely logging into applications.

With SSO, your team members will log in to the workspace with the specific identity provider used by your organization. Supernova acts as the service provider, and never stores or manages any credentials.

What you'll need

The process for configuring SSO depends on your specific identity provider. Contact us to enable SSO in your Company workspace and note the following information we will request from you.

The information you'll need to provide is:

a workspace URL

a verified email domain

an identity provider configuration — depending on your specific identity provider, you will need to provide a configuration method either in the format of:

metadata.xml that contains all of the information described above, OR

Sign in URL, the X509 signing certificate, and an optional sign out URL

Note that NameID property must contain a user email, otherwise Supernova won't be able to create a valid user profile

You will need some information from us to begin configuring SSO on your identity provider side. We will provide you with:

an Assertion Consumer Service (ACS) URL

an Entity ID

Auto-invite from SSO

With this feature you can activate certain domains for auto-inviting new users from SSO. This means that if the new user logs in with the given SSO provider for the first time, they are automatically invited to your Workspace as well.

When enabled, anyone that signs in with SSO to your workspace will be auto-invited to the workspace as a viewer.

Authentication method

You can choose which authentication methods can be used to access your Supernova workspace and documentation.

SSO only: Users can only sign in via your SSO provider. Users will need to be covered by your SSO provider to be able to access Supernova.

SSO and invitation: Users can sign in via your SSO provider (if covered), or you can invite them to sign in to your workspace and documentation via email.

Auto-invite from SSO

When enabled, anyone that signs in with SSO to your workspace will be auto-invited to the workspace as a viewer.

How to set it up

Once your SSO integration is successfully enabled, you can then configure the auto-invite from the same settings by enabling the domains which users should be auto-invited from.

For providers with multiple domains, you can selectively say which domains should allow auto-invite, and which ones should require adding people manually.

New users will be auto-invited with the Viewer role, and can then be upgraded to an editor seat.

Allow users to log in to documentation using SSO only

You can choose to only allow users covered by your chosen SSO method to log in to your published documentation site.

When enabled, users will be shown the SSO sign in screen when accessing the site.

To enable:

SSO must first be configured.

In Settings/Workspace/SSO toggle Allow access to documentation website for SSO users only on.

If enabled, previously invited viewers that are not covered by SSO won’t be able to access the documentation website.

Revoking SSO access

Revoking a user's access when SSO is enabled is possible. The method differs depending on which authentication method you're using.

SSO only: You need to revoke access for the user on the SSO provider's side. They will still be listed as a team member in Supernova after this is done (you can remove them if you'd like) but they won't be able to sign in to your workspace or documentation.

SSO and invitation: You need to revoke access for the user on the SSO provider's side, and remove them from your Supernova team in your workspace. You can find out more about removing team members in Team management.