Available on Basic, Business plans
Admin privileges required
1. OneLogin Setup for Stack Overflow for Teams
In OneLogin, add a new SAML 2.0 Application. In this example, we used a SAML Custom Connector (Advanced) application.
Once the application is created, go to the Configuration tab.
Fill in the fields on this page as follows:
- RelayState: This can remain empty.
- Audience (EntityID): This is a value you choose. The URI doesn't need to exist, but it will be used as the Audience Restriction URL you must add in the SO Admin Authentication settings. It is recommended to use the Assertion Consumer Service URL of your Team, which can be found on https://stackoverflow.com/c/[your_site]/admin/access/authentication
- ACS (Consumer) URL & ACS (Consumer) URL Validator: This is the Assertion Consumer Service URL of your Team, which can be found on https://stackoverflow.com/c/[your_site]/admin/access/authentication
You can leave the remaining fields at their defaults.
Now go to the Parameters tab.
You must have at least one parameter for the user display name, email, and NameID attributes. All must be included in the SAML assertions, so when adding the custom parameters, make sure you check the Include in SAML assertion checkbox.
2. Configure Stack Overflow Authentication Settings
In a new browser, open your Stack Overflow Authentication settings on Stack Overflow. Make sure Single sign-on (SSO) is selected.
In OneLogin, click the SSO tab.
Copy the following fields from OneLogin to Stack Overflow:
- Single Sign-On Service Url: that's the SAML 2.0 Endpoint on OneLogin
- Single Sign-On Service Protocol Binding: do not change, leave as POST
- Issuer: that's the Issuer URL on OneLogin
- Audience Restriction: This is the Audience URL you set on the OneLogin Configuration tab
- Display Name Assertion: This is the SAML Test Connector (IdP) Field, on the Parameters tab, for the user display name. In our example, that was the "Name" parameter.
- Email Address Assertion: This should match the SAML Test Connector (IdP) Field, on the Parameters tab, for the user email. In our example, that was the "Email" parameter.
- Leave all checkboxes unchecked
- Identity Provider Certificates: copy and paste the certificate for your OneLogin setup. This can be found by clicking on View Details for the certificate generated by OneLogin in the screenshot above.
3. Test and Configure Authentication Settings for your Stack Overflow Team
Validate your certificate by pressing Validate certificate (you should get a green box with a success message).
Now press Authenticate and enable. You should now be able to go to https://stackoverflow.com/c/[your_site] with your SSO.
If any issue arises, you can use Debug SAML auth settings and View SAML request to find out where the issue might be occurring.
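One way to check a captured login offline, as an added example that is not Stack Overflow's or OneLogin's code: it decodes the base64 SAMLResponse form field that the POST binding sends to the ACS URL and compares the Issuer, Audience, NameID and the two attribute names with the settings above. The issuer and audience URLs and the sample response are constructed values, and the script does not verify the signature.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SAMPLE_ISSUER = "https://idp.example/saml/metadata/0000"  # constructed value

def check_response(saml_response_b64, issuer, audience, name_attr, email_attr):
    """List mismatches between a base64 SAMLResponse and the SSO settings (no signature check)."""
    raw = base64.b64decode(saml_response_b64)
    if b"<!DOCTYPE" in raw:  # SAML messages never carry a DTD; refuse to parse one
        return ["response contains a DOCTYPE declaration"]
    assertion = ET.fromstring(raw).find("saml:Assertion", NS)
    if assertion is None:
        return ["no unencrypted Assertion element in response"]
    def text(path, node=assertion):
        return (node.findtext(path, "", NS) or "").strip()
    problems = []
    if text("saml:Issuer") != issuer:
        problems.append(f"Issuer is {text('saml:Issuer')!r}, expected {issuer!r}")
    audiences = [a.text.strip() for a in assertion.iterfind(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if audience not in audiences:
        problems.append(f"Audience Restriction {audience!r} not in {audiences}")
    if not text("saml:Subject/saml:NameID"):
        problems.append("NameID is missing or empty")
    attrs = {a.get("Name", ""): text("saml:AttributeValue", a)
             for a in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS)}
    for setting, wanted in (("Display Name", name_attr), ("Email Address", email_attr)):
        if not attrs.get(wanted):
            problems.append(f"{setting} Assertion {wanted!r} missing; sent: {sorted(attrs)}")
    return problems

def sample_response(audience, attrs):
    """Build a constructed, unsigned SAMLResponse to exercise the check."""
    attr_xml = "".join(
        f'<saml:Attribute Name="{n}"><saml:AttributeValue>{v}</saml:AttributeValue></saml:Attribute>'
        for n, v in attrs.items())
    xml = (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}">'
           f'<saml:Assertion><saml:Issuer>{SAMPLE_ISSUER}</saml:Issuer>'
           '<saml:Subject><saml:NameID>jane@example.com</saml:NameID></saml:Subject>'
           f'<saml:Conditions><saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>'
           '</saml:AudienceRestriction></saml:Conditions>'
           f'<saml:AttributeStatement>{attr_xml}</saml:AttributeStatement></saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()

if __name__ == "__main__":
    resp = sample_response("https://sp.example/acs", {"Name": "Jane Doe"})  # no Email sent
    print(check_response(resp, SAMPLE_ISSUER, "https://sp.example/acs", "Name", "Email"))
```

An empty list means the response matches the configured Issuer, Audience Restriction and assertion names; each string in a non-empty list names the setting to revisit.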