Whimsical supports Single Sign-on (SSO) based on the SAML spec, and it's included at no additional charge for all Team Workspaces.
We've tried to make the SAML SSO setup as simple as possible, and the SAML setup screen shows all the variables you will need to make SAML work for your workspace.
However, the naming of some SAML attributes varies depending on the Identity Provider (IdP), which is why this page is needed 🙂
Some values are the same for every IdP:
- Entity ID: https://whimsical.com
- Name ID Format: EmailAddress
- Username/Name ID: Email
Whimsical identifies a SAML user by the e-mail address in the assertion. Your IdP will expose this under options such as "Name ID Format" or "Name ID"; when in doubt, choose the option that returns the user's e-mail address. Because that address is what ties a SAML login to a Whimsical account, make sure the IdP only asserts addresses that actually belong to the user (for example a verified primary e-mail, not a field the user can edit themselves).
Important note before we proceed:
Whimsical supports JIT (Just-in-time) account provisioning: if a user who authenticates via SAML does not yet have a Whimsical account, one is created for them automatically.
All accounts created through the SAML JIT process start out as editors, which may result in unexpected charges if many new users sign in via SAML. Bear this in mind when setting up SAML, and if your IdP lets you assign the Whimsical application to specific users or groups, do so: with JIT enabled, anyone the IdP lets through gets an editor seat.
Examples of how to set up some specific SAML SSO providers:
Okta
You can find Whimsical in Okta's Application Network, and Okta provides a setup walkthrough for it.
Azure Active Directory
We're working on being listed in the Azure Active Directory Marketplace, but in the meantime here are a couple of gotchas for setting up AAD SAML authentication with Whimsical:
- The Entity ID and the User Identifier (Name ID) format are the same as for every IdP, and are listed at the top of this page
- The Reply URL (Assertion Consumer Service URL) is shown in your Workspace Settings
- The User Attributes (claims) must be sent WITHOUT a namespace URI, and their names are case-sensitive: match the capitalisation shown on the SAML setup screen exactly
[Screenshot: example of a complete, working SAML setup]
[Screenshot: listing of all claims/attributes]
[Screenshot: how to remove the Namespace URI for a claim]
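To check an IdP configuration against the fixed values above (Entity ID, e-mail Name ID format) and the Azure AD namespace gotcha before a user hits a failed login, you can lint a SAML Response captured from the browser during a test sign-in. The script below is an added example written for this page; it is not Whimsical's code and does not reflect how Whimsical validates assertions. It parses a `SAMLResponse`, checks that the Audience matches the Entity ID, that the Name ID uses the emailAddress format and is an e-mail, and flags any attribute whose name still carries a namespace URI. The bare claim name `email` used in the "fixed" sample is an assumption (the page's actual claim names live in the screenshot), and both sample responses are constructed, unsigned documents. It deliberately does not verify the XML signature: it is a configuration sanity check, not an assertion verifier.

```python
"""Lint a captured SAML Response against the Whimsical SP values listed on this page.

Added example, not Whimsical's own code. Feed it the base64 SAMLResponse captured
from the browser (e.g. with a SAML tracer extension) during a test login. It does
NOT validate the XML signature; it is a config sanity check, not a verifier.
"""
import base64
import re
# Use defusedxml.ElementTree instead when parsing real, untrusted responses:
# the stdlib parser is exposed to entity-expansion payloads.
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
EXPECTED_AUDIENCE = "https://whimsical.com"  # Entity ID from the top of this page
EMAIL_NAMEID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def lint_saml_response(xml_text: str) -> dict:
    """Return {'ok': bool, 'problems': [...], 'attributes': {name: [values]}}."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return {"ok": False, "problems": ["no <saml:Assertion> in response"], "attributes": {}}
    problems = []

    # Name ID: must be the emailAddress format and actually carry an e-mail.
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        problems.append("no NameID in Subject")
    else:
        fmt = name_id.get("Format", "")
        if fmt != EMAIL_NAMEID_FORMAT:
            problems.append(f"NameID Format is {fmt!r}, expected emailAddress")
        if not EMAIL_RE.match((name_id.text or "").strip()):
            problems.append(f"NameID value {name_id.text!r} is not an e-mail address")

    # Audience: the IdP must address the assertion to Whimsical's Entity ID.
    audiences = [
        a.text.strip()
        for a in assertion.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
        if a.text
    ]
    if EXPECTED_AUDIENCE not in audiences:
        problems.append(f"Audience {audiences} does not include {EXPECTED_AUDIENCE}")

    # Attributes: Azure AD's defaults are namespaced URIs; Whimsical wants bare names.
    attributes = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name", "")
        attributes[name] = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
        if "://" in name or name.startswith("urn:"):
            problems.append(f"attribute {name!r} carries a namespace URI; use the bare claim name")

    return {"ok": not problems, "problems": problems, "attributes": attributes}


def lint_saml_response_b64(b64: str) -> dict:
    """Same check on the base64 SAMLResponse form parameter as sent by the browser."""
    return lint_saml_response(base64.b64decode(b64).decode("utf-8"))


def to_saml_response_param(xml_text: str) -> str:
    """Encode XML the way it travels in the SAMLResponse POST parameter."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def build_sample(name_id_format: str, name_id: str, attrs: dict) -> str:
    """Constructed, unsigned minimal SAML Response for offline testing (not real IdP output)."""
    attr_xml = "".join(
        f'<saml:Attribute Name="{n}"><saml:AttributeValue>{v}</saml:AttributeValue></saml:Attribute>'
        for n, v in attrs.items()
    )
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>'
        f'<saml:Subject><saml:NameID Format="{name_id_format}">{name_id}</saml:NameID></saml:Subject>'
        f'<saml:Conditions><saml:AudienceRestriction><saml:Audience>{EXPECTED_AUDIENCE}'
        '</saml:Audience></saml:AudienceRestriction></saml:Conditions>'
        f'<saml:AttributeStatement>{attr_xml}</saml:AttributeStatement>'
        '</saml:Assertion></samlp:Response>'
    )


# Representative of Azure AD's default namespaced claim names (constructed sample).
AZURE_DEFAULT_STYLE = build_sample(
    "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    "alice@example.com",
    {"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "alice@example.com"},
)
# Same user after applying this page's advice; the bare name "email" is an assumption.
FIXED_STYLE = build_sample(EMAIL_NAMEID_FORMAT, "alice@example.com", {"email": "alice@example.com"})

if __name__ == "__main__":
    for label, doc in (("azure-default", AZURE_DEFAULT_STYLE), ("fixed", FIXED_STYLE)):
        result = lint_saml_response(doc)
        print(label, "OK" if result["ok"] else "PROBLEMS", result["problems"])
```

Run it against the two built-in samples to see the Azure default flagged on both the Name ID format and the namespaced claim, then point `lint_saml_response_b64` at a response you captured from your own IdP. Treat a clean result as "the mapping is plausible", not as proof the assertion is valid; only the service provider's signature check decides that.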
If you already have a Whimsical account that was created before SAML was enabled for a Workspace, you can keep using it with both means of authentication:
- Log into your existing account using your existing login method
- Then log in using your SAML SSO provider
- The e-mail address returned by the SAML IdP is now linked to your existing account, and you can log in with either authentication method
Note: A Workspace admin may enforce SAML-only authentication for a Workspace. A user can still log into their Whimsical account with other login methods, but must authenticate via SAML SSO before they can access the Team Workspace that has SAML enforced.