Single Sign-On (SSO) with SAML 2.0 lets your users sign in to deskbird with their existing identity provider (IdP). Below you’ll find quick-start options for Okta and Keycloak, plus a full federation setup guide (SP-initiated SSO).
1. SAML using Okta
Use our dedicated Okta guide to configure an Okta SAML app, map the required attributes, and test SP-initiated SSO to deskbird. It includes screenshots, attribute statements, and troubleshooting tips.
👉 Step-by-step: Configure SAML SSO with Okta
2. SAML using Keycloak
Prefer using Keycloak? Follow the Keycloak guide to initiate SSO to deskbird.
👉 Step-by-step: Configure SAML SSO with Keycloak
3. Setup of SAML 2.0 Federation
SAML 2.0 (Security Assertion Markup Language) is an XML-based protocol to securely exchange authentication/authorization data between an identity provider (IdP) and a service provider (SP). deskbird supports SP-initiated SSO (authentication must start from deskbird).
If you want a tile in your IAM launcher (e.g., OneLogin, JumpCloud) that users can click, add a Bookmark application that launches the SP-initiated flow in deskbird: https://app.deskbird.com/saml?providerName={saml-provider-ID}
The SAML provider ID follows the pattern saml.{company-name}. Example for “Polaroid”: https://app.deskbird.com/saml?providerName=saml.polaroid
Create a separate, hidden Federation application in your IdP for the SAML connection itself (not visible to users).
3.1 General setup
Configure your IdP with the following deskbird Service Provider details:
| Service Provider ID (Entity ID) | https://api.deskbird.app/saml/metadata |
| ACS URL (Callback) | https://app.deskbird.com/__/auth/handler |
💡 For successful SAML 2.0 authentication, set NameID to the user’s email address with format urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified.
Example assertion snippet
```xml
<saml2:Subject>
  <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
                NameQualifier="<IdP Entity ID>"
                SPNameQualifier="https://api.deskbird.app/saml/metadata"
                xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
    email
  </saml2:NameID>
  <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
  </saml2:SubjectConfirmation>
</saml2:Subject>
```
Send to deskbird for configuration
| IdP Entity ID | |
| IdP SSO URL | |
| IdP Certificate | Must start with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE----- (paste without extra characters/new lines). |
If you have an IdP metadata file, you can simply send that instead.
3.2 User attributes
Required attributes (use exact names):
| Attribute | Description |
|---|---|
| | UPN email address used for sign-in, notifications, and booking info |
| first_name | User’s first name (displayed in the platform) |
| last_name | User’s last name (displayed in the platform) |
Recommended attributes:
| Attribute | Description |
|---|---|
| avatar_url | Profile picture URL; initials are used if omitted |
| external_id | IdP user ID for matching |
| manager_id | IdP ID of the user’s line manager (used for approvals) |
| locale | User’s preferred language (defaults to company language if omitted) |
| office | User’s primary office |
| job_title | User’s job title |
| department | User’s department (used for access management) |
| company_entity | User’s legal entity (defaults to company entity if omitted) |
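A pre-flight check for the NameID rule in 3.1 and the attribute names in 3.2, as an added example that is not deskbird's own code: it inspects a decoded test assertion from your IdP and reports mismatches before you send the configuration. The sample assertion and the function name `check_assertion` are constructed for illustration; the email attribute is not checked because its exact name is not shown in the table above, and the script checks configuration only, not the assertion's signature.

```python
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
NAMEID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
REQUIRED = ("first_name", "last_name")
RECOMMENDED = ("avatar_url", "external_id", "manager_id", "locale",
               "office", "job_title", "department", "company_entity")

# Constructed sample: a decoded, unsigned test assertion (all values made up).
# It deliberately sends "lastName" instead of the exact name "last_name".
SAMPLE = f"""<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Subject>
    <saml2:NameID Format="{NAMEID_FORMAT}">jane.doe@example.com</saml2:NameID>
  </saml2:Subject>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="first_name"><saml2:AttributeValue>Jane</saml2:AttributeValue></saml2:Attribute>
    <saml2:Attribute Name="lastName"><saml2:AttributeValue>Doe</saml2:AttributeValue></saml2:Attribute>
    <saml2:Attribute Name="department"><saml2:AttributeValue>IT</saml2:AttributeValue></saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""

def check_assertion(xml_text):
    """Return (errors, warnings) for a decoded test assertion."""
    errors, warnings = [], []
    root = ET.fromstring(xml_text)
    name_id = root.find(".//saml2:Subject/saml2:NameID", NS)
    if name_id is None:
        errors.append("NameID missing")
    else:
        if name_id.get("Format") != NAMEID_FORMAT:
            errors.append(f"NameID Format is {name_id.get('Format')!r}")
        value = (name_id.text or "").strip()
        if value.count("@") != 1 or value.startswith("@") or value.endswith("@"):
            errors.append(f"NameID {value!r} is not an email address")
    # Map attribute name -> first value; names are compared case-sensitively.
    attrs = {}
    for a in root.iterfind(".//saml2:Attribute", NS):
        v = a.find("saml2:AttributeValue", NS)
        attrs[a.get("Name")] = (v.text or "").strip() if v is not None else ""
    for name in REQUIRED:
        if not attrs.get(name):
            errors.append(f"required attribute {name!r} missing or empty")
    for name in RECOMMENDED:
        if not attrs.get(name):
            warnings.append(f"recommended attribute {name!r} not sent")
    return errors, warnings

if __name__ == "__main__":
    errs, warns = check_assertion(SAMPLE)
    print("\n".join(["ERROR: " + e for e in errs] + ["warn: " + w for w in warns]))
```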
3.3 Metadata file
After creating the SAML application in your IdP, please send us the metadata file that includes:
- Certificate
- Entity ID
- SSO URL