Balsamiq Cloud documentation
Setting up a space for Single Sign-On authentication (SAML)
Note: This feature is only available for Enterprise users.
Single-Sign-On (SSO) is a secure way to let users log in to the different services that a company uses. It is a good alternative to using multiple passwords and might even be a requirement for some companies.
Balsamiq Cloud supports SSO via Security Assertion Markup Language (SAML). When the feature is turned on, users will be able to log into Balsamiq Cloud via their company's Identity Provider (IdP).
Please note that all users will be considered Staff Members, so the People page won't have a “Staff” checkbox.
Configuring Single Sign-On
Note: the following steps require an existing Identity Provider account with an email, first name and last name.
Space Owners can configure SSO from the Space Settings, as shown below.
Clicking "Configure SSO..." reveals the four configuration steps below that will help you set up Balsamiq Cloud as a SAML Service Provider.
Step 1 - Service provider details
The first step of the configuration provides the details you need to enter in your Identity Provider to set up Balsamiq Cloud as a SAML Service Provider. Some terms differ from one IdP to another, so we'll cover some of those differences in this section.
Step 2 - Identity provider details
Now that you have filled in the necessary details in your IdP and validated those, let's collect the resulting details needed to set up Balsamiq Cloud:
- the SAML 2.0 Endpoint
- the IdP Issuer
- the Public Certificate
Note: If you have an IdP Metadata file and upload it, the fields will be automatically populated.
Step 3 - Test configuration
All details should have been set up in the first two steps. It's now time to verify your SAML configuration before we can turn it on.
Step 4 - Turn on SAML
Now that the verification has been made, the last step allows you to turn on SAML for your Space!
Advanced configuration
As mentioned above, each IdP has a slightly different process (or wizard) with its own specific terminology.
Here is an overview of some of the most used IdPs and their specific differences to help you configure your own setup.
Okta
The terminology used in our SAML configurator's Step 1 is relatively close to Okta's own configuration tool. Below you can find the fields that need to be completed for this step.
Google also uses (almost) the same field names as our configurator. The only setup difference is that the Metadata file needed for our Step 2 can be downloaded before adding the details from our Step 1.
Note: Make sure to leave the “Signed Response” checkbox unchecked in this step.
Windows Server ADFS
Windows Server Active Directory Federation Service (ADFS) is another popular IdP that has a few particularities during the setup process.
After starting to fill out the different fields for our Step 1, you need to manually add a mapping rule with the following settings.
Once the mapping rule has been created, let's add a transform rule.
Now that the rules have been added, the Metadata file needed for our Step 2 can be downloaded from this path: https://<Federation Service name (FQDN)>/FederationMetadata/2007-06/FederationMetadata.xml
Entra ID (formerly Azure Active Directory)
Microsoft Entra ID/Azure Active Directory has a different process to follow.
When starting the configuration, make sure to "create your own application" with the non-gallery option selected.
Once you are looking at the overview, select "Set up Single Sign On" to enter the details provided in our Step 1.
Note: The Entity ID comes before the ACS URL in their configuration tool. The "Relay State" field can be filled out with our Start URL.
The "User Attributes & Claims" step needs to be filled out with the following details:
Finally, the Metadata file needed for our Step 2 is called "Federation Metadata XML" and is available on the SAML Signing Certificate.
Keycloak
The configuration process of Keycloak is relatively in line with ours, but the required fields are not necessarily ordered the same way.
Here is a quick look at the fields and options that need to be taken care of.
Turning off Single Sign-On
Space Owners can turn off SSO from the Space Settings, by clicking "Configure or Turn Off SSO..." > "Turn Off SSO..".
We hope that these examples will help you configure SSO with Balsamiq Cloud. However, don't hesitate to reach out to us via support@balsamiq.com if needed. We're here to help! :)