Step 1: Configure your identity provider (IDP)
- Set the login URL to the following:
  - https://<Companydomain>.invivo.benchling.com/api/login/sso/saml2/callback
  - The company domain will be in the format <yourcompanyname><test/dev>, e.g.:
    - https://ExampleCompany.invivo.benchling.com/api/login/sso/saml2/callback
    - https://ExampleCompanytest.invivo.benchling.com/api/login/sso/saml2/callback
- Set the logout URL to the following:
  - https://<Companydomain>.invivo.benchling.com/api/logout
Please include the following attribute mappings (assertions):
- firstName: user's first name
- lastName: user's last name
- email: user's email
Step 2: Send configuration information to Benchling
Once you've configured your IDP, you should have a metadata URL (some providers do not offer a URL and offer only a metadata file, usually called metadata.xml). Please send that URL (or file) to Benchling along with the Audience and Issuer for this application.
Once Benchling support has received the metadata, we'll turn on SAML in "soft launch" mode. In this mode, we'll be able to verify that SAML works but users will not yet be forced to log in via SAML.
Step 3: Verify SAML integration
Options to test SAML:
Option 1: The users assigned to this application should now see "Benchling In Vivo" in the IDP. Click on the application to test login.
Option 2: Navigate to the following URL: https://<Companydomain>.invivo.benchling.com/api/login/sso/saml2
Option 3: Navigate to the tenant URL to log in: https://<Companydomain>.invivo.benchling.com/login. Click Login with SSO below the login fields.
Step 4: Add all users to the access list
Once SAML is confirmed to be working, ensure that all users have access to Benchling from within your IDP. Be careful to double-check this, as any user who does not have access will be locked out of Benchling once SAML is fully enabled.
Step 5: Enforce SAML for all users
Finally, ask Benchling support to enforce SAML for all users. All future sign-ons will go through your IDP instead of the normal username and password flow.
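Before requesting enforcement, the Step 1 login URL and attribute mapping can be checked against the base64 SAMLResponse form value captured from a Step 3 test login. The script below is an added example, not Benchling code: check_response and make_sample are hypothetical helper names, the sample response is constructed and unsigned, and it assumes the IDP sends the assertion unencrypted with the standard Destination attribute set.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED = ("firstName", "lastName", "email")    # attribute names from Step 1
CALLBACK_PATH = "/api/login/sso/saml2/callback"  # login URL path from Step 1


def check_response(b64_response, company_domain):
    """List mapping problems in a base64 SAMLResponse; does NOT verify signatures."""
    root = ET.fromstring(base64.b64decode(b64_response))
    problems = []
    # The IDP must post to the tenant callback URL configured in Step 1.
    dest = urlsplit(root.get("Destination", ""))
    want_host = f"{company_domain}.invivo.benchling.com".lower()
    if (dest.scheme, dest.hostname, dest.path) != ("https", want_host, CALLBACK_PATH):
        problems.append(f"unexpected Destination: {root.get('Destination')!r}")
    # Map each attribute name to its first value (an encrypted assertion shows none).
    found = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        value = attr.findtext("saml:AttributeValue", default="", namespaces=NS)
        found.setdefault(attr.get("Name"), value.strip())
    for name in REQUIRED:
        if not found.get(name):
            problems.append(f"missing or empty attribute: {name}")
    return problems


def make_sample(destination, attrs):
    """Build a constructed, unsigned SAMLResponse (sample data, not real IDP output)."""
    items = "".join(
        f'<saml:Attribute Name="{k}"><saml:AttributeValue>{v}</saml:AttributeValue>'
        "</saml:Attribute>" for k, v in attrs.items())
    xml = (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
           f'Destination="{destination}"><saml:Assertion><saml:AttributeStatement>'
           f"{items}</saml:AttributeStatement></saml:Assertion></samlp:Response>")
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    url = "https://ExampleCompany.invivo.benchling.com" + CALLBACK_PATH
    # Constructed mistake: the IDP sends "mail" instead of "email".
    bad = make_sample(url, {"firstName": "Ada", "lastName": "Lovelace", "mail": "ada@example.com"})
    for problem in check_response(bad, "ExampleCompany"):
        print("FAIL:", problem)
```

An empty result means the destination and the three attribute names match Step 1; it says nothing about signature validity, which is checked on the Benchling side using the metadata sent in Step 2.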
Expired SSO certificate
If the SSO certificate expires, contact Benchling Support to update the SSO metadata link.