Configure SAML single sign on

Aarthi

Security Assertion Markup Language (SAML) is an open, XML-based standard for exchanging authentication and authorization data between an identity provider and a service provider, so that users can sign in to many applications with one set of credentials. Single sign-on (SSO) lets an identity provider (IdP) authenticate a user once and then assert that user's identity to other applications. SAML SSO provides a seamless experience for users of Benchling and other applications, since a single set of credentials is all that is needed to log in to each of them.

When a user attempts to access a Benchling tenant with SAML SSO enforced, Benchling generates a SAML authentication request and redirects the user to the customer's IdP. The IdP prompts the user to sign in. Once the user's credentials are verified, the IdP sends a SAML response containing the user's identity and attributes back to Benchling, which matches it to a Benchling account and logs the user in to their tenant.

Using SAML SSO with Benchling benefits scientists and IT teams alike. IT teams can manage users, control application access, and enforce password policies in one place. Scientists no longer lose time on password and application management, since a single username and password gives them access to all of their applications.

SSO can be configured to be optional or enforced for all users.

 

Key terms and definitions

  • Authentication: the process of verifying users/identities based on credentials provided at time of access.
  • Identity Provider (IdP): a system that creates, maintains, and manages identity information and performs the authentication of user identities (e.g. Okta, Microsoft Entra ID). It communicates authentication and authorization data to the service provider.
  • Service Provider (SP): an application (e.g. Benchling) that wants to authenticate users through an IdP. The SP relies on the IdP's authentication to decide whether to grant the user's request.

     

Optional SAML features

The following are optional features that can be added to standard SAML configurations. Implementing these features involves configuration and testing steps to ensure support is possible.

  • Single log out (SLO) is a SAML feature where users can sign out of Benchling and all other IdP configured applications with a single action. SLO saves users time by allowing them to sign out of all applications at once and provides additional security since users don't have to remember to log out of connected apps.
  • Electronic signature (e-signature) is a SAML-enabled feature that requires a user to re-confirm their identity through SSO whenever they send an entry for review or accept, reject, or retract a review. E-signatures add a layer of authentication throughout the Benchling entry review process. This depends on the IdP honoring a forced re-authentication (SAML ForceAuthn) request rather than silently reusing the existing IdP session; see the Force Authentication setting in the Okta steps below.

Platform-specific configuration

In order to set up SAML-based SSO, you must first configure your IdP. Benchling supports any IdP that implements the SAML 2.0 protocol. Once you've configured your IdP, you will need to send the configuration information to Benchling; see the Send configuration information to Benchling section below.

Okta

Configuring SAML on Okta requires that you add an application for each tenant, configure the application, and send Benchling your metadata URL. You can also optionally configure single logout with Okta. The sub-sections walk you through how to complete each set of steps. 

Add an Okta application for each tenant 

 

  1. From the Okta admin Applications panel, click Add Application 
  2. Search for Benchling for Enterprise in the Okta gallery
  3. In the General settings, create and specify a name for the application 
  4. Click Done 

Configure the application 

  1. In the Sign On tab, click Edit and make the following changes 
  2. Uncheck the box next to Disable Force Authentication, so that Okta re-prompts the user for credentials when Benchling requests forced authentication (for example, for e-signatures)
  3. Under Advanced Sign-on settings, fill in the Domain using the URL of your Benchling tenant (this will look like biotechtx.benchling.com or biotechtx-validated.benchling.cloud)
  4. For the Tenant name, use your tenant name (commonly the first portion of the URL, e.g. biotechtx or biotechtx-validated from the example above)

Note: Benchling support may provide you with a different value to populate this field 

By default, Okta will send the ${user.firstName} attribute, and this value is used (along with ${user.lastName}) to set the user's Display name in Benchling. If you would like to use a separate profile attribute for the first name, add a preferredFirstName attribute to your SAML application.

See instructions from Okta for further assistance. 

 

Send Benchling your metadata URL 

  1. On the Sign On tab, find the Identity Provider metadata link
  2. Right-click Identity Provider metadata and copy the URL (this is your metadata URL; it should look something like https://YOURCOMPANY.okta.com/app/dd8safsdf123/sso/saml/metadata)
  3. Send this URL to Benchling support to complete configuration 

Configure single logout 

Enabling this feature is optional. Okta uses the certificate you upload to verify the signature on the logout requests that Benchling sends, so it must be the certificate Benchling support provides, not one of your own.

  1. Request the Signature Certificate from Benchling support 
  2. Once it has been provided, check the option labeled Enable Single Logout 
  3. Upload the certificate under Signature Certificate 

After completing all of the steps your organization needs, continue to the send configuration information to Benchling section. 

 

Microsoft Entra ID (formerly Azure AD)

Follow the setup and testing procedures in Microsoft Entra’s documentation. When adding Benchling from the gallery to your list of managed SaaS apps, create an instance of the Benchling app for each of your Benchling tenants. For example, if you have a test tenant and a production tenant, you’d need to add an instance for both domains. 

After completing all of the steps, continue to the send configuration information to Benchling section

 

Microsoft ADFS 

Benchling supports single sign-on for Active Directory users by integrating with Microsoft Active Directory Federation Services (ADFS). ADFS is a separate service from Microsoft that lets users perform a SAML login with their Active Directory credentials. The instructions below assume you already have ADFS set up.

  1. Open the ADFS Management application and select the Relying Party Trusts folder 
  2. Select Actions and then select Add a new Standard Relying Party Trust to open the wizard and create a Relying Party Trust where you will make the following selections: 
    • Select Data Source: choose enter data about the relying party manually 
    • Choose Profile: choose AD FS profile (not AD FS 1.0 and 1.1 profile)
    • Configure Certificate: you do not need to specify a token encryption certificate
    • Configure URL: choose the SAML 2.0 option and set the SSO service URL to https://YOURDOMAIN.benchling.com/ext/saml/signin:finish 
    • Configure identifiers: set to https://YOURDOMAIN.benchling.com/ext/saml/metadata.xml 
    • Choose Issuance Authorization Rules
      • If you’d like all users to be able to access - choose Permit all users to access this relying party 
      • If you don’t want all users to be able to access - choose Deny all users access to this relying party 
        • Note: later you’ll need to create issuance authorization rules to enable access 
  3. At the end of the wizard, check the option to open the Edit Claim Rules dialog 
  4. Add a new rule 
    • Choose Rule Type: Send LDAP Attributes as Claims
    • Configure Claim Rule: Give the rule a name, and choose Active Directory for the attribute store 
    • Configure the following mappings
      • E-Mail-Addresses as email
      • Given Name as firstName
      • Surname as lastName 
  5. Add a second rule 
    • Choose Rule Type: Transform an Incoming Claim 
    • Configure Claim Rule and make sure Pass through all claim values is selected 
      • Incoming claim type: Email Address
      • Outgoing claim type: Name ID
      • Outgoing Name ID format: Email

Note: the instructions above identify a user by email address. If user emails can change, you can identify users by their sAMAccountName instead. This is the user's Windows logon name in Active Directory (e.g. jdoe); it is set for every user and does not change when the email address does. Because it is not an email address, ask your Implementation Manager to switch Benchling's requested NameID format to unspecified so that the value is matched against the user's Benchling handle (see NameID under Other systems).

To set up identifying via sAMAccountName: 

  1. Keep the first rule sending E-Mail-Addresses as email (the email attribute is still used for the user's profile)
  2. Replace the second rule with a rule of type Send LDAP Attributes as Claims that sends SAM-Account-Name as Name ID instead

After completing all of the steps your organization needs, continue to the send configuration information to Benchling section.  

 

Google Workspace (G Suite)

Follow the "set up your own custom SAML app" instructions in the Google Workspace admin guide to create a custom SAML application. Screenshots for the setup steps accompany each step description in the original guide.

  1. Download the IdP metadata (Google provides a metadata file rather than a URL), keep it to email to Benchling support, and click Next
  2. Set the Application Name to Benchling, then click Next 
  3. Fill out the following service provider details, then click Next 
    • ACS URL: https://YOURDOMAIN.benchling.com/ext/saml/signin:finish 
    • ENTITY ID: https://YOURDOMAIN.benchling.com/ext/saml/metadata.xml
    • Signed Response: checked 
    • Name ID: Basic Information and Primary Email
    • Name ID Format: EMAIL
       
  4. Configure the firstName and lastName in Attribute Mapping, then click Finish 

The Google Suite Guide also includes instructions to Turn on your SAML app to allow users to access Benchling through your new SAML application. 

After completing all of the steps, continue to the send configuration information to Benchling section. 

 

Centrify

Follow Centrify’s instructions to add a custom SAML application

  1. Under Identity Provider Configuration and Metadata, copy the URL. This is your metadata URL that you'll need to send to Benchling
  2. Under Service Provider Configuration, select Manual configuration 
  3. Enter the following information, replacing “YOURDOMAIN” with your own subdomain: 
    • SP Entity ID / Issuer / Audience: https://YOURDOMAIN.benchling.com/ext/saml/metadata.xml
    • Assertion Consumer Service (ACS) URL: https://YOURDOMAIN.benchling.com/ext/saml/signin:finish
    • Recipient Same as ACS URL: leave checked 
    • Sign Response or Assertion: select Response 
    • <NameID> Format: unspecified (the NameID value itself must still be the user's email address, or their Benchling handle if Benchling has been asked to match on handles; see NameID under Other systems)
    • Encrypt SAML Response Assertion: leave unchecked 
    • Relay State: leave empty
    • Authentication Context Class: unspecified 
  4. On the SAML Response page, in the Attributes section add the following attributes (attribute name as attribute value): 
    • firstName as LoginUser.FirstName
    • lastName as LoginUser.LastName
    • email as LoginUser.Email

After completing all of the steps, continue to the send configuration information to Benchling section. 

 

OneLogin

  1. Go to the OneLogin applications page and click Add App 
  2. Search for SAML Test Connector (IDP) in the Find Applications section, and select SAML Test Connector (IDP) w/encrypt 
  3. Update the Display Name to Benchling and click Save 
  4. Set the following attributes, replacing “YOURDOMAIN” with your own subdomain: 
    • RelayState: leave empty 
    • Audience: https://YOURDOMAIN.benchling.com/ext/saml/metadata.xml
    • Recipient: https://YOURDOMAIN.benchling.com/ext/saml/signin:finish
    • ACS (Consumer) URL Validator: ^https:\/\/YOURDOMAIN\.benchling\.com\/ext\/saml\/signin:finish$ (escape the dots so the validator only matches your tenant's exact ACS URL)
    • ACS (Consumer) URL: https://YOURDOMAIN.benchling.com/ext/saml/signin:finish
    • Single Logout URL: leave empty
  5. For each of the parameters listed below, click Add parameter, type in the field name, check Include in SAML assertion, and click Save 
    • email
    • firstName
    • lastName
  6. The actions above will add a row to the parameters table with a Value of “-No Default-” click the Value field and select the appropriate value in the dropdown (field name, value): 
    • email, Email
    • firstName, First Name
    • lastName, Last Name
  7. Click Save in the top right of the page  

After completing all of the steps, continue to the send configuration information to Benchling section. 

 

PingOne

Follow PingOne's instructions to create a new SAML Application. You'll need to create one for each of your Benchling tenants. For example, if you have a test tenant and a production tenant, you'd need to add an application for both domains.

You’ll need the following information from us to fill out the following fields, replace “YOURDOMAIN” with your own tenant domain: 

  • Protocol Version: choose SAML 2.0
  • Upload Metadata: the metadata from Benchling can be found at https://YOURDOMAIN.benchling.com/ext/saml/metadata.xml
  • Single Logout Endpoint: do not fill in 
  • Single Logout Response Endpoint: do not fill in 
  • Single Logout Binding Type: do not fill in 
  • Optional: Encrypt Assertion: should be enabled 
  • Modify or add any attribute mappings as necessary for the application: note the case sensitivity of the attribute names 
    • Send “firstName” set to the user’s first name
    • Send “lastName” set to the user’s last name
    • Send “email” set the user’s email 

After completing all of the steps, continue to the send configuration information to Benchling section.  

 

Other systems 

Below is the information needed to set up a SAML application. You will need the following: 

  • Your tenant domain (benchling.com or benchling.cloud)
  • Your tenant name

For example for tenants called: 

  • biotechtx.benchling.com: the domain is benchling.com and the tenant name is biotechtx
  • biotechtx-validated.benchling.cloud: the domain is benchling.cloud and the tenant name is biotechtx-validated

Your implementation manager can confirm the name of each of your tenants as part of this process. 

You will then need to configure a SAML Application for each of your Benchling tenants. For example, if you have a test tenant and a production tenant, you’d need to add an application for both domains. 

Configure the applications as follows: 

  • Single sign on URL (also known as the Assertion Consumer Service URL or ACS URL): https://<YOURDOMAIN>/ext/saml/signin:finish 
    • For example: https://biotechtx.benchling.com/ext/saml/signin:finish
  • Entity ID (also known as the audience URI): https://<YOURDOMAIN>/ext/saml/metadata.xml 
    • For example: https://biotechtx-validated.benchling.cloud/ext/saml/metadata.xml
  • NameID: the identifier of the user to be matched with a Benchling account. Benchling accepts either a username, which is matched to the handle on a Benchling account, or an email address. By default, Benchling's SAML requests ask for a NameID of format urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress. If you would like to identify users in Benchling by handle, your Implementation Manager can change the requested NameID format to urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
  • Responses: should be signed if possible; otherwise assertions should be signed. Benchling verifies the signature with the signing certificate in the IdP metadata you send, so a response whose assertion and envelope are both unsigned cannot be trusted
  • Attribute mappings
    • firstName: user’s first name
    • lastName: user’s last name
    • email: user’s email 

After completing all of the steps, continue to the send configuration information to Benchling section. 
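The values above (ACS URL, Entity ID, NameID format, attribute names, signed response) are exactly what goes wrong most often on a first SSO test. The following is an added example, not Benchling's code, of a pre-flight checker that reads a SAML Response captured from your IdP (for instance with a browser SAML tracer) and compares it with the SP configuration for a tenant. The tenant name, user, timestamps and the placeholder signature element are made up. It checks structure and policy only; it does not verify the XML signature, which needs the IdP's signing certificate from its metadata and an XML-DSig library such as python-xmlsec.

```python
# Added example (not Benchling's code): pre-flight check of a SAML 2.0 Response against the
# SP values Benchling publishes. Checks ACS URL, audience, NameID format, validity window,
# attribute names and the presence of a signature. It does NOT verify the XML signature.
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree for untrusted input

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
FMT_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
FMT_UNSPEC = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
REQUIRED_ATTRS = ("firstName", "lastName", "email")  # case-sensitive


def sp_config(domain, nameid_format=FMT_EMAIL):
    """SP values for a tenant such as 'biotechtx.benchling.com' (FMT_UNSPEC for handle matching)."""
    return {"acs_url": f"https://{domain}/ext/saml/signin:finish",
            "entity_id": f"https://{domain}/ext/saml/metadata.xml",
            "nameid_format": nameid_format}


def _t(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_response(xml_text, cfg, now=None, skew=timedelta(minutes=3)):
    """Return a list of findings; [] means the response matches the SP configuration."""
    now = now or datetime.now(timezone.utc)
    out = []
    resp = ET.fromstring(xml_text)
    if resp.tag != f"{{{NS['samlp']}}}Response":
        return ["root element is not samlp:Response"]
    if resp.get("Destination") != cfg["acs_url"]:
        out.append(f"Destination {resp.get('Destination')!r} != ACS URL {cfg['acs_url']!r}")
    code = resp.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != "urn:oasis:names:tc:SAML:2.0:status:Success":
        out.append("status is not Success")
    assertions = resp.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        return out + [f"expected one assertion, found {len(assertions)}"]
    a = assertions[0]
    if resp.find("ds:Signature", NS) is None and a.find("ds:Signature", NS) is None:
        out.append("neither the Response nor the Assertion is signed")
    aud = a.find("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    if aud is None or aud.text != cfg["entity_id"]:
        out.append(f"Audience {getattr(aud, 'text', None)!r} != Entity ID {cfg['entity_id']!r}")
    cond = a.find("saml:Conditions", NS)
    if cond is not None:  # allow a little clock skew between IdP and SP
        if cond.get("NotBefore") and _t(cond.get("NotBefore")) - skew > now:
            out.append("assertion not yet valid (NotBefore in the future)")
        if cond.get("NotOnOrAfter") and _t(cond.get("NotOnOrAfter")) + skew <= now:
            out.append("assertion expired (NotOnOrAfter in the past)")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is not None and scd.get("Recipient") not in (None, cfg["acs_url"]):
        out.append(f"Recipient {scd.get('Recipient')!r} != ACS URL")
    nameid = a.find("saml:Subject/saml:NameID", NS)
    if nameid is None or not (nameid.text or "").strip():
        out.append("NameID missing")
    else:
        fmt = nameid.get("Format", FMT_UNSPEC)  # SAML default when Format is absent
        if fmt != cfg["nameid_format"]:
            out.append(f"NameID Format {fmt!r} != requested {cfg['nameid_format']!r}")
        if cfg["nameid_format"] == FMT_EMAIL and "@" not in nameid.text:
            out.append("NameID is not an email address")
    got = {x.get("Name") for x in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    out += [f"attribute {n!r} missing (names are case-sensitive)" for n in REQUIRED_ATTRS if n not in got]
    return out


# Constructed sample response for the made-up tenant biotechtx.benchling.com.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 ID="_r1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z"
 Destination="https://biotechtx.benchling.com/ext/saml/signin:finish">
 <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
 <ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Subject>
   <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane@biotechtx.example</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData Recipient="https://biotechtx.benchling.com/ext/saml/signin:finish" NotOnOrAfter="2024-05-01T12:05:00Z"/>
   </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
   <saml:AudienceRestriction><saml:Audience>https://biotechtx.benchling.com/ext/saml/metadata.xml</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
   <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="email"><saml:AttributeValue>jane@biotechtx.example</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""
SAMPLE_TIME = datetime(2024, 5, 1, 12, 1, tzinfo=timezone.utc)  # "now" for the sample

if __name__ == "__main__":
    print(check_response(SAMPLE_RESPONSE, sp_config("biotechtx.benchling.com"), now=SAMPLE_TIME))
```

Run it against the same response with the config for a different tenant (for example the validated tenant on benchling.cloud) and both the Destination and Audience checks fail, which is the symptom of pointing one IdP application at two Benchling tenants instead of creating one application per tenant. Switching the requested NameID format to unspecified without changing what the IdP sends is reported as a format mismatch, which is why that change is coordinated with your Implementation Manager.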

 

Send configuration information to Benchling

  1. Once you've configured your IDP, locate your metadata URL (some providers do not offer a URL and offer only a metadata file usually called metadata.xml)
  2. Send that URL (or file) to your Benchling customer success representative
  3. Once Benchling support has received the metadata, SAML will be turned on in "soft launch" mode (in this mode, you'll be able to verify that SAML works but users will not yet be forced to log in via SAML)

Note: You can send either a metadata URL or a metadata file downloaded from your IdP to Benchling. Sending the metadata URL is preferred initially, but Benchling support may request the metadata file if there is an issue to troubleshoot.
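Before sending the metadata, it is worth reading it the way the service provider will. The following is an added example, not Benchling's code, that parses an IdP metadata document (a constructed, Okta-style sample is embedded; the entity ID, endpoints and certificate text are placeholders) and reports what Benchling will rely on: the entity ID, the HTTP-POST and HTTP-Redirect sign-on endpoints, any single logout endpoint, and the signing certificate(s). It also flags the problems that lead to a support round trip: no signing certificate, a non-HTTPS endpoint, or a metadata validUntil that has already passed. The helper at the end wraps the certificate as PEM so that its expiry can be read with `openssl x509 -noout -enddate`, which is the check to schedule before the certificate expires (see Expired SSO certificate below).

```python
# Added example (not Benchling's code): inspect IdP metadata before sending it to Benchling.
from datetime import datetime, timezone
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree for untrusted input

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD, "ds": "http://www.w3.org/2000/09/xmldsig#"}
SSO_BINDINGS = {"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
                "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"}


def parse_idp_metadata(xml_text):
    """Return the fields an SP reads from IdP metadata."""
    root = ET.fromstring(xml_text)
    # Some IdPs wrap the entity in an EntitiesDescriptor; take the first EntityDescriptor.
    ent = root if root.tag == f"{{{MD}}}EntityDescriptor" else root.find("md:EntityDescriptor", NS)
    if ent is None or ent.find("md:IDPSSODescriptor", NS) is None:
        raise ValueError("metadata does not describe a SAML 2.0 identity provider")
    idp = ent.find("md:IDPSSODescriptor", NS)
    certs = ["".join(c.text.split())  # base64 is often wrapped; strip the whitespace
             for kd in idp.findall("md:KeyDescriptor", NS)
             if kd.get("use", "signing") == "signing"  # no 'use' attribute means both uses
             for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)]
    return {"entity_id": ent.get("entityID"),
            "valid_until": ent.get("validUntil") or root.get("validUntil"),
            "sso": {e.get("Binding"): e.get("Location") for e in idp.findall("md:SingleSignOnService", NS)},
            "slo": {e.get("Binding"): e.get("Location") for e in idp.findall("md:SingleLogoutService", NS)},
            "signing_certs": certs}


def preflight(xml_text, now=None):
    """Return (parsed metadata, list of problems); [] means nothing obvious is wrong."""
    now = now or datetime.now(timezone.utc)
    md = parse_idp_metadata(xml_text)
    problems = []
    if not md["entity_id"]:
        problems.append("missing entityID")
    if not any(b in SSO_BINDINGS for b in md["sso"]):
        problems.append("no HTTP-Redirect or HTTP-POST SingleSignOnService endpoint")
    for url in list(md["sso"].values()) + list(md["slo"].values()):
        if not (url or "").startswith("https://"):
            problems.append(f"endpoint not HTTPS: {url}")
    if not md["signing_certs"]:
        problems.append('no signing certificate (KeyDescriptor use="signing")')
    if md["valid_until"]:
        ts = md["valid_until"].split(".")[0].rstrip("Z") + "Z"  # tolerate fractional seconds
        if datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc) <= now:
            problems.append(f"metadata validUntil {md['valid_until']} has already passed")
    return md, problems


def to_pem(b64):
    """Wrap a metadata X509Certificate value as PEM for `openssl x509 -noout -enddate`."""
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed sample; the entity ID, app path and certificate text are placeholders.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://www.okta.com/exk0example"
 validUntil="2025-01-01T00:00:00Z">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
    MIIC0placeholder
    signingcertbase64
  </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>enccert</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://yourcompany.okta.com/app/exk0example/sso/saml"/>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://yourcompany.okta.com/app/exk0example/sso/saml"/>
 </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
SAMPLE_NOW = datetime(2024, 5, 1, tzinfo=timezone.utc)  # "now" for the sample

if __name__ == "__main__":
    md, problems = preflight(SAMPLE_METADATA, now=SAMPLE_NOW)
    print(md["entity_id"], sorted(md["sso"]), problems)
    print(to_pem(md["signing_certs"][0]))
```

Feed the PEM output to `openssl x509 -noout -enddate` to get the date the IdP's signing certificate stops being valid; put that date on a calendar, because after it Benchling can no longer verify responses from your IdP until the metadata is updated.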

 

Verify SAML integration

Benchling support will send you instructions on how to verify that SAML is working.

 

Add all users to the access list

Once confirmed to be working, ensure that all users have access to Benchling from within your IDP.

Note: Be careful to double check this, as any user who does not have access will be locked out of Benchling once SAML is fully enabled.

 

Enforce SAML for all users

  1. Ask Benchling support to enforce SAML for all users
  2. All future sign-ons will go through your IDP instead of the normal username and password flow

     

Expired SSO certificate

If the SSO certificate expires, users will no longer be able to sign in through SAML. Contact Benchling Support to update the SSO metadata link (or send a fresh metadata file) so that Benchling picks up the new signing certificate; do this before the old certificate expires to avoid login disruption.

 

Frequently asked questions

Q: Can we use Benchling without SSO?
A: Yes. SSO is optional and can be enabled or enforced at the tenant level.

Q: What if a user hasn’t been provisioned in the IdP?
A: They will not be able to access Benchling if SSO is enforced.

Q: Does Benchling support Just-in-Time provisioning?
A: Yes. By default, just-in-time (JIT) provisioning is not enabled, so users must exist in Benchling before they can sign in through SSO. If you would rather have users created in Benchling automatically when they first log in through SSO, reach out to Benchling Support to enable JIT provisioning.

Q: Can we allow some users to bypass SSO?
A: Only while SSO is optional (for example in "soft launch" mode), when both SSO and username/password login are enabled. Once SAML is enforced for all users, every sign-on goes through your IdP.

Q: What happens if the SAML certificate expires?
A: Logins through SAML will fail until Benchling has the new certificate. Rotate the certificate in your IdP before it expires and contact Benchling Support to update the SSO metadata (see Expired SSO certificate above) so there is no login disruption.
