SAML connections are only available to customers on elvex's Enterprise Tier. If you require SAML for your organization and are not on an Enterprise subscription, reach out to us at [email protected].
Enterprise companies that wish to use their identity provider (IdP) for enterprise SSO can do so by enabling a SAML connection for their company.
Enabling SSO/SAML
Administrators can head to Settings > SAML to configure their organization's SAML connection.
Step 1: Upload your IdP metadata XML file
Enabling SAML requires first uploading your IdP metadata XML file. How you generate this XML file depends on the identity provider that you're using. You'll often need to create a custom SAML application and provide some information for the service provider (SP), which is elvex in this case. You can find the information you need by expanding "How should I configure elvex as a Service Provider (SP)?"
Important: Remember to configure attribute mappings
As the screenshot above hints at, you will need to configure attribute mappings on your side in order for elvex to correctly capture information.
Also, if your identity provider (e.g. Microsoft Entra) allows you to specify a namespace for these attributes, please remove the namespace and send just the elvex attribute name.
Optional: Configure the "groups" attribute for automatic provisioning
If you want to use SAML attribute groups to automatically assign users to elvex groups or set their company roles, configure your IdP to send a "groups" attribute with user data. This attribute should contain an array of group names from your IdP.
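An added example (not elvex code): a check you can run on a test assertion from your IdP before activating the connection, flagging namespaced attribute names and a "groups" attribute that is missing or not sent as separate values. The sample assertion is constructed, and the function names are illustrative.

```python
import xml.etree.ElementTree as ET  # for XML you do not control, use defusedxml

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample, not captured from a real IdP.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:AttributeStatement>
  <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
   <saml:AttributeValue>alice@example.com</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="groups">
   <saml:AttributeValue>engineering</saml:AttributeValue>
   <saml:AttributeValue>elvex-admins</saml:AttributeValue>
  </saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""


def read_attributes(assertion_xml):
    """Return {attribute Name: [values]} from every AttributeStatement."""
    attrs = {}
    for attr in ET.fromstring(assertion_xml).iterfind(".//saml:Attribute", NS):
        values = [(v.text or "").strip()
                  for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name", ""), []).extend(values)
    return attrs


def review_attributes(attrs):
    """List problems that would keep attributes or groups from mapping."""
    findings = []
    for name in attrs:
        # A URI-style Name means the IdP is still adding its claim namespace.
        if "://" in name or name.startswith("urn:"):
            findings.append(f"namespaced name: {name}")
    groups = attrs.get("groups")
    if groups is None:
        findings.append("no 'groups' attribute sent")
    elif any("," in g or ";" in g for g in groups):
        # Heuristic: an array arrives as one AttributeValue per group name.
        findings.append("'groups' looks like one delimited string, not an array")
    return findings


if __name__ == "__main__":
    for finding in review_attributes(read_attributes(SAMPLE)):
        print("CHECK:", finding)
```

Most IdPs offer a way to preview or capture a test assertion; decode it and pass the XML to read_attributes().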
Step 2: Configure allowed email domains
Under "elvex / Service Provider (SP)" you'll now need to provide the email domains that are permitted for your SAML connection. This setting is only relevant when users attempt to log in to elvex directly via auth.elvex.ai. When they enter an email address, elvex will automatically determine if SAML is configured for this domain and will redirect the user to your IdP for authentication and then back to elvex.
Step 3: Set the default role for new users
Choose the default company role that will be assigned to new users when they're provisioned via SAML:
Member: Can use assistants and datasources, create their own resources
Creator: All Member permissions plus ability to share resources
Admin: All Creator permissions plus company management capabilities
This default role is used when a user's IdP attributes don't match any configured SAML attribute groups.
Step 4: (Optional) Configure SAML attribute groups
SAML attribute groups allow you to automatically:
Add users to elvex groups based on their IdP attributes
Assign different company roles based on their IdP attributes
Step 5: Activate the connection
Once you've completed the steps above, click "Activate SAML connection" and you'll see a notification telling you the connection is active. You'll now be able to test authentication using your IdP.
If you encounter issues, please reach out to us at [email protected].
Disabling SSO/SAML
To disable your SAML connection, simply navigate to Settings > SAML and click the "Disable SAML" button. You'll be asked to confirm before disabling the connection. You can always re-enable SAML at a later point in time.
FAQs
Do you support identity provider initiated SSO?
Yes. This is enabled by default when you enable SAML for your company within elvex.
Can users also authenticate with elvex directly?
Yes. When a user visits auth.elvex.ai, they'll first be prompted to enter an email address. If that email matches one of the allowed domains you provided when creating the SAML connection, they will automatically be redirected to your IdP for authentication and then redirected back to elvex.
Can I disable other authentication methods (e.g. Google) in elvex after I enable SAML?
No, unfortunately this is not possible.
How does user provisioning work with elvex and SAML?
Users are auto-provisioned (sometimes referred to as just-in-time provisioning) when they first log in using your identity provider.
For new users:
If their IdP attributes match configured SAML attribute groups, they receive the assigned company role and are added to associated elvex groups
If no SAML attribute groups match, they receive the default role configured in your SAML settings
For existing users:
Their company role remains unchanged
They are automatically added to or removed from groups based on their current IdP attributes and SAML attribute group configuration
Can I customize the role users are autoprovisioned with?
Yes. You can configure SAML attribute groups to assign different company roles (Member, Creator, or Admin) based on users' IdP attributes. If a user's attributes don't match any SAML attribute groups, they receive the default role configured in your SAML settings.
What happens to users that were provisioned with SAML if I disable a SAML connection?
Users who were auto-provisioned previously will remain after you disable your connection.
What happens to SAML attribute group configurations if I disable SAML?
Your SAML attribute group configurations are preserved. If you re-enable SAML later, the configurations will still be active.
Can the same SAML attribute group be used for both group assignment and company role assignment?
Yes. A single SAML attribute group can be associated with multiple elvex groups and also assigned a company role. This allows you to configure both automatic group membership and role assignment with one SAML attribute group.


