Connect Identity Provider

If this is your first time connecting an IDP, enter the IDP setup walkthrough via the banner at the top of the page.

When you connect Opal to your identity provider (IDP), we will create users for your employees and sync helpful information about them.

  • Opal will automatically import your organization's user list
  • Opal can import user information such as manager and title, along with any custom attributes you specify
  • Opal can revoke user access when accounts are terminated in the IDP

Note: Opal does NOT currently create an Opal user automatically for every individual in your IDP. Opal users are created only when they are also members of an imported app.

Identity Providers

Opal currently supports 3 IDPs. See these links for more information:

SAML

You can configure Opal to authenticate users via SAML SSO by setting up a SAML provider. We currently have documentation for how to set up 2 types of SAML providers, though other SAML providers should also work:

Restrict logins to SAML only

By default, when you set up SAML SSO in Opal, Opal allows users to log in using either SAML SSO or Opal's traditional sign-in options (e.g. Google, Microsoft 365).

You can alternatively require that users log in to Opal via SAML only. To do this:

  1. Go to Settings -> Authentication -> SAML SSO Settings.
  2. Set up a SAML connection using one of the setup guides (Okta SAML Setup, Google SAML Setup).
  3. Toggle "Restrict logins to SAML only" to ON.

SAML breakglass users

Even if you've restricted your organization to logging in via SAML, it can still be useful to allow a subset of users to log in via other methods. In Opal, we call these "SAML breakglass users." To edit this list, first ensure that "Restrict logins to SAML only" is turned ON. Then:

  1. Edit the list of SAML breakglass users by clicking the highlighted button in the image below.

  2. Use the UI to add users to or remove users from the list. All users on this list will be able to log in to Opal via both SAML and non-SAML methods.