SSO with SAML

You can configure Opal to authenticate users via SAML SSO by setting up a SAML provider. We currently have documentation for how to set up 2 types of SAML providers, though other SAML providers should also work:

Restrict logins to SAML only

By default, when you set up SAML SSO in Opal, Opal allows users to log in using either SAML SSO or Opal's traditional sign-in options (e.g. Google, Microsoft 365).

Alternatively, you can require users to log in to Opal via SAML. To do this:

  1. Go to Settings -> Authentication -> SAML SSO Settings.
  2. Set up a SAML connection (Okta SAML Setup, Google SAML Setup).
  3. Toggle Restrict logins to SAML only to ON.


SAML breakglass users

Even if you've restricted your organization to log in via SAML, it can still be useful to allow a subset of users to log in via other methods. In Opal, we call these "SAML breakglass users." To edit this list, first ensure that Restrict logins to SAML only is turned ON. Then:

  1. Edit the list of SAML breakglass users by clicking the users button.
  2. Use the UI to add users to or remove users from the list. All users on this list will be able to log in to Opal via both SAML and non-SAML methods.