Single Sign-On (SSO) with SAML for Xtracta

Xtracta supports Single Sign-On using the SAML 2.0 protocol. This lets you give your users a simple and secure way to access the Xtracta app through your preferred identity provider, such as Microsoft Entra ID (Azure AD), Google Workspace, Okta, or any other provider that supports SAML.

This article explains how SSO works in Xtracta, what information we need from you, and how to set up a SAML application in Azure AD.


How SAML SSO Works in Xtracta

Once SSO is enabled for your Xtracta account or group, your users can sign in through your identity provider instead of entering an Xtracta username and password.

Key points:

  • Xtracta currently supports SAML authentication only.
  • Any SAML-compliant identity provider can be used.
  • After SSO is enabled, users can log in by authenticating through your provider.
  • If a user signs in for the first time and does not already exist in Xtracta, Xtracta automatically creates a basic non-admin user profile for them.
  • Your internal admin still needs to assign roles or permissions as needed.

Information Xtracta Provides

Xtracta will provide you with:

  • Reply URL (Assertion Consumer Service URL / ACS URL)

For production environments, this is:

https://global.xtracta.com/auth/user/authenticate/sso/saml/callback

You will use this URL in the SAML configuration in your identity provider.


Information You Need to Provide to Xtracta

To enable and configure SAML SSO for your account or group, please provide the following details from your SAML application:

  • Entity ID (Identifier)
  • Login URL (also called SAML Single Sign-On Service URL)
  • Base64 Certificate (SAML signing certificate)
  • Your organization short name (for example, Xtracta)

The short name is required for new user sign-ups, but is not needed for existing users.


Setting Up a SAML Application in Azure AD (Microsoft Entra ID)

The steps below describe how to configure SAML SSO in Microsoft Entra ID (Azure AD) to work with Xtracta.

Note: You need appropriate admin rights in Azure AD to create and configure Enterprise applications.

1. Create a New Enterprise Application

  1. Log in to the Azure portal.
  2. Go to Enterprise applications.
  3. Click New application.
  4. Select Create your own application.
  5. Enter an application name (for example, Xtracta SAML App Prod).
  6. Choose Integrate any other application you don't find in the gallery (Non-gallery).
  7. Click Create.

2. Configure SAML Single Sign-On

  1. Open the newly created application.
  2. In the left menu, select Single sign-on.
  3. Choose SAML as the single sign-on method.

3. Configure Basic SAML Settings

  1. In the Basic SAML Configuration section, click Edit.

  2. Configure the following fields:

    • Identifier (Entity ID)

      • Enter a unique string, such as saml2-xtracta-prod.
      • You can choose any value, as long as it is unique within your Azure AD tenant.
      • This value must be provided to Xtracta.
    • Reply URL (Assertion Consumer Service URL)

      • Enter the Xtracta Reply URL:
        https://global.xtracta.com/auth/user/authenticate/sso/saml/callback
  3. Click Save.

4. Collect SAML Details for Xtracta

Next, you need to gather the values that Xtracta requires:

  1. In the SAML Certificates section:

    • Download the Certificate (Base64) file.
      This is the signing certificate you must send to Xtracta.
  2. In the Set up section:

    • Copy the Login URL.

You should now have:

  • Identifier (Entity ID)
  • Login URL
  • Base64 Certificate

Send these, along with your organization's short name, to Xtracta support so we can finish the configuration on our side.
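
A pre-send check for the values collected in step 4, as an added example rather than Xtracta or Microsoft code: it confirms the Reply URL matches the ACS URL above, the Login URL is HTTPS, and the Base64 file holds exactly one certificate and no private key, then returns a SHA-256 fingerprint that both sides can compare. The function names, the sample Login URL, and the placeholder certificate bytes are assumptions constructed for illustration.

```python
import base64, binascii, hashlib, re
from urllib.parse import urlsplit

# Production Reply URL (ACS URL) as given in this article.
XTRACTA_ACS = "https://global.xtracta.com/auth/user/authenticate/sso/saml/callback"
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

def check_handover(entity_id, login_url, reply_url, cert_text):
    """Return (problems, sha256_fingerprint) for the values collected in step 4."""
    problems, fingerprint = [], None
    if not entity_id.strip():
        problems.append("Entity ID is empty")
    url = urlsplit(login_url)
    if url.scheme != "https" or not url.hostname:
        problems.append("Login URL must be an absolute https:// URL")
    if reply_url != XTRACTA_ACS:
        problems.append("Reply URL differs from the Xtracta ACS URL")
    if "PRIVATE KEY" in cert_text:
        problems.append("file contains a private key; send the certificate only")
    blocks = PEM_RE.findall(cert_text)
    if len(blocks) != 1:
        problems.append(f"expected exactly one certificate block, found {len(blocks)}")
    else:
        try:
            der = base64.b64decode("".join(blocks[0].split()), validate=True)
        except binascii.Error:
            der = b""
        if not der.startswith(b"\x30"):   # X.509 DER begins with an ASN.1 SEQUENCE
            problems.append("certificate body is not Base64-encoded DER")
        else:
            digest = hashlib.sha256(der).hexdigest().upper()
            fingerprint = ":".join(digest[i:i + 2] for i in range(0, 64, 2))
    return problems, fingerprint

def sample_pem(der):
    """Wrap raw bytes in the PEM armor used by a Certificate (Base64) file."""
    body = base64.encodebytes(der).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"

# Constructed sample input: placeholder bytes standing in for a real DER certificate.
SAMPLE_DER = b"\x30\x82\x01\x0a" + bytes(range(200))
SAMPLE_CERT = sample_pem(SAMPLE_DER)
SAMPLE_LOGIN = "https://login.example.com/tenant-placeholder/saml2"  # constructed

if __name__ == "__main__":
    print(check_handover("saml2-xtracta-prod", SAMPLE_LOGIN, XTRACTA_ACS, SAMPLE_CERT))
```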

5. Testing the Connection

You may see a Test option in the Azure AD wizard. We recommend waiting to test until Xtracta has confirmed that the SSO configuration is complete on our side. Once we confirm the setup:

  1. Access the Xtracta App Login page and select the 'SSO Sign In' option.
  2. Sign in with a user from your organization.
  3. Verify that:
    • Existing users can access Xtracta as expected.
    • New users are created as non-admin users and can sign in, but do not have access to any groups or documents until roles and permissions are assigned by an admin in Xtracta.

User Creation and Permissions

When SSO is enabled:

  • Existing Xtracta users
    If their email address in Xtracta matches the email address in your identity provider, they will simply be able to log in using SSO.

  • New users
    If a user does not exist in Xtracta yet, we will automatically create a new user record after a successful SSO login.
    New users:

    • Are created as non-admin (member) users.
    • Do not have access to any accounts, groups, or documents by default.

Your Xtracta admin must:

  1. Assign the appropriate role (for example, admin or member).
  2. Grant access to the relevant groups, workflows, databases, etc.

Using Other Identity Providers

Although this article focuses on Azure AD, Xtracta can be integrated with any identity provider that supports SAML 2.0, such as:

  • Google Workspace
  • Okta
  • OneLogin
  • Other SAML-compliant IdPs

The values you need to configure are conceptually the same:

  • Set Xtracta's Reply URL as the Assertion Consumer Service URL.
  • Generate an Entity ID in your IdP.
  • Provide Xtracta with:
    • Entity ID
    • Login URL
    • Base64 certificate
    • Organization short name

If you are using a different provider and would like provider-specific guidance, contact Xtracta support.