
Single Sign-On (SSO) with SAML

Atomic CRM supports SSO (Single Sign-On) authentication through SAML 2.0. This allows your users to authenticate using their existing credentials from an identity provider, such as Google Workspace, Okta, or Microsoft Azure AD.

This section explains how to set up SSO with Google Workspace as the identity provider. The steps are similar for other identity providers, but the exact UI and terminology may differ.

In your Supabase dashboard, go to Authentication > Sign in / Providers and enable SAML 2.0:

(Screenshot: Supabase SAML provider settings)

  1. Open your Google Workspace Admin console and go to Apps > Web and mobile apps

    (Screenshot: Google Workspace Admin console, Web and mobile apps)

  2. Choose to add a custom SAML app

    (Screenshot: Web and mobile apps menu)

  3. Fill out app details

    The information you enter here is only used for visibility inside your Google Workspace, so you can choose any values you like. Atomic CRM as the name works well for most use cases. Optionally enter a description and a logo.

    (Screenshot: New app details)

  4. Download IdP metadata

    This is a very important step. Click DOWNLOAD METADATA and save the downloaded file; you will need to pass this file to Supabase later.

    (Screenshot: IdP metadata)

  5. Add service provider details

    Fill out these service provider details on the next screen. Replace <project> with your Supabase project identifier in the URLs below.

    | Detail         | Value                                                   |
    |----------------|---------------------------------------------------------|
    | ACS URL        | https://<project>.supabase.co/auth/v1/sso/saml/acs      |
    | Entity ID      | https://<project>.supabase.co/auth/v1/sso/saml/metadata |
    | Start URL      | Your application URL (optional)                         |
    | Name ID format | EMAIL                                                   |
    | Name ID        | Basic Information > Primary email                       |

    (Screenshot: Service provider details)

  6. Configure attribute mapping

    To map the identity details to the sales (user) fields in Atomic CRM, add the following mappings:

    | Google Directory attributes | App attributes |
    |-----------------------------|----------------|
    | Primary email               | email          |
    | First name                  | first_name     |
    | Last name                   | last_name      |

    (Screenshot: Attribute mapping)

  7. Configure user access

    You can configure which Google Workspace user accounts get access to Atomic CRM. This is important if you wish to limit access to your software engineering teams.

    You can configure this access by clicking on the User access card (or the down-arrow) and following the on-screen instructions.

    (Screenshot: App details)

Save the following JSON in a mapping.json file. Each key is an Atomic CRM field, and its name is the app attribute you configured in step 6:

mapping.json
```json
{
  "keys": {
    "email": {
      "name": "email"
    },
    "first_name": {
      "name": "first_name"
    },
    "last_name": {
      "name": "last_name"
    }
  }
}
```

Then run the following command, where metadata.xml is the file you downloaded at step 4 and mapping.json is the file you just created. Replace <your-project> with your Supabase project identifier and company.com with your company domain:

Terminal window
```sh
npx supabase sso add --type saml --project-ref <your-project> \
  --metadata-file /path/to/saml/metadata.xml \
  --attribute-mapping-file /path/to/mapping.json \
  --domains company.com
```
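Before running that command it is worth checking that the pieces from steps 4 to 6 fit together: the IdP metadata really is identity-provider metadata with a signing certificate and an HTTPS sign-in endpoint, the Name ID format it advertises matches the EMAIL setting from step 5, the mapping file has the three keys from step 6, and the domain is a bare DNS name. The following pre-flight script is an added example, not part of Atomic CRM or the Supabase CLI; the function names are ours, and the embedded metadata is a constructed stand-in for the Google Workspace file (placeholder certificate and idpid), so it runs offline.

```python
"""Pre-flight checks for the SAML setup described on this page (added example).

Derives the service-provider values for Google's step-5 screen from the
Supabase project ref, inspects the IdP metadata from step 4, builds the
step-6 attribute mapping and assembles the `supabase sso add` command.
Nothing here talks to the network or writes files.
"""
import json
import re
import shlex
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
EMAIL_NAME_ID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed stand-in for the metadata.xml downloaded in step 4.
# The certificate body and the idpid are placeholders, not real values.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://accounts.google.com/o/saml2?idpid=EXAMPLEID">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC...PLACEHOLDER-CERT-BODY...</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://accounts.google.com/o/saml2/idp?idpid=EXAMPLEID"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://accounts.google.com/o/saml2/idp?idpid=EXAMPLEID"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def service_provider_details(project_ref: str) -> dict:
    """Values to enter on Google's service provider screen (step 5)."""
    if not re.fullmatch(r"[a-z0-9]+", project_ref):  # assumption: refs are lowercase alphanumerics
        raise ValueError(f"unexpected project ref: {project_ref!r}")
    base = f"https://{project_ref}.supabase.co/auth/v1/sso/saml"
    return {"acs_url": f"{base}/acs", "entity_id": f"{base}/metadata", "name_id_format": "EMAIL"}


def check_domain(domain: str) -> str:
    """--domains takes a bare DNS name: reject URLs, wildcards and single labels."""
    label = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
    if not re.fullmatch(rf"(?=.{{1,253}}$)(?:{label}\.)+[a-z]{{2,63}}", domain):
        raise ValueError(f"not a bare domain name: {domain!r}")
    return domain


def inspect_idp_metadata(xml_text: str) -> dict:
    """Check the downloaded metadata has what Supabase needs to verify assertions."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise ValueError(f"metadata is not well-formed XML: {exc}") from None
    if root.tag != f"{{{MD_NS}}}EntityDescriptor" or not root.get("entityID"):
        raise ValueError("root element is not an md:EntityDescriptor with an entityID")
    idp = root.find(f"{{{MD_NS}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not identity-provider metadata")
    # A signing certificate is what lets Supabase verify the IdP's signatures.
    signing_certs = []
    for kd in idp.findall(f"{{{MD_NS}}}KeyDescriptor"):
        if kd.get("use", "signing") != "signing":
            continue
        signing_certs += [c.text.strip() for c in kd.iter(f"{{{DS_NS}}}X509Certificate")
                          if c.text and c.text.strip()]
    if not signing_certs:
        raise ValueError("no signing certificate in metadata")
    sso = {s.get("Binding", ""): s.get("Location", "")
           for s in idp.findall(f"{{{MD_NS}}}SingleSignOnService")}
    if not any(loc.startswith("https://") for loc in sso.values()):
        raise ValueError("no https SingleSignOnService endpoint")
    formats = [n.text.strip() for n in idp.findall(f"{{{MD_NS}}}NameIDFormat") if n.text]
    return {"entity_id": root.get("entityID"), "signing_certs": len(signing_certs),
            "sso_endpoints": sso, "email_name_id": EMAIL_NAME_ID in formats}


def attribute_mapping() -> dict:
    """The mapping.json from this page: each CRM field takes the same-named app attribute."""
    return {"keys": {f: {"name": f} for f in ("email", "first_name", "last_name")}}


def sso_add_command(project_ref: str, metadata_path: str, mapping_path: str, domain: str) -> list:
    """The `supabase sso add` invocation from this page, as an argv list."""
    service_provider_details(project_ref)  # validates the ref
    return ["npx", "supabase", "sso", "add", "--type", "saml", "--project-ref", project_ref,
            "--metadata-file", metadata_path, "--attribute-mapping-file", mapping_path,
            "--domains", check_domain(domain)]


if __name__ == "__main__":
    print(json.dumps(service_provider_details("yourprojectref"), indent=2))
    print(json.dumps(inspect_idp_metadata(SAMPLE_IDP_METADATA), indent=2))
    print(json.dumps(attribute_mapping(), indent=2))
    print(shlex.join(sso_add_command("yourprojectref", "metadata.xml", "mapping.json", "company.com")))
```

Run it against your real metadata.xml by replacing SAMPLE_IDP_METADATA with the file's contents; a missing signing certificate or an unexpected root element is a sign you downloaded the wrong file (for example the service-provider metadata instead of the IdP's), and the `email_name_id` flag should be true when step 5 was set to EMAIL.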

Provide the VITE_GOOGLE_WORKPLACE_DOMAIN environment variable, for instance by adding it to your .env file:

.env
```sh
...
VITE_GOOGLE_WORKPLACE_DOMAIN=company.com
```

You can optionally disable email/password authentication by setting the VITE_DISABLE_EMAIL_PASSWORD_AUTHENTICATION environment variable:

.env
```sh
...
VITE_DISABLE_EMAIL_PASSWORD_AUTHENTICATION=true
```