How do I configure SSO?

Who can use this feature?
- Requires an Enterprise or Data Direct plan.
- Requires an admin role to configure.

There are two options for configuring single sign-on (SSO) in your Fullstory account: SAML SSO and Google Authentication. Read on to learn more.

SAML SSO

Fullstory can integrate with your company's Single Sign-On solution so that team members can log in to Fullstory using their SSO credentials. This eliminates the need for your users to have separate Fullstory credentials, and enables you to apply the same authentication policies to Fullstory as you do with your other enterprise apps.

Just-in-Time (JIT) Provisioning

Spend less time provisioning accounts and ensure only the right employees have access with Just-in-Time (JIT) provisioning for SAML. New users can be automatically provisioned when they first log in from your enterprise SAML SSO sign-in page.

Which Identity Providers are supported?

Our SSO offering supports all major Identity Providers that use the SAML 2.0 protocol, including Okta, Azure AD, and many others.

Which SSO flows are supported?

We support both Service Provider-initiated SSO (in which users log in via a Fullstory login page) and Identity Provider-initiated SSO (in which users log in from your IdP dashboard).

Mapping users to Fullstory roles

You can also automatically assign users to Fullstory roles based on information contained within your Identity Provider (IdP) system. We provide implementation details on this optional configuration in the customizing SSO section of this article.

How do I configure SSO?

Note: If you're setting up SSO for the first time in an Umbrella account, repeat these steps for each account in your Umbrella. If you enabled SSO in an Umbrella account prior to May 2020, please contact support for help managing your configuration.

Admin users can configure SSO in Fullstory under Settings > Account Management > SSO. Click Configure SSO to get started.

Enter your Connection Name. The Connection Name may be shown to unauthenticated users during the log-in process, so choose something intuitive like “Your Company Name SSO.”

Next, copy and paste the information provided (the SSO URL, Audience URL/Entity ID, and Request Signing Certificate) into your IdP to generate a metadata.xml file. Then, copy and paste the contents of your IdP-generated metadata.xml file into Fullstory to complete the configuration.

How do I customize my SSO settings?

After you configure SSO, customize your settings under Settings > Account Management > SSO.

In the Domains and Certificate section, a Fullstory admin can list their email domain. If additional email domains need to be added, a teammate with the additional domain must be invited and granted admin access to add the additional domain.

After adding email domains, if any user enters a known domain that requires SSO, the Fullstory standard login page will recognize this and redirect that user to your SSO login page.

Requiring SSO for all teammates

When SSO is initially configured, it defaults to “optional” mode. In optional mode, users can log in with a Fullstory username and password or with SSO. At any time, your Fullstory admin can toggle on “Require SSO for all teammates.” Once enabled, all users with a Standard, Admin, Architect or Umbrella Manager seat type will be required to log in with SSO and users will no longer be able to log in with their usernames and passwords.

Enabling just-in-time seat provisioning

Toggle on “Automatically create new user accounts (just-in-time seat provisioning)” to enable JIT. When enabled, new users can be automatically provisioned when they first log in from your enterprise SAML SSO sign-in page.

Please note: If role mapping is not configured, new users added via just-in-time provisioning will be assigned a Standard seat type.

Mapping users to roles via SAML attribute

You can also automatically assign users to Fullstory roles (Admin, Architect, Standard, Guest) based on information contained within your Identity Provider (IdP) system. This is an optional configuration that removes the extra step of updating the user’s permissions via the Settings UI. Learn about Fullstory roles.

When using role mapping for a given org, we suggest enabling “Require SSO for all teammates.” Role mapping only takes effect on SAML logins: if users log in using a different authentication method, their roles will not be updated.

Follow these steps to set up the mapping:

  1. Navigate to Settings > Account Management > SSO. From the SSO configuration panel, toggle on the option to Map users to roles via SAML attribute.
  2. Configure your identity provider to send a new attribute in the SAML response.
  3. Enter fullstoryRole as the name of your SAML attribute in your SAML provider.
  4. The following values are supported:
    • guest
    • standard
    • explorer
    • admin
    • architect
  5. The Umbrella Manager role is not supported. If your company uses the Umbrella Management (“Multi-org management”) capability, assign Umbrella Manager roles to users from the Umbrella Users UI in Settings, as described here.

Here is an example of the expected SAML attribute once role mapping is configured:

<saml2:Attribute Name="fullstoryRole"
    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
  <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">
    admin
  </saml2:AttributeValue>
</saml2:Attribute>
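To make the role-mapping and JIT behaviour above concrete, here is an added example (not Fullstory's code) that reads the fullstoryRole attribute out of a SAML assertion, checks it against the supported values, and falls back to the Standard seat when role mapping is off. It assumes the assertion's signature, audience and conditions were already validated by the service provider before this step.

```python
# Added example (not Fullstory's code): read the fullstoryRole SAML attribute
# described above and decide which seat a just-in-time-provisioned user gets.
# Assumption: the SP has already validated the assertion's signature, audience
# and conditions; this step only interprets the already-trusted attribute.
import xml.etree.ElementTree as ET
from typing import Optional

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ROLE_ATTRIBUTE = "fullstoryRole"
SUPPORTED_ROLES = {"guest", "standard", "explorer", "admin", "architect"}
DEFAULT_JIT_ROLE = "standard"  # seat given when role mapping is not configured


def extract_role_attribute(assertion_xml: str) -> Optional[str]:
    """Return the fullstoryRole value, or None if the attribute is absent/empty."""
    root = ET.fromstring(assertion_xml)
    for attr in root.iter(f"{{{SAML2_NS}}}Attribute"):
        if attr.get("Name") == ROLE_ATTRIBUTE:
            value = attr.find(f"{{{SAML2_NS}}}AttributeValue")
            if value is not None and value.text and value.text.strip():
                return value.text.strip()  # the sample wraps "admin" in whitespace
    return None


def resolve_role(assertion_xml: str, role_mapping_enabled: bool) -> str:
    """Map the assertion to a Fullstory seat type.

    A missing or unsupported value (Umbrella Manager is not mappable) raises
    instead of silently falling back, so an IdP misconfiguration is noticed
    rather than quietly granting an unintended seat (a choice of this example).
    """
    if not role_mapping_enabled:
        return DEFAULT_JIT_ROLE
    role = extract_role_attribute(assertion_xml)
    if role is None:
        raise ValueError(f"{ROLE_ATTRIBUTE} attribute missing from assertion")
    if role not in SUPPORTED_ROLES:
        raise ValueError(f"unsupported {ROLE_ATTRIBUTE} value: {role!r}")
    return role


# Constructed sample: an assertion fragment carrying the attribute shown above.
SAMPLE_ASSERTION = f"""<saml2:Assertion xmlns:saml2="{SAML2_NS}">
  <saml2:AttributeStatement>
    <saml2:Attribute Name="fullstoryRole"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">
        admin
      </saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""
```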

Anything else I should know?

Two quick things! First, be sure to note your certificate expiration date. You’ll need to update your certificate manually under Settings > Account Management > SSO before it expires, or SSO logins will start to fail.

Second, deleting a user from your Identity Provider does not automatically delete them from your Fullstory team. You’ll also need to manually delete them from Fullstory.

Google Authentication

The ability to authenticate with Google is available to all customers. Team administrators can choose to require all team members to log in via Google. You can learn more about Google Authentication in this article. Note that Just-in-Time provisioning is not supported for Google Authentication at this time.

FAQ

Does Fullstory support Multi-factor Authentication (MFA)?
We can support MFA capabilities configured via your SSO provider (or Google Authentication).
