Authentication

The Authentication page allows you to control which domains are trusted, as well as to enable, disable, and configure authentication methods like Email, SAML, GitHub, and Google.

To manage the authentication settings for your tenant, select your profile picture at the top right of the Pipes console, and select Tenant Settings. This option will only be visible in a custom tenant for which you are a tenant owner.

Trusted Login Domains

Trusted domains allow you to specify a list of email domains that users can be invited or log in from. The restrictions are applied regardless of the authentication method used.

By default, this is set to an empty list, which means there are no domain restrictions in place. If you wish to restrict access to a specific domain(s), you can add that domain to the list.

Enter the domain(s) you wish to add and click Save.

Authentication Methods

You can enable multiple methods of authentication for your tenant - users logging in across multiple methods will be treated as the same user in Pipes if their logins resolve to a user with the same email address.

The methods available for authentication are:

To enable or disable an authentication method, toggle the radio button for that method.

SAML

SAML, which stands for Security Assertion Markup Language, is an XML-based open standard for exchanging authentication and authorization data between parties. The primary use case for SAML is in single sign-on (SSO) scenarios, where a user can log in once and gain access to multiple systems or applications without the need to log in again for each one. The SAML standard is widely used in enterprise environments and web-based applications to enable secure and seamless single sign-on experiences.

If you wish to enable SSO via SAML for your tenant, please follow the steps below:

• Navigate to SAML from the Authentication methods section.
• In your Identity Provider (IdP), create a new SAML 2.0 application for Pipes. The details you will need are:
  • Service Provider ACS URL: Pre-populated for you in the Pipes console. Click to copy it.
  • Service Provider Entity ID: Pre-populated for you in the Pipes console. Click to copy it
  • Name ID Format: EmailAddress
  • Attribute Mappings: Map the following attributes to the corresponding user attributes in your IdP:
    • email: the email address of the user
    • firstName: the given / first name of the user
    • lastName: the family / surname of the user
    • login: optional unique user login identifier
• Once you have created the application, you will need to gather and enter the following information from your IdP:
  • Identity Provider Issuer ID: e.g. https://okta.com/eyldobv30u6ndacE15e7
  • Identity Provider SSO URL: e.g. https://dev-1234567.okta.com/app/dev-1234567_turbotpipes/eyldobv30u6ndacE15e7/sso/saml
  • Identity Provider Public Signing Certificate: Download the X.509 PEM-format certification from your IdP

Once you have entered the required information from the SAML IdP configuration, click Save. You can then enable the SAML authentication method by toggling the radio button.

GitHub

You can enable GitHub authentication by toggling the radio button. When Github authentication is enabled, any user that has been authenticated by GitHub whose primary email address is from a trusted login domain will be able to log in to your tenant - they do not need to be invited. A user will be created the first time they log in to Pipes, and they will be assigned the Member role in the tenant.

Please note the user's primary GitHub email address is presented and therefore used when evaluating trusted login domain restrictions.

Google

You can enable Google authentication by toggling the radio button. When Google authentication is enabled, any user that has been authenticated by Google whose email address is from a trusted login domain will be able to log in to your tenant - they do not need to be invited. A user will be created the first time they log in to Pipes, and they will be assigned the Member role in the tenant.