Configure SAML SSO in Opik: Step-by-Step Guide

SAML (Security Assertion Markup Language) SSO allows your users to authenticate using your organization’s identity provider (IdP). This guide walks you through configuring SAML SSO for your Opik organization.

SAML SSO is available on Enterprise plans. This feature is not available in open-source deployments. Reach out if you want to enable this feature for your Opik deployment.

Prerequisites

Before you begin, ensure you have:

Organization admin access to Opik
Admin access to your identity provider (Okta, Azure AD, OneLogin, etc.)
Enterprise plan enabled for your organization
Email domain you want to use for SSO (e.g., company.com)

Configuration overview

Setting up SAML SSO involves two main steps:

Configure your IdP: Add Opik as a SAML application in your identity provider.
Configure Opik: Enter your IdP’s SAML settings in Opik’s admin dashboard.

Step 1: Gather Opik’s SAML settings

Before configuring your IdP, you’ll need Opik’s Service Provider (SP) settings.

Navigate to Admin Dashboard > SSO Configuration to view:

Setting	Value
SP Entity ID	`https://www.comet.com/opik/saml/metadata/<organization-id>`
ACS URL	`https://www.comet.com/opik/saml/acs/<organization-id>`

The exact URLs will be displayed in your SSO configuration page. Copy them directly from there to avoid typos.

Step 2: Configure your identity provider

Add Opik as a new SAML application in your IdP. The specific steps vary by provider, but you’ll generally need to:

Create a new SAML application.
Enter Opik’s SP Entity ID and ACS URL.
Configure attribute mappings (see below).
Download or copy the IdP metadata (Entity ID, SSO URL, certificate).

Required attribute mappings

Your IdP must send the following attributes in the SAML assertion:

Attribute name	Description	Required
`guid`	Unique identifier for the user	Yes
`email`	User’s email address	Yes
`firstName`	User’s first name	Recommended
`lastName`	User’s last name	Recommended

Workspace sync attributes (optional)

If you want to automatically assign users to workspaces based on IdP attributes:

Attribute name	Description
`workspaces`	Comma-separated list of workspace names
`groups`	User’s group memberships (can be mapped to workspaces)

Attribute names may need to be configured as custom attributes or claims in your IdP. The exact configuration depends on your identity provider.

Step 3: Configure Opik

Once your IdP is configured, enter the settings in Opik:

Navigate to Admin Dashboard > SSO Configuration.
Select SAML as the SSO protocol.
Enter the following settings:

Required SAML settings

Field	Description	Example
Domain	Email domain for SSO users	`company.com`
SP Entity ID	Your Service Provider Entity ID	`https://www.comet.com/opik/saml/metadata/...`
SP ACS URL	Assertion Consumer Service URL	`https://www.comet.com/opik/saml/acs/...`
IdP Entity ID	Your IdP’s Entity ID	`https://idp.company.com/...`
IdP SSO URL	URL where users authenticate	`https://idp.company.com/sso/saml`
IdP X.509 Certificate	Public certificate for signature verification	`-----BEGIN CERTIFICATE-----...`

Optional SAML settings

Field	Description	Default
SP Private Key	Private key for signed requests	Not required
Sync Workspaces	Enable automatic workspace assignment	Disabled
IdP Debug	Enable verbose logging for troubleshooting	Disabled
Default Workspace	Workspace for users without workspace attributes	Organization default

Field reference

SP Entity ID

The Service Provider Entity ID uniquely identifies Opik to your IdP. This value should be:

Copied exactly as shown in the Opik SSO configuration page.
Entered in your IdP’s SAML application configuration.
Consistent between Opik and your IdP (case-sensitive).

ACS URL (Assertion Consumer Service)

The ACS URL is where your IdP sends the SAML assertion after successful authentication:

Must be an HTTPS URL.
Must match exactly between Opik and your IdP configuration.
Opik validates this URL when processing assertions.

IdP Entity ID

Your identity provider’s unique identifier. Find this in your IdP’s SAML metadata or configuration:

Okta: Found in the SAML setup instructions or metadata XML.
Azure AD: The “Identifier (Entity ID)” in the SAML configuration.
OneLogin: The “Issuer URL” in the SSO settings.

IdP SSO URL

The URL where users are redirected to authenticate. This is the entry point for the SAML authentication flow:

Usually ends in /sso/saml or similar.
Found in your IdP’s SAML configuration or metadata.

IdP X.509 Certificate

The public certificate used to verify SAML assertion signatures:

Must be in PEM format (starting with -----BEGIN CERTIFICATE-----).
Download from your IdP’s SAML configuration.
Multiple certificates can be provided if your IdP is rotating keys.

Certificate expiration: SAML certificates expire. Monitor expiration dates and update before they expire to avoid authentication disruptions.

Workspace synchronization

Enable workspace sync to automatically assign users to workspaces based on IdP attributes.

Enabling workspace sync

In the SSO configuration, enable Sync Workspaces.
Configure your IdP to send workspace information as a SAML attribute.
Map the attribute to Opik workspace names.

How workspace sync works

When a user authenticates via SAML with workspace sync enabled:

Opik reads the workspace attribute from the SAML assertion.
User is added to the specified workspaces (created if they don’t exist).
User is removed from workspaces not listed in the attribute.

Workspace sync override: When enabled, workspace sync overrides manual workspace assignments on each login. Users will only have access to workspaces specified by your IdP.

Attribute format for workspaces

The workspace attribute should contain a comma-separated list of workspace names:

engineering,data-science,ml-platform

Ensure workspace names match exactly (case-sensitive).

IdP-specific configuration guides

Okta

Azure AD

OneLogin

Configuring Okta

In Okta Admin Console, go to Applications > Create App Integration.
Select SAML 2.0 and click Next.
Enter an app name (e.g., “Opik”) and click Next.
Configure SAML settings:
- Single Sign-On URL: Your ACS URL from Opik
- Audience URI (SP Entity ID): Your SP Entity ID from Opik
- Name ID format: EmailAddress
- Application username: Email
Add attribute statements:
- guid → user.id
- email → user.email
- firstName → user.firstName
- lastName → user.lastName
Complete the wizard and assign users/groups.
Copy the IdP Issuer, Single Sign-On URL, and X.509 Certificate to Opik.

Testing the configuration

After configuring both Opik and your IdP:

Open an incognito/private browser window (to avoid cached sessions).
Navigate to Opik’s login page.
Enter an email address with your configured domain.
You should be redirected to your IdP for authentication.
After authenticating, you should be redirected back to Opik and logged in.

Debug mode: If you encounter issues, enable IdP Debug in the SSO configuration to see detailed logs.

Troubleshooting

Common issues

Issue	Possible cause	Solution
”Invalid SAML response”	Certificate mismatch	Verify the IdP certificate is correctly copied
User not redirected to IdP	Domain not configured	Check the domain setting matches user email
”User not found”	Missing required attributes	Verify `guid` and `email` attributes are mapped
Wrong workspace assignment	Attribute mapping issue	Check workspace attribute format and sync settings
Certificate validation error	Expired certificate	Update the IdP certificate

Troubleshooting checklist

Verify domain configuration: Ensure the email domain matches your SSO configuration.
Check Entity IDs: Both SP and IdP Entity IDs must match exactly (case-sensitive).
Validate ACS URL: The ACS URL must be identical in both Opik and your IdP.
Review attribute mapping: Ensure guid and email attributes are sent by your IdP.
Check certificate format: Certificate should be in PEM format with headers.
Test with debug enabled: Enable IdP Debug to see detailed error messages.
Check IdP logs: Review your identity provider’s logs for SAML errors.

Getting help

If you continue to experience issues:

Gather debug logs with IdP Debug enabled.
Capture the SAML assertion (available in browser developer tools or IdP logs).
Contact Opik support with the logs and assertion for assistance.

Next steps

Configure OIDC as an alternative SSO method.
Set up JWT authentication for programmatic access.
Manage users and their workspace assignments.