Setting up SAML SSO

General Setup for SAML Single Sign On

Written by Rowan Savage
Updated over a week ago

SAML SSO is only available to Enterprise Customers.

Please contact sales@runn.io to find out more.

Set up

  1. Log into Runn as an account administrator.

  2. Ensure that you are in the "Live" account.

General Settings

  1. Go to Settings -> Account Settings and press Edit

  2. Turn on SAML SSO

  3. Keep SSO Login Only disabled until after you have tested your SAML SSO set-up and applied additional settings

  4. Press Save

  5. Edit Account Settings again.

  6. You'll see a new field Alias, below your Runn Account Name and Company Website. It is used for optional subdomain-based redirection (see "FAQ: Can I use a URL to automatically redirect me to the SAML login page?")

  7. Add an Alias, which is used for easily identifying your account.

  8. Now scroll down the page and you will see the SAML Settings box.

SAML Settings

  1. Add the Runn SSO Callback URL to your application.

  2. Fill in the SAML Issuer (also called Identifier, Entity ID, or Name)

  3. Fill in the SSO Target URL (also called Login URL, Target, or SSO URL)

  4. Add in the IDP Certificate (also called Signing Certificate, or Security Certificate)
    This should be base64 encoded and start with
    -----BEGIN CERTIFICATE-----

  5. Email claim defaults to the recommended value. If the email is passed in a different field, update this to the correct field.

  6. Name claim defaults to the recommended value. If the name is passed in a different field, update this to the correct field.

  7. Press Save on the SAML Settings box.

Additional Settings

Session Timeout

This setting allows you to customise how long a session lasts. As Runn uses web sockets, while the browser window is open and active, sessions are continuously refreshed.

You can choose 15 minutes to meet the highest level of OWASP, or a more moderate experience so users aren't logged out when taking short breaks or going to lunch. Our default is 2 weeks, which ensures timesheet users who only log in once a week do not need to keep logging in.

SSO Login Only

Ensure you have tested your SAML SSO before turning this on, or you will no longer have access to your account.

This will disable logging in with email addresses and passwords, as well as creating new accounts with email and password.

Testing

  1. For your testing, ensure you're using the email address of a user who already has an account with Runn or has been invited to join Runn.

  2. Sign out of Runn.

  3. Go to app.runn.io and click the Sign in with SSO link on the bottom right of the Runn sign-up page.

  4. Write the account alias that you entered in the SSO setup OR your Runn Account ID.

  5. You will be redirected to your SAML login page.

  6. If successful, you will be redirected back to Runn either logged in, or you will be prompted to set up a new Runn account if you were using the email address of a user that has been invited to Runn.

  7. If you receive an error, ensure the SAML settings are correct and the user logging in has an account with Runn or an invite to join your Runn account.

  8. If you still have issues, contact Runn via the chat button in the bottom right corner of your Runn account or email help@runn.io for help resolving the issue.

FAQ

Can I use a URL to automatically redirect me to the SAML login page?

When you set up your alias, you will be able to log in automatically by going to https://app.runn.io/sso/<alias>.

We can also provide a subdomain such as https://myapp.runn.io for an additional monthly cost.

Can I log users out of Runn via Single Logout?

Single Logout is not currently supported by Runn. We suggest you use auto logout instead (see Session Timeout above). If you require Single Logout, please let us know via the in-app chat in the bottom right corner of your Runn account or email help@runn.io.

I get an error saying "No email found in email claim"

SAML uses claims or attributes to communicate information. We must know the email of the person, which comes from an email claim. We default to Microsoft Azure, but other services may use different names for this claim/attribute, such as "email" or "email_address". Search your SSO provider's help for "user claims" or "user attributes" and see what it suggests for the email claim. At the same time, you can also update the name claim.
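To find out which claim name your IdP actually sends, you can inspect a SAML response captured from your own test login. The following is an added example, not Runn's code: it lists the attributes in an assertion and reports which ones carry an email. The sample assertion is constructed, and the Azure-style claim URI is an assumed stand-in for a configured default, not a value confirmed by Runn.

```python
import base64
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumption for illustration: an Azure AD style email claim URI.
AZURE_STYLE_EMAIL = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

# Constructed sample: trimmed, unsigned assertion using JumpCloud-style claim names.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="email">
      <saml:AttributeValue>alex@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="fullname">
      <saml:AttributeValue>Alex Example</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def decode_saml_response(b64_value):
    """Decode the base64 SAMLResponse form field (HTTP-POST binding) to XML text."""
    return base64.b64decode(b64_value).decode("utf-8")

def list_claims(xml_text):
    """Return {claim name: [values]} for every Attribute in the document.

    Diagnostic only: this does not verify the signature, so never use it
    to make a login decision. Encrypted assertions will show no attributes.
    """
    root = ET.fromstring(xml_text)
    claims = {}
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        values = [(v.text or "").strip()
                  for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        claims.setdefault(attr.get("Name", ""), []).extend(values)
    return claims

def check_email_claim(xml_text, configured_name):
    """Report the email under the configured claim, plus claims that look like email."""
    claims = list_claims(xml_text)
    found = [v for v in claims.get(configured_name, []) if "@" in v]
    candidates = sorted(n for n, vals in claims.items()
                        if any("@" in v for v in vals))
    return {"email": found[0] if found else None, "candidates": candidates}

if __name__ == "__main__":
    print(check_email_claim(SAMPLE_ASSERTION, AZURE_STYLE_EMAIL))  # mismatch case
    print(check_email_claim(SAMPLE_ASSERTION, "email"))            # corrected claim
```

If `email` comes back as `None`, set the Email claim field in the SAML Settings box to one of the names listed under `candidates`.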

Example claim names

JumpCloud
email and fullname
See JumpCloud help docs.

Azure AD

Where can I find my Runn Account ID?

You can find your Runn Account ID displayed under your Account Settings in Runn.

Can I test SSO in the "Test" account first?

While you can also configure SSO in the "Test" account, there is no "preview" or "staging" functionality. The SSO settings will be applied to all logins for users who last viewed your "Test" account. In order to test SSO before rolling it out to your users, enable it on the "Live" account. Then enable "SSO Login Only" once you are certain it works as intended.

When changing an existing SSO configuration, we recommend coordinating a cutover period with your users (where access to the system is not available).

Do you support Identity Provider (IdP) initiated logins?

Yes. You can use the SSO Target URL shown in "Account > Settings > SAML Settings" in your Identity Provider to create login shortcuts within your intranet or dashboards. In this case, Runn as the Service Provider (SP) expects a SAML payload to be attached to the request.
