SAML SSO is only available to Enterprise Customers.
Please contact email@example.com to find out more.
Log into Runn as an account administrator.
Go to Settings -> Account Settings and press Edit
Turn on SAML SSO
Note: SSO Login Only disabled until after you have tested your SAML SSO set-up. See Additional Settings below.
Edit Account Settings again.
You'll see a new field Alias, below your Runn Account Name and Company Website.
Add an Alias, which is used for easily identifying your account.
Now scroll down the page and you will see the SAML Settings box.
Add the Runn SSO Callback URL to your application.
Fill in the SAML Issuer (also called Identifier, Entity ID, or Name)
Fill in the SSO Target URL (also called Login URL, Target, or SSO URL)
Add in the IDP Certificate (also called Signing Certificate, or Security Certificate)
This should be base64 encoded and start with
Email claim defaults to the recommended value. If the email is passed in a different field, update this to the correct field.
Name claim defaults to the recommended value. If the email is passed in a different field, update this to the correct field.
Press Save on the SAML Settings box.
This setting allows you to customise how long a session lasts. As Runn users web sockets, while the browser window is open and active, sessions are continuously refreshed.
You can choose 15 minutes to meet the highest level of OSWAP, or a more moderate experience so users aren't logged out when taking short breaks or going on lunch.
Our default is 2 weeks, which ensures timesheet users who only log in once a week do not need to keep logging in.
SSO Login Only
Ensure you have tested your SAML SSO before turning this on, or you will no longer have access to your account.
This will invalidate logging-in with email addresses and passwords, as well as creating new accounts with email and password.
For your testing, ensure you're using the email address of a user who has already an account with Runn or has been invited to join Runn.
Sign out of Runn.
Go to app.runn.io and click the Sign in with SSO link on the bottom right of the Runn sign-up page.
Write the account alias that you entered in the SSO setup OR your Runn Account ID.
You will be re-directed to your SAML login page.
If successful, you will be redirected back to Runn either logged-in, or you will be prompted to set-up a new Runn account if you were using the email address of a user that has been invited to Runn.
If you receive an error, ensure the SAML settings are correct and the user logging-in has an account with Runn or an invite to join your Runn account.
If you still have issues, contact Runn via the chat button in the bottom right corner of your Runn account or email firstname.lastname@example.org for help resolving the issue.
Can I use a URL to automatically redirect me to the SAML login page?
When you set up your alias, you will be able to log in automatically by going to https://app.runn.io/sso/<alias>.
We can also provide a subdomain such as https://myapp.runn.io for an additional monthly cost.
Can I log users out of Runn via Single Logout?
Single Logout is not currently supported by Runn. We suggest you use auto logout instead. See above. If you require Single Logout please let us know via the in-app chat in the bottom right corner of your Runn account or email email@example.com
I can an error saying "No email found in email claim"
SAML uses claims or attributes to communicate information. We must know the email of the person with comes from an email claim. We default to Microsoft Azure but other services may use different names for this claim/attribute such as "email" or "email_address". Search your SSO providers help for "user claims" or "user attributes" and see what it suggests for the email claim. At the same time you can also update the name claim.
Example claim names
email and fullname
See Jumpcloud help docs.
See Okta SAML instructions.
Where can I find my Runn Account ID?
You can find your Runn Account ID displayed under your Account Settings in Runn.