Setting up SSO for your team

Single sign-on (SSO) integration is available for Enterprise teams. Contact your account manager for more information.

Setting up SSO (other than Okta)

You'll need some information about your SSO configuration in order to complete setup. Before beginning, ensure you have your:

Entity ID
Identity provider sign-on URL
Public certificate
URLs for the attribute names obtained through your identity provider

Go to your account settings and scroll down to click the Configure SSO button:

The set up modal will open for you to input your SSO information. This is also where you can find a link to Lumen5's meta data. To complete this step, enter your details in the appropriate fields:

After adding the configuration, your SSO will be in pending state! While SSO is pending, users can login using either SSO or their email and password.

Once the configuration has been added, log out and log back in from this link, using your SSO credentials: https://lumen5.com/auth/sso-verification. You're all set!

Setting up SSO with Okta

Find the Lumen5 integration within the Okta App Integration Catalog and click “Add Integration”. Open up your SSO settings inside Okta to gather information you will need:

Go to your account settings and scroll down to click the Configure SSO button:

Configure the following values by copying the information from your Okta integration into the Lumen5 modal that appears.

Lumen5 Name	Okta Name
Entity ID	Issuer or Issuer ID
Identity provider sign-on URL	Sign on URL
Public certificate	Signing certificate

Some of the attributes will need to be manually entered by you:

Lumen5 Name	Set to
First name - Attribute name	user.firstName
Last name - Attribute name	user.lastName
E-mail - Attribute name	user.email

After adding the configuration, your SSO will be in pending state! While SSO is pending, users can login using either SSO or their email and password.

Once the configuration has been added, log out and log back in from this link, using your SSO credentials: https://lumen5.com/auth/sso-verification. You're all set!

SSO Settings

Once SSO is configured, you have the option to decide if using it is mandatory for your team. Once you configure SSO and log in to your account using SSO for the first time, we'll turn this toggle on by default. You can turn it off anytime from your account settings. When this is toggled off, users on your team can login using SSO or their Lumen5 email and password:

We only support service provider initiated login, which means users will have to login from this link: https://lumen5.com/auth/sso-verification. If your team has any links to Lumen5 in your internal portal, please be sure they point to that URL to ensure that your team can login using their SSO credentials.

FAQ:

What is the entity ID of your SP (Service Provider), the base URL, or the default Assertion Consumer Service (ACS) URL?

All of this information can be found in the Lumen5 metadata available in your account settings during SSO setup. You can also access that metadata here.

Which attributes are required in the SAML assertion (field names can be customized if required)?

We need the first name, last name and email.

Do you require signed assertions/responses?

Yes

Do you require the public key in SAML response?

Yes

Do users get auto-provisioned when SSO is configured?

When user accepts an invite sent by a team with SSO enabled, we authenticate their identity with their ID provider, an SAML response is sent to us and we will create a new user account on Lumen5.

Do you support role provisioning through SAML attributes or support SCIM?

Once SSO is enabled, can user accounts be setup to bypass SSO?

SSO settings apply to the whole team. If you make SSO optional, users can login with email or SSO.

Is there support for log forwarding to a SIEM, audit events such admin and user activities?

Updated on: 04/11/2025