Note: SAML SSO is available on Enterprise plans and can be set up by the workspace owner or admins.
What is SAML SSO?
Single sign-on (SSO) is a technology that allows end-users to access multiple applications from a single authorization point that is managed by an Identity Provider (IdP). With SSO, a user only has to enter their login credentials one time on a single page in order to access all of their applications.
Using SSO has the following benefits:
Improves experience for end-users by allowing them to sign in once and access all applications and resources they are permitted to use
Streamlines user management for workspace admins by giving them more visibility and control over which applications and resources end-users have access to
Improves security by limiting attack vectors, enforcing password policies, and leveraging additional measures like multi-factor authentication in the IdP
Simplifies user provisioning throughout all supported applications by using Just-in-Time (JIT) provisioning in the IdP (coming soon)
Ahrefs SSO services are built on SAML 2.0 (Security Assertion Markup Language), a leading industry standard for exchanging authentication and authorization data. During authorization, no actual passwords are transferred between your IdP and Ahrefs. Instead, Ahrefs receives a digitally signed SAML assertion of the user identity that is valid for a limited time.
Setting up SAML SSO
Note: Ahrefs’ support team can guide you through the process. Please reach out to us if you have any difficulties with the setup.
Retrieve your Assertion Consumer Service (ACS) URL from Ahrefs
Go to Account settings and then SAML single sign-on.
Click the Enable SAML single sign-on toggle to open the SAML SSO configuration modal.
Click Copy next to the Assertion Consumer Service (ACS) URL field.
You will need this URL to add the Ahrefs application to your IdP in the next step. Note that some IdPs might require you to provide the SAML Issuer, also known as Entity ID. This is a unique string that identifies Ahrefs as a Service Provider issuing a SAML request. You can find this string in the SAML SSO configuration modal.
Add Ahrefs to your Identity Provider
As this process will depend on the specific IdP, we recommend that you refer to the reference material provided by your IdP. Below are Ahrefs’ requirements for some of the fields you may encounter when setting up SAML SSO in your IdP:
Name ID Format must be Email
Response must be Signed
Requests must be Unsigned
Signature Algorithm must be RSA (PKCS #1 v1.5)
Assertions must be Unencrypted
When you add the Ahrefs application to your IdP, the IdP will provide you with a metadata XML file, which Ahrefs will use to connect to your IdP and authenticate users when they sign in.
Add Identity Provider metadata XML to Ahrefs
After adding Ahrefs to your IdP, add your SSO metadata information to Ahrefs.
Go to Account settings and then SAML single sign-on.
Toggle on Enable SAML single sign-on to open the SAML SSO configuration modal, where you need to complete the setup.
Enter the content of the XML issued by your IdP into the IdP metadata XML field.
If the XML metadata is valid, you’ll be able to save changes. As a result, SAML SSO will automatically be enabled for your workspace and your end-users will be able to sign in via SAML SSO in addition to other authentication methods such as email and password credentials.
Enforcing SAML SSO
Once you have completed your SAML SSO configuration, your end-users will be able to sign in via SAML SSO in addition to other authentication methods such as email and password credentials.
To ensure that users can only sign in using SAML SSO and no other method, update the Authentication method to Only SAML SSO.
Note that the workspace owner and admins will always be able to sign in using their email and password credentials. This is to ensure that they can access your company workspace in the event of IdP or SAML failure.
Provisioning users with SCIM
System for Cross-domain Identity Management (SCIM) is a set of open standard protocols that allow a third-party IdP to manage users within your organization's Ahrefs workspace. Once you enable SCIM, any user assigned to the Ahrefs application in your IdP will automatically be added to your Ahrefs workspace. If a user is unassigned from the Ahrefs application in the IdP, they will be removed from your Ahrefs workspace.
Please reach out to Ahrefs' support team to guide you through the process of enabling SCIM for your IdP.