Note: SAML SSO is available on Enterprise plans and can be set up by the workspace owner or admins.

What is SAML SSO?

Single sign-on (SSO) is a technology that allows end-users to access multiple applications from a single authorization point that is managed by an Identity Provider (IdP). With SSO, a user only has to enter their login credentials one time on a single page in order to access all of their applications.

Using SSO has the following benefits:

  • Improves experience for end-users by allowing them to sign in once and access all applications and resources they are permitted to use

  • Streamlines user management for workspace admins by giving them more visibility and control over which applications and resources end-users have access to

  • Improves security by limiting attack vectors, enforcing password policies, and leveraging additional measures like multi-factor authentication in the IdP

  • Simplifies user provisioning throughout all supported applications by using Just-in-Time (JIT) provisioning in the IdP (coming soon)

Ahrefs SSO services are built on SAML 2.0 (Security Assertion Markup Language), a leading industry standard for exchanging authentication and authorization data. During authorization, no actual passwords are transferred between your IdP and Ahrefs. Instead, Ahrefs receives a digitally signed SAML assertion of the user identity that is valid for a limited time.

Setting up SAML SSO

Note: Ahrefs’ support team can guide you through the process. Please reach out to us if you have any difficulties with the setup.

Retrieve your Assertion Consumer Service (ACS) URL from Ahrefs

  • Go to Account settings and then SAML single sign-on.

  • Click the Enable SAML single sign-on toggle to open the SAML SSO configuration modal.

  • Click Copy next to the Assertion Consumer Service (ACS) URL field.

You will need this URL to add the Ahrefs application to your IdP in the next step. Note that some IdPs might require you to provide the SAML Issuer, also known as Entity ID. This is a unique string that identifies Ahrefs as a Service Provider issuing a SAML request. You can find this string in the SAML SSO configuration modal.

Add Ahrefs to your Identity Provider

As this process will depend on the specific IdP, we recommend that you refer to the reference material provided by your IdP. Below are Ahrefs’ requirements for some of the fields you may encounter when setting up SAML SSO in your IdP:

  • Name ID Format must be Email

  • Response must be Signed

  • Requests must be Unsigned

  • Signature Algorithm must be RSA (PKCS #1 v1.5)

  • Assertions must be Unencrypted

When you add the Ahrefs application to your IdP, the IdP will provide you with a metadata XML file, which Ahrefs will use to connect to your IdP and authenticate users when they sign in.
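A pre-flight check for the requirements listed above, as an added example that is not Ahrefs' own code: it inspects a base64 SAMLResponse captured from a test sign-in and reports where it departs from the list. It assumes "Response must be Signed" means a signature on the Response element; the function names and sample XML are constructed for illustration, and the check is structural only (it does not verify the signature).

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# XML-DSig algorithm URIs that mean RSA with PKCS #1 v1.5 padding.
MORE = "http://www.w3.org/2001/04/xmldsig-more#"
RSA_PKCS1_V15 = {NS["ds"] + "rsa-sha1", MORE + "rsa-sha256",
                 MORE + "rsa-sha384", MORE + "rsa-sha512"}

# Constructed sample, not a real IdP response; signature values are left out.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="{alg}"/></ds:SignedInfo></ds:Signature>
 <saml:Assertion><saml:Subject><saml:NameID Format="{fmt}">user@example.com</saml:NameID>
 </saml:Subject></saml:Assertion></samlp:Response>"""

def sample(alg, fmt):
    """Base64-encode the constructed sample, as the HTTP-POST SAMLResponse field is."""
    return base64.b64encode(SAMPLE.format(alg=alg, fmt=fmt).encode())

def check_response(b64_response):
    """Return a list of mismatches with the listed requirements (empty list = none found)."""
    xml = base64.b64decode(b64_response)
    if b"<!DOCTYPE" in xml:  # SAML messages carry no DTD; do not parse one
        return ["DOCTYPE present; refusing to parse"]
    root = ET.fromstring(xml)
    problems = []
    sig = root.find("ds:Signature", NS)  # direct child = Response-level signature
    if sig is None:
        problems.append("Response is not signed")
    else:
        method = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
        alg = method.get("Algorithm") if method is not None else None
        if alg not in RSA_PKCS1_V15:
            problems.append(f"Signature algorithm is not RSA PKCS #1 v1.5: {alg}")
    if root.find("saml:EncryptedAssertion", NS) is not None:
        problems.append("Assertion is encrypted")
    name_id = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    if name_id is None:
        problems.append("No readable NameID")
    elif name_id.get("Format") != EMAIL_FORMAT:
        problems.append(f"NameID format is not Email: {name_id.get('Format')}")
    return problems
```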

Add Identity Provider metadata XML to Ahrefs

After adding Ahrefs to your IdP, add your IdP's SSO metadata to Ahrefs.

  • Go to Account settings and then SAML single sign-on.

  • Toggle on Enable SAML single sign-on to open the SAML SSO configuration modal where you need to complete the setup.

Enter the content of the XML issued by your IdP into the IdP metadata XML field.

If the XML metadata is valid, you’ll be able to save changes. As a result, SAML SSO will automatically be enabled for your workspace and your end-users will be able to sign in via SAML SSO in addition to other authentication methods such as email and password credentials.

Note: The option to enforce sign-in via SAML SSO only is coming soon.

Just-in-Time (JIT) provisioning (coming soon)

Note: This feature is coming soon. For now, you must invite your end-users manually and they must accept their invitation before they can start using SAML SSO.

JIT provisioning will save your workspace admins from having to manually invite new users to your workspace. Instead, a new user who signs in via SAML SSO will automatically join your workspace as a member.
