Configure SSO for a team

SSO is available on Postman Professional and Enterprise plans.

Your Team Admin can configure single sign-on (SSO) for a Postman team. To configure SSO for a team, add an authentication method, and then configure the identity provider (IdP) details.

Configuring single sign-on

To begin adding an authentication method, do the following:

  1. Go to Team Settings, then select Authentication.

  2. Select Add Authentication Method.

  3. Select the authentication type.

  4. Enter an authentication name that's identifiable to your team.

  5. Select Continue to configure the IdP details.

    Always check with your authentication provider dashboard or your IT support staff for the correct information to configure SSO.

Configuring the IdP details

After adding the authentication method, you can configure the IdP details.

To configure the IdP details later, select Configure Later. When you're ready to continue configuring the IdP details, see Editing SSO settings.

In the Service provider details (Postman) section, the Entity ID, Login URL, and ACS URL are already populated.

Fill in the Identity provider details section. From your IdP account, enter your SSO URL, Identity provider issuer, and X.509 Certificate. Alternatively, you can upload a metadata file to configure the IdP details in one step.

To enter details in the Identity provider details section, you must sign in to your IdP account and get the details. Refer to the corresponding section of the documentation and follow the outlined procedure there:

* Only available on Enterprise plans.

Optionally, you can select the Automatically add new users checkbox if you want users to automatically join your team. The first time users sign in to Postman using this authentication method they will automatically join the team.

Editing SSO settings

After configuring the authentication method for your Postman team, you can select the Status toggle to turn it on or off. This is a team-level option, so this setting applies to the whole team.

To update the settings for an authentication method, select Edit, then select Continue.

To delete an authentication method, select Edit, then select Delete.

Managing user accounts

This section describes the following topics:

Creating user accounts

The first time a new Postman user signs in to Postman using the authentication method, a Postman account is created and the user is automatically added to the team if the following is true: the team has seats available and the Automatically add new users checkbox was selected during authentication method configuration.

The user will be automatically associated to the team with a Developer role and have access to team resources.

If the conditions required to automatically join the team aren't met, all Team Admins will receive the user's request to join the team.

Adding existing user accounts

The first time an existing Postman user signs in to Postman using the authentication method, the user is automatically added to the team if one of the following is true:

The user will be automatically associated to the team with a Developer role and have access to team resources.

If the conditions required to automatically join the team aren't met, all Team Admins will receive the user's request to join the team.

Automatically adding new users

The Automatically add new users checkbox in your authentication method determines whether users with accounts in your IdP can automatically join your team. When it's selected, users join the team automatically by signing in to Postman using the authentication method.

Automatically add new users will only work if your team has user seats available. Your team size won't automatically increase if more users sign in with SSO.

Managing team sign ins

By default, Postman only supports Service Provider (Postman)-initiated sign-ins for Postman Professional or Enterprise teams. Your team must sign in to Postman using the authentication method. If you require users to sign in using an IdP-initiated sign-in from your SSO portal, you can generate and copy the Relay state from your authentication method, and then save it in your IdP configuration. This ensures an extra level of security when the sign-in process is initiated through a source unknown to Postman.

Removing team access

You must remove users from your team in Postman to prevent access to shared resources. When you remove a user from your team, you'll still retain access to any data they have shared with the team. You'll also be able to reassign their personal workspaces and the data within them to a remaining team member in some situations. To learn more, see Removing team members.

Troubleshooting

Learn more about common SSO issues and how to troubleshoot them.

If you experience an error after signing in to Postman using SSO, see the following errors and possible solutions:

  • Your IdP returns a 404 error. Make sure the SSO URL is correctly copied from your IdP to your authentication method in Postman.
  • Postman returns a 500 error. Make sure the X.509 Certificate is correctly copied from your IdP to your authentication method in Postman.
  • Postman returns a 404 error. Make sure the values in the Service provider details (Postman) section are correctly copied from your authentication method in Postman to your IdP.
  • Postman returns a page explaining that the sign-in request expired. Make sure the Relay state is correctly copied from your authentication method in Postman to your IdP.
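The SSO URL, Identity provider issuer, and X.509 Certificate from the Identity provider details section are the values these errors trace back to, so it helps to check them before pasting. The following is an added example, not Postman's code: it reads the three values from an IdP metadata file and flags copy problems. It assumes the standard SAML 2.0 metadata layout; `idp.example.com` and the certificate bytes are constructed placeholders.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed placeholder bytes shaped like DER (leading SEQUENCE tag), not a real certificate.
FAKE_DER = b"\x30\x82\x00\x20" + bytes(range(32))
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.com/saml/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>
        {base64.b64encode(FAKE_DER).decode()}
      </ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def idp_details(metadata_xml):
    """Return (details, problems) for the three fields the SSO form asks for."""
    root = ET.fromstring(metadata_xml)  # metadata from your own IdP; not for untrusted XML
    sso = root.find("md:IDPSSODescriptor/md:SingleSignOnService", NS)
    cert = root.find("md:IDPSSODescriptor/md:KeyDescriptor//ds:X509Certificate", NS)
    details = {"issuer": root.get("entityID"),
               "sso_url": sso.get("Location") if sso is not None else None,
               "cert_sha256": None}
    problems = []
    if not details["issuer"]:
        problems.append("missing entityID (Identity provider issuer)")
    if not details["sso_url"] or urlparse(details["sso_url"]).scheme != "https":
        problems.append("SSO URL missing or not https")
    try:
        # Strip the whitespace and line wraps that copy/paste introduces.
        der = base64.b64decode("".join((cert.text or "").split()), validate=True)
        if der[:1] != b"\x30":
            raise ValueError("not DER")
        details["cert_sha256"] = hashlib.sha256(der).hexdigest()  # compare with IdP dashboard
    except (AttributeError, ValueError):
        problems.append("X.509 certificate missing, truncated or not base64")
    return details, problems


if __name__ == "__main__":
    print(idp_details(SAMPLE_METADATA))
```

Compare the printed SHA-256 fingerprint with the one your IdP dashboard shows for its signing certificate before saving the authentication method.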

For more common SSO issues, see the following:

  • An email address isn't associated with your team members. In your IdP configuration settings, make sure the username format is set to Email.

Next steps

Now that you've set up SSO for your team, you might be interested in learning about how your team will interact with SSO and continuing on with SCIM provisioning.

Last modified: 2023/02/06