SAML authentication - Temporal Cloud feature guide

To authenticate the users of your Temporal Cloud account, you can connect an identity provider (IdP) to your account by using Security Assertion Markup Language (SAML) 2.0.

info

Enabling this feature adds a charge to your account. For more information, contact your account manager.

Integrate SAML with your Temporal Cloud account

1. Locate your Temporal Cloud Account Id. One way to do so is to sign in to Temporal Cloud and find your Namespace Id. The Account Id is the five or six characters following the period (.), such as f45a2. You will need the Account Id to construct your callback URL and your entity identifier.
2. Configure SAML with your IdP by following one of these sets of instructions:
   • Microsoft Azure Active Directory (Azure AD)
   • Okta
3. Share your connection information with us and test your connection.

How to configure SAML with Azure AD

If you want to use the general Microsoft login mechanism, you don't need to set up SAML with Azure AD. Just select Continue with Microsoft on the Temporal Cloud sign-in page.

To use Azure AD as your SAML IdP, create an Azure AD Enterprise application.

1. Sign in to the Microsoft Azure AD portal.

2. On the home page, under Manage Azure Active Directory, select View.

3. On the Overview page near the top, select Add > Enterprise application.

4. On the Browse Azure AD Gallery page near the top, select Create your own application.

5. In the Create your own application pane, provide a name for your application (such as temporal-cloud) and select Integrate any other application you don't find in the gallery.

6. Select Save.

7. In the Getting Started section, select 2. Set up single sign on.

8. On the Single sign-on page, select SAML.

9. In the Basic SAML Configuration section of the SAML-based Sign-on page, select Edit.

10. In Identifier (Entity ID), enter the following entity identifier, including your Account Id where indicated:

    urn:auth0:prod-tmprl:ACCOUNT_ID-saml

    A correctly formed entity identifier looks like this:

    urn:auth0:prod-tmprl:f45a2-saml

11. In Reply URL (Assertion Consumer Service URL), enter the following callback URL, including your Account Id where indicated:

    https://login.tmprl.cloud/login/callback?connection=ACCOUNT_ID-saml

    A correctly formed callback URL looks like this:

    https://login.tmprl.cloud/login/callback?connection=f45a2-saml

12. You can leave the other fields blank. Near the top of the pane, select Save.

13. In the Attributes & Claims section, select Edit.

14. We require the user's full email address when connecting to Temporal. In the Required claim section, set emailaddress and name. Verify that Unique User Identifier (NameID) is set to user.userprincipalname [nameid-format:emailAddress].

15. Collect information that you need to send to us:

    • In the SAML Certificates section of the SAML-based Sign-on page, select the download link for Certificate (Base64).
    • In the Set up APPLICATION_NAME section of the SAML-based Sign-on page, copy the value of Login URL.

To finish setting up Azure AD as your SAML IdP, see Finish SAML configuration.

How to configure SAML with Okta

To use Okta as your SAML IdP, configure a new Okta application integration.

1. Sign in to the Okta Admin Console.

2. In the left navigation pane, select Applications > Applications.

3. On the Applications page, select Create App Integration.

4. In the Create a new app integration dialog, select SAML 2.0 and then select Next.

5. On the Create SAML Integration page in the General Settings section, provide a name for your application (such as temporal-cloud) and then select Next.

6. In the Configure SAML section in Single sign on URL, enter the following callback URL, including your Account Id where indicated:

   https://login.tmprl.cloud/login/callback?connection=ACCOUNT_ID-saml

   A correctly formed callback URL looks like this:

   https://login.tmprl.cloud/login/callback?connection=f45a2-saml

7. In Audience URI (SP Entity ID), enter the following entity identifier, including your Account Id where indicated:

   urn:auth0:prod-tmprl:ACCOUNT_ID-saml

   A correctly formed entity identifier looks like this:

   urn:auth0:prod-tmprl:f45a2-saml

8. We require the user's full email address when connecting to Temporal.

   • In Name ID format, select EmailAddress.
   • In Attribute Statements, set email and name.

9. Select Next.

10. In the Feedback section, select Finish.

11. On the Applications page, select the name of the application integration you just created.

12. On the application integration page, select the Sign On tab.

13. Under SAML Setup, select View SAML setup instructions.

14. Collect information that you need to send to us:

    • Copy the IdP settings.
    • Download the active certificate.

To finish setting up Okta as your SAML IdP, see the next section, Finish SAML configuration.

How to finish your SAML configuration

After you configure SAML with your IdP, we can finish the configuration on our side. Create a support ticket that includes the following information:

• The sign-in URL from your application
• The X.509 SAML sign-in certificate
• One or more IdP domains to map to the SAML connection

Generally, the provided IdP domain is the same as the domain for your email address. You can provide multiple IdP domains.

When you receive confirmation from us that we have finished configuration, log in to Temporal Cloud. This time, though, enter your email address in Enterprise identity and select Continue. Do not select Continue with Google or Continue with Microsoft. You will be redirected to the authentication page of your IdP.