Guide to SAML SSO

You need to have added and verified at least one domain for SSO to be available but you are free to add more. When SSO is configured all users who are 1) members of your workspace and 2) use an email address matching any of your verified domains will be able to log in via your identity provider.

Users who do not use any of your verified domains or who use personal emails, like gmail.com, will not log in with SSO. You can use as many domains with SSO as you want but we only support a single identity provider. A domain can only be registered to a single workspace. If you need assistance then please reach out to customer support or your customer success manager.

On epidemicsound.com, select the menu at the top right corner, choose Organization and then select the Identity & Provisioning tab. Use the Add domain button to start adding your first domain.

Once added you will immediately be prompted to verify your domain.

Completing the verification will require access to your DNS provider. Reach out to your IT-team for help if you lack this access.

Once the verification process is complete your new domain will display as “Verified”.

To start the process of configuring SSO, click the button Configure SSO. In the first step that appears you will find some SAML properties that you will need when configuring your identity provider.

We provide dedicated guides for Okta and Microsoft Entra ID (formerly Azure AD) but you can also configure any SAML 2.0 compliant identity provider:

• SAML SSO with Okta
• SAML SSO with Entra ID
• Set up custom SAML 2.0 configuration

Complete any of the guides above to configure your identity provider. Once complete you will be ready to proceed with enabling SAML SSO for your Epidemic Sound workspace.

To complete the integration you need to connect your identity provider with your Epidemic Sound workspace. Click the Next button on the SAML properties step (Identity & Provisioning → Configure SSO) to get to the Edit SSO configuration step. Here you have two options:

• Enter a metadata URL (recommended): With the metadata URL we can fetch the necessary information for you and renewing the public certificate will be simpler in the future.
• Fill in the information manually: See your identity provider documentation for where to find the Sign on URL, Issuer/Entity ID and Public certificate for your specific identity provider.

Once you’ve reviewed that the information looks correct you can go ahead and Enable SSO. When first enabling SSO it is set up as an optional login method, members can still continue logging in using any login method.

At this stage we strongly recommend that you test logging in via SSO in an “incognito” window before proceeding with requiring SAML SSO to reduce the risk of being locked out. You can use the start URL: https://www.epidemicsound.com/sso/saml/[Tenant ID]/. Tenant ID can be found if you click the Edit configuration button and go back to SAML properties.

We use the user’s email address as the way to identify your users in our system. This means the email address in your identity provider and in our system must match for the user to be able to login.

It is possible to require your workspace members to only login via SAML SSO. To require SSO on your workspace, toggle the Require SSO option on the Identity & Provisioning tab and select Require in the confirmation modal that appears. Members with email addresses not matching any of your verified domains will still be able to login using any login method.

Before requiring SSO, please ensure that all impacted workspace members have been assigned to the application in your identity provider.