Enterprise SSO with Zeplin

Using SAML 2.0-based Single Sign-On for Zeplin

Written by Rian
Updated over a week ago

You can use SAML-based single sign-on (SSO) to give your users access to Zeplin through an Identity Provider of your choice.

☝️ This feature is currently only available to teams on the Enterprise Plan.


Your Identity Provider

With SAML SSO, your Identity Provider (IdP) takes on the task of authenticating your users to the level required by your own policies. To begin to use SAML SSO, you will first need to configure the trust between your IdP and Zeplin.

Zeplin supports any IdP that uses standard SAML. This means that almost any SAML 2.0-compliant IdP will work seamlessly with Zeplin. A number of popular IdPs have been verified to work with Zeplin, and we have created several IdP guides to help with configuration:

Azure AD, Centrify / Idaptive, GSuite (using SAML), IBM (IAM), JumpCloud, Keycloak, Microsoft ADFS, NetIQ, Okta, OneLogin, Ping Identity, Shibboleth, Generic SAML 2.0 IdP

  • Log in to Zeplin (https://app.zeplin.io) as an Owner or Admin of the organization.

  • Log in to your IdP as an IdP Administrator.

  • Check out one of the help guides above for IdP-specific settings and actions.

Migrating to SAML SSO

Zeplin uses the email address provided by your IdP as the authenticated username. For users migrating from other plans, no migration activity is needed to take advantage of SAML SSO, as long as the email address Zeplin has on record for the user matches the email address sent by your IdP.

For complex IdP setups, such as if the email address in your IdP may not match the one in Zeplin or where multiple email domains may be in use, additional IdP configuration may be required. Contact us at success@zeplin.io to talk about options.
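A pre-migration check for the email-matching requirement above, as an added example (not Zeplin's code): it sorts Zeplin member addresses into exact matches, case-only differences, same local part on another domain, and accounts missing from the IdP. The CSV layouts, column name and sample addresses are constructed assumptions; the page does not say whether Zeplin compares addresses case-sensitively, so case-only differences are reported separately.

```python
import csv
import io
from collections import defaultdict

# Constructed sample data: neither layout is defined by Zeplin or any IdP.
ZEPLIN_MEMBERS_CSV = """email
ana@example.com
Bo.Li@example.com
cy@example.com
dee@example.com
"""
IDP_USERS_CSV = """email
ana@example.com
bo.li@example.com
cy@corp.example.net
"""


def load_emails(text, column="email"):
    """Read one e-mail column from CSV text, dropping blanks and whitespace."""
    return [row[column].strip() for row in csv.DictReader(io.StringIO(text))
            if (row.get(column) or "").strip()]


def audit(zeplin_emails, idp_emails):
    """Classify every Zeplin address against the addresses the IdP will send."""
    exact = set(idp_emails)
    folded = {e.lower() for e in idp_emails}
    by_local = defaultdict(list)          # local part -> IdP addresses using it
    for e in idp_emails:
        by_local[e.lower().rsplit("@", 1)[0]].append(e)
    report = defaultdict(list)
    for email in zeplin_emails:
        local = email.lower().rsplit("@", 1)[0]
        if email in exact:
            report["match"].append(email)
        elif email.lower() in folded:
            report["case_only"].append(email)      # differs only in letter case
        elif by_local.get(local):
            report["other_domain"].append((email, by_local[local]))
        else:
            report["missing_in_idp"].append(email)
    return dict(report)


if __name__ == "__main__":
    result = audit(load_emails(ZEPLIN_MEMBERS_CSV), load_emails(IDP_USERS_CSV))
    for category, entries in result.items():
        print(f"{category}: {entries}")
```

Anything outside the `match` bucket is worth resolving before SAML SSO is made mandatory, since those users would otherwise be redirected to the IdP with an address that may not map to their existing account.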

What happens after enabling SAML SSO?

Logging in to Zeplin

You can set Zeplin to force all logins to be via SAML SSO. When users log in, if they are a member of an organization that has mandatory SAML SSO, they will be automatically redirected to your IdP. Users do not need to take any extra step, such as binding to your IdP, to be able to use SAML SSO.

Before SAML SSO is enforced, users can still log in using SAML SSO by following the "Log in with SSO" link on the login web page.

Logging out of Zeplin

Logging out of Zeplin will end the Zeplin session. However, the user will still be logged in to your IdP and may be automatically logged back in if they access any Zeplin page. At this time, Zeplin does not support Single Log Out (SLO). Remember that logging in to Zeplin, like logging in to any SAML-aware app, means you are logging in to all of your company's apps, so take care not to leave yourself logged in to the IdP.

Updating Profiles

Users who are members of a SAML SSO-enabled organization will no longer be able to update their email address in their profile.

If mandatory SAML is disabled at an organization, all affected users will be sent an email with a link to create a password so they will be able to log in.

New or changed users

Zeplin supports user provisioning via the SCIM protocol. See the article User Provisioning With SCIM for configuration information.

For manual user provisioning, your organization's Admin will need to remove users from your workspace when required.

New users will require a Zeplin account, which can be created by inviting them to the Organization. Adding new users will first alert you that this will consume one of your Enterprise plan seats.

If you would like to dig deeper into this or any other topic related to Zeplin, reach out to our Customer Success crew at success@zeplin.io to schedule a 30-minute call.
