You can use SAML-based single sign-on (SSO) to give your users access to Zeplin through an Identity Provider of your choice.
☝️ This feature is currently only available to teams on the Enterprise Plan.
Your Identity Provider
With SAML SSO, your Identity Provider (IdP) takes on the task of authenticating your users to the level required by your own policies. To begin to use SAML SSO, you will first need to configure the trust between your IdP and Zeplin.
Zeplin supports any IdP that uses standard SAML. This means that almost any SAML2.0 compliant IdP will work seamlessly with Zeplin. A number of popular IdP providers have been verified to work with Zeplin, and we have created several IdP guides to help with configuration:
- Log in to Zeplin (https://app.zeplin.io) as an Owner or Admin of the organization.
- Log in to your IdP as an IdP Administrator.
- Check out one of the help guides above for IdP-specific settings and actions.
Migrating to SAML SSO
Zeplin uses the email address provided by your IdP as the authenticated username. For users migrating from other plans, as long as the email address we know you as matches the email address from your IdP, there will be no migration activity needed to take advantage of SAML SSO.
For complex IdP setups, such as if the email address in your IdP may not match the one in Zeplin or where multiple email domains may be in use, additional IdP configuration may be required. Contact us at firstname.lastname@example.org to talk about options.
What happens after enabling SAML SSO?
Logging in to Zeplin
You can set Zeplin to force all logins to be via SAML SSO. When users log in, if they are a member of an organization that has mandatory SAML SSO, they will be automatically redirected to your IdP. There is no extra step any users will need to take, such as binding to your IdP, to be able to use SAML SSO.
Before SAML SSO is enforced, users can still log in using SAML SSO by following the "Log in with SSO" link on the login web page.
Logging out of Zeplin
Logging out of Zeplin will end the Zeplin session. However, the user will still be logged in to your IdP and may be automatically logged back in if they access any Zeplin page. At this time, Zeplin does not support Single Log Out (SLO). Remember that logging in to Zeplin, like logging in to any SAML-aware app, means you are logging in to all of your Company's apps and you should take care not to leave yourself logged in to the IdP.
Users who are a member of a SAML SSO enabled organization will no longer be able to update their email address in their profile.
If mandatory SAML is disabled at an organization, all affected users will be sent an email with a link to create a password so they will be able to log in.
New or changed users
Zeplin does not automatically handle new user provisioning at this time.
Your organization's Admin will need to remove users from your workspace when required.
New users will first require a Zeplin account, which can be created by inviting them to the Organization. Adding new users will first alert you that this will consume one of your Enterprise plan seats.