Chalk supports Single Sign-On (SSO) and is compatible with any Identity Provider that supports SAML 2.0, including but not limited to:

Supported Features

Chalk supports both Identity Provider (IdP)-initiated SSO login and Service Provider (SP)-initiated login, using well-known email domains submitted by your team.

Chalk also supports just-in-time user provisioning, which allows users to access the dashboard even if they have not been explicitly invited by an owner. Users who log in via SSO with this provisioning will have the Viewer role.

Customers with Self-Hosted Web Dashboards

For customers whose self-hosted deployments include a full API server and frontend deployment via helm, this page is only part of the setup needed to configure SAML. After completing this guide, please refer to the Cloud Auth documentation to complete setup.

For the rest of the setup, screenshots will refer to example environments on the https://chalk.ai site. Note that the values will differ from those found on your deployment’s Single Sign-On page, and the latter should be used when setting up SAML applications.

Setup Steps

For team owners, all configuration can be found in the settings section of your environments, under “Single Sign-On”. This page includes both the details needed to set up a SAML application in your identity provider, as well as the form to submit SAML certificates and well-known email domains that can access your SAML application.

Identity Provider Setup

The details necessary to set up a SAML application within your Identity Provider can be found at the bottom of the page:

SAML Idp Setup Details

In addition, it is important that the following is configured in your SAML application:

  • The main assertion subject should be the email.
  • Chalk requires that assertions be signed, but not necessarily encrypted with our certificate.

For detailed steps on how to set up a SAML application with a certain identity provider, follow these guides:

Chalk Setup

After creating a SAML application within your identity provider, the Single Sign-On page is where you can submit details to Chalk to add a new application. At the top of the page, there is a button to add additional configurations. To integrate your SAML application with Chalk, the following details are needed:

  • Name
    • This is not a field provided by your identity provider, but rather a Chalk-internal name used to reference this application. If your team uses multiple SSO applications, this will be shown to users when using “Sign In via SSO” from our login page.
  • Issuer
  • Login URL
  • Logout URL (this might be the same as the Login URL)
  • Signing Certificate

If your Identity Provider provides a metadata XML file, this will contain all the necessary fields and can be submitted in lieu of inputting the above fields.
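Before submitting a metadata file, it helps to confirm what it actually contains. The following is an added example, not Chalk's own code: it reads IdP metadata and reports the form fields listed above plus whether the email NameID format is offered. The field mapping (Issuer = `entityID`, Login URL = `SingleSignOnService`, Logout URL = `SingleLogoutService`) is the standard SAML 2.0 metadata layout and is an assumption about how the file corresponds to the form; the function name and sample document are constructed.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample; the certificate body is placeholder bytes, not a real X.509 certificate.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.com/saml/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      Q09OU1RSVUNURUQtUExBQ0VIT0xERVItQ0VSVA==
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Location="https://idp.example.com/saml/sso"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
    <md:NameIDFormat>{EMAIL_FORMAT}</md:NameIDFormat>
    <md:SingleSignOnService Location="https://idp.example.com/saml/sso"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def extract_idp_fields(metadata_xml: str) -> dict:
    # The stdlib parser suits a file from your own IdP; prefer defusedxml for untrusted XML.
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if root.get("entityID") is None or idp is None:
        raise ValueError("not a single-entity IdP metadata document")
    # A KeyDescriptor without a 'use' attribute serves both signing and encryption.
    certs = ["".join(c.text.split())
             for kd in idp.findall("md:KeyDescriptor", NS)
             if kd.get("use") in (None, "signing")
             for c in kd.findall(".//ds:X509Certificate", NS) if c.text]
    if not certs:
        raise ValueError("no signing certificate, so signed assertions cannot be checked")
    def location(tag):
        el = idp.find(f"md:{tag}", NS)
        return None if el is None else el.get("Location")
    formats = [f.text.strip() for f in idp.findall("md:NameIDFormat", NS) if f.text]
    return {
        "issuer": root.get("entityID"),
        "login_url": location("SingleSignOnService"),
        "logout_url": location("SingleLogoutService"),
        "signing_cert_sha256": hashlib.sha256(base64.b64decode(certs[0])).hexdigest(),
        "email_subject_supported": EMAIL_FORMAT in formats,
    }

if __name__ == "__main__":
    print(extract_idp_fields(SAMPLE_METADATA))
```

Comparing the reported SHA-256 fingerprint with the one shown in your identity provider's console confirms the file carries the signing certificate you expect.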

Once the configuration is submitted, the SAML application will be ready to use and can be tested from your identity provider.

SAML Chalk Setup Details

Sign in Via SSO

Chalk supports sign-in via SSO from our dashboard’s login page if your email domain is registered with Chalk. Email domains are available to set up once a SAML application is configured for your team.

To register your domain with Chalk:

  • Navigate to your team’s Single Sign-On page
  • In the section “Email Domains”, add any domains used by your team, and which SAML applications they should be redirected to
    • If multiple configurations are selected, users will choose which one to redirect to from our login page
  • Your email domain will be submitted for review with the Chalk Support team. Once approved, emails matching your team’s domains will redirect to your team’s configured SAML applications.

Chalk Sign in With SSO