How to configure SAML single sign-on (SSO) in Otter.ai


SAML-based single sign-on (SSO) gives members access to Otter through an identity provider (IDP) of your choice.

Otter supports
• Identity Provider (IdP) Initiated Flow
• Service Provider (SP) Initiated Flow
• Just-in-time (JIT) provisioning. An Otter account is created on the fly from the SAML attributes when a user logs in to Otter via IdP-initiated login.
• Assertion and NameID Encryption
• Session duration configured in your IdP

Who can use this feature
• Available to Otter for Enterprise plan (100 seats minimum) only
• Only the admin can configure SSO for the team. Once configured, SSO is available for use for every team member.

If your organization uses Okta as the identity provider, please read the setup guide here. Otherwise, please continue.


Before you start ...
Please contact your Otter.ai account manager to enable SSO before proceeding to the following setup steps.

Step 1: Configure your identity provider

Before you start: know your Team Handle

On the Otter.ai Team Settings page, choose the "Settings & Security" tab, locate "SAML Authentication", and click "Configure". You can find your team handle at the top of the popup dialog.

NOTE: Replace yourhandle in the following instructions with your team’s handle

Single Sign On URL

Also known as “SSO post-back URL”, “Assertion Consumer Service URL”, “ACS URL”

https://otter.ai/saml/yourhandle

Entity ID

Also known as “Audience”

https://otter.ai/saml/metadata/yourhandle

NameID

NameID must be unique, pseudo-random, and must not change for the user over time — like an employee ID number. The NameID Format must be “persistent”.

<saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">
        userName
    </saml2:NameID>
</saml2:Subject>

Attributes

Otter supports the following SAML Attribute formats:

urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
urn:oasis:names:tc:SAML:2.0:attrname-format:uri

  • first_name: (required) the user’s first name
    <saml2:Attribute Name="first_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml2:AttributeValue xsi:type="xs:string">
            first_name_value
        </saml2:AttributeValue>
    </saml2:Attribute>
    or
    <saml2:Attribute Name="urn:oid:2.5.4.42" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml2:AttributeValue xsi:type="xs:string">
            first_name_value
        </saml2:AttributeValue>
    </saml2:Attribute>
  • last_name: (required) the user’s last name
    <saml2:Attribute Name="last_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml2:AttributeValue xsi:type="xs:string">
            last_name_value
        </saml2:AttributeValue>
    </saml2:Attribute>
    or
    <saml2:Attribute Name="urn:oid:2.5.4.4" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml2:AttributeValue xsi:type="xs:string">
            last_name_value
        </saml2:AttributeValue>
    </saml2:Attribute>
  • email: (required) the user’s email address
    <saml2:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml2:AttributeValue xsi:type="xs:string">
            email_value
        </saml2:AttributeValue>
    </saml2:Attribute>
    or
    <saml2:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml2:AttributeValue xsi:type="xs:string">
            email_value
        </saml2:AttributeValue>
    </saml2:Attribute>
    or
    <saml2:Attribute Name="urn:oid:1.2.840.113549.1.9.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml2:AttributeValue xsi:type="xs:string">
            email_value
        </saml2:AttributeValue>
    </saml2:Attribute>
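The NameID and attribute rules above are what a service provider has to enforce before it JIT-provisions an account from an assertion. The following is an added example, not Otter.ai's code: it parses a constructed assertion, rejects any NameID whose Format is not the persistent one, and resolves the required fields whether the IdP sends them under the unspecified names (first_name, last_name, email) or under the URI/OID names listed above. It assumes a real SAML library has already verified the signature, decrypted the assertion if encryption is required, and checked audience, recipient and timestamps; the sample assertion, subject value and names are all constructed for the example.

```python
"""Subject and attribute checks before JIT-provisioning a profile from a SAML assertion.

Added example, not Otter.ai's code. Signature, decryption and audience/timing
checks are assumed to have been done by a real SAML library beforehand.
"""
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"  # not accepted
FMT_UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
FMT_URI = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"

# (NameFormat, Name) -> profile field, using exactly the names and OIDs listed above.
ATTR_MAP = {
    (FMT_UNSPECIFIED, "first_name"): "first_name",
    (FMT_URI, "urn:oid:2.5.4.42"): "first_name",
    (FMT_UNSPECIFIED, "last_name"): "last_name",
    (FMT_URI, "urn:oid:2.5.4.4"): "last_name",
    (FMT_UNSPECIFIED, "email"): "email",
    (FMT_URI, "urn:oid:0.9.2342.19200300.100.1.3"): "email",
    (FMT_URI, "urn:oid:1.2.840.113549.1.9.1"): "email",
}
REQUIRED = ("first_name", "last_name", "email")


class SamlProfileError(ValueError):
    """Raised when the assertion must not be used to provision an account."""


def extract_profile(assertion_xml: str) -> dict:
    root = ET.fromstring(assertion_xml)

    name_id = root.find(".//saml2:Subject/saml2:NameID", NS)
    if name_id is None:
        raise SamlProfileError("assertion has no NameID")
    if name_id.get("Format") != PERSISTENT:
        raise SamlProfileError("NameID Format must be persistent, got %r" % name_id.get("Format"))
    subject = (name_id.text or "").strip()
    if not subject:
        raise SamlProfileError("NameID is empty")

    profile = {"name_id": subject}
    for attr in root.findall(".//saml2:AttributeStatement/saml2:Attribute", NS):
        # SAML 2.0 treats a missing NameFormat as 'unspecified'.
        key = (attr.get("NameFormat", FMT_UNSPECIFIED), attr.get("Name"))
        field = ATTR_MAP.get(key)
        if field is None:
            continue  # unknown attributes are ignored, never mapped by guesswork
        value = attr.find("saml2:AttributeValue", NS)
        text = (value.text or "").strip() if value is not None else ""
        if field in profile and profile[field] != text:
            # e.g. the two email OIDs disagreeing: refuse rather than pick one
            raise SamlProfileError("conflicting values for %s" % field)
        profile[field] = text

    missing = [f for f in REQUIRED if not profile.get(f)]
    if missing:
        raise SamlProfileError("missing required attribute(s): " + ", ".join(missing))
    return profile


def try_extract(assertion_xml: str):
    """Return (profile, None) on success or (None, reason) on rejection."""
    try:
        return extract_profile(assertion_xml), None
    except SamlProfileError as exc:
        return None, str(exc)


# --- constructed sample assertions (unsigned; see module docstring) ----------
def make_assertion(name_id_format: str, attrs) -> str:
    """Build a minimal assertion; attrs is a list of (Name, NameFormat, value)."""
    attr_xml = "".join(
        '<saml2:Attribute Name="%s" NameFormat="%s">'
        '<saml2:AttributeValue xsi:type="xs:string">%s</saml2:AttributeValue>'
        '</saml2:Attribute>' % (name, fmt, value)
        for name, fmt, value in attrs
    )
    return (
        '<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" '
        'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" '
        'xmlns:xs="http://www.w3.org/2001/XMLSchema">'
        '<saml2:Subject><saml2:NameID Format="%s">e7c1a0b4-9f3d</saml2:NameID></saml2:Subject>'
        '<saml2:AttributeStatement>%s</saml2:AttributeStatement>'
        '</saml2:Assertion>' % (name_id_format, attr_xml)
    )


URI_ATTRS = [  # constructed values
    ("urn:oid:2.5.4.42", FMT_URI, "Ada"),
    ("urn:oid:2.5.4.4", FMT_URI, "Lovelace"),
    ("urn:oid:0.9.2342.19200300.100.1.3", FMT_URI, "ada@example.com"),
    ("urn:oid:1.2.840.113549.1.9.1", FMT_URI, "ada@example.com"),
]
UNSPECIFIED_ATTRS = [
    ("first_name", FMT_UNSPECIFIED, "Ada"),
    ("last_name", FMT_UNSPECIFIED, "Lovelace"),
    ("email", FMT_UNSPECIFIED, "ada@example.com"),
]

if __name__ == "__main__":
    print(try_extract(make_assertion(PERSISTENT, URI_ATTRS)))
    print(try_extract(make_assertion(EMAIL_FMT, URI_ATTRS)))
    print(try_extract(make_assertion(PERSISTENT, UNSPECIFIED_ATTRS[:2])))
```

Two design points worth noting: an emailAddress-format NameID is rejected outright rather than tolerated, because an account keyed on a mutable value breaks the "will not change over time" guarantee the page asks for, and when the same field arrives under two names with different values the code refuses the assertion instead of silently preferring one, since a provisioning step should never have to guess which identity the IdP meant.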

SAML Metadata

If your IdP asks for a SAML metadata XML file during setup, it can be downloaded at

https://otter.ai/saml/metadata/yourhandle

Step 2: Set up SAML SSO for Otter

  1. Visit https://otter.ai/manage-team/team-settings
  2. In the Privacy & Security tab, find SAML Authentication. Click “Configure”.
  3. Enter your SAML Endpoint URL (this came from setting up your identity provider earlier). This is where authentication requests from Otter will be sent.
  4. Enter your Identity Provider Issuer URL (also known as the IdP Entity ID).
  5. Copy the entire x.509 Public Certificate from your identity provider.
  6. (Optional) In advanced settings, you can choose to sign the AuthnRequest. You can also choose to require SAML Assertion and NameID encryption. Make sure the configuration in your IdP matches the selections in Otter.
  7. To save changes, click “Save and Test”. A test authentication will be attempted to verify your configuration.
  8. You can enable SSO for your team once the above test passes. Upon enabling, SSO is optional, and other sign-in methods are still allowed. This is recommended during the testing period to ensure your team members have an uninterrupted experience.
  9. When it's ready, remember to change to require SSO for all team members, so as to prevent members from using other sign-in methods.

If you encounter problems during the setup, please contact support@otter.ai for help.