Single Sign-On via SAML is available for customers on an Enterprise plan in ftrack 3.5.15 and later. Contact support if you do not see the option in System settings.

Using Security Assertion Markup Language (SAML), a user can sign in to ftrack via Single Sign-On (SSO) by authenticating with one of the many identity providers that support SAML. With SSO, users don’t need to remember usernames and passwords and can sign in to all supported cloud applications by signing in once. For administrators, it’s incredibly useful because all services and accounts can be managed in one central location.

With an Enterprise account, ftrack can be configured to authenticate users over SAML from System settings. You may allow existing users, whether manually created in ftrack or synced from LDAP, to authenticate with SAML. If enabled, users can also be created automatically when authenticated if they do not already exist.

Follow the instructions below to set up SAML authentication using one of the verified providers or see the generic instructions for other providers. Once you have configured the SAML identity provider in ftrack, you may test the configuration before enabling it.


See instructions for setting up SAML applications using OneLogin.

Add a new “SAML Test Connector (IdP w/attr)” application and give it a name and description. On the SSO tab, copy the following values to ftrack:

Issuer URL
    Entity ID

SAML 2.0 Endpoint
    Identity Provider single sign on service URL

SLO Endpoint
    Identity Provider single sign logout service URL

In the configuration tab, add the following settings:

ACS (Consumer) URL Validator
    <server url>/saml/metadata

ACS (Consumer) URL
    <server url>/saml/acs

Single Logout URL
    <server url>/saml/slo

Remember to add the application to your users before testing it.


See instructions for setting up SAML applications using Okta.

Navigate to Applications > <Your application> in the Developer console Classic UI. Select the Sign on tab and click View setup instructions.

Copy the (1) Sign on and (2) Sign out to ftrack Settings. The (3) Identity Provider Issuer should be copied to the Entity ID setting. Copy the (4) Certificate and paste the contents of the text file as Identity provider public key. Under the advanced settings field, add the following:

{"security": { "wantAttributeStatement": false }}

In the Okta developer console, edit your application and add the following:

Single sign on URL
    <server url>/saml/acs

Audience URI (SP Entity ID)
    <server url>/saml/metadata

Google G Suite

See Set up your own custom SAML application using SAML-based Federated SSO for detailed instructions.

Navigate to SAML Apps within your Google admin console and select to create a new custom app.

Copy the options for SSO URL and Entity ID to ftrack settings. Download the certificate and paste the contents of the text file as “Identity provider public key”. Under the advanced settings field, add the following:

{"security": { "wantAttributeStatement": false }}

In Google admin, on the step “Service Provider Details”, add the following:

    <server url>/saml/acs

Entity ID
    <server url>/saml/metadata

If you select “Signed Response” in Google’s settings, you’ll need to provide valid ftrack private and public keys in ftrack settings.

Other identity providers

Configure your identity provider

The first step is to configure your identity provider. A wide variety of identity providers should be supported, but so far we have only had a chance to confirm a few. See below for instructions on how to configure SAML for other providers.

The SAML endpoints supported by your ftrack instance are as follows:

Service Provider Entity ID (Metadata)
    <server url>/saml/metadata

Assertion consumer service (ACS) URL
    <server url>/saml/acs

Single Logout service (SLO) URL
    <server url>/saml/slo

Configure your ftrack instance

The next step is to configure ftrack. The configuration options are reachable from System Settings -> SAML Settings.

Enable SAML login
Whether or not to enable authentication through SAML. Not required to test the configuration.

Create user on login
If enabled, users who can authenticate through the identity provider but do not yet have an ftrack account will be created upon first login. If this option is not enabled, you must make sure that the users already exist in ftrack and are of the type “saml”. Alternatively, you can configure users synchronized through LDAP to be able to authenticate through SAML from the “System Settings” -> “LDAP Settings” page by setting the “Allowed authentication method” to SAML.

Entity ID (required)
The identifier of the identity provider. It should be a URI and may be referred to as Issuer URL, Entity ID, SAML metadata URL, or similar.

Identity Provider single sign on service URL (required)
URL Target of the IdP where the Authentication Request Message will be sent. May be referred to as SSO URL, SAML endpoint, or similar.

Identity Provider single sign logout service URL (optional)
URL Location of the IdP where SLO (Single Logout) Request will be sent. May be referred to as SLO URL, SLO Endpoint, or similar.

ftrack public key (optional)
Public x509 certificate of the service provider (ftrack).

ftrack private key (optional)
If you wish to use an identity provider with signed assertions and encryption, specify your private key here.

Identity provider public key (required)
Public x509 certificate of the Identity Provider. May be referred to as Certificate, X.509 Certificate, etc. If provided as a file, copy the contents and paste them in the field.

Advanced settings (optional)
A JSON-formatted dictionary that will be merged with the primary settings. It can be used when the identity provider requires options that are not available as regular options. For additional information see the python-saml documentation.
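A pre-flight check for the settings described above, as an added example that is not ftrack's own code: it lays the form values out in python-saml's settings structure, merges the advanced settings JSON over them, and reports results worth reviewing before SAML login is enabled. The form key names, the example hostnames and the assumption that ftrack performs a recursive dictionary merge are assumptions, not taken from the page.

```python
import json
from urllib.parse import urlparse

def deep_merge(base, extra, path, replaced):
    """Merge extra over a copy of base; record dotted paths it replaces."""
    out = dict(base)
    for key, value in extra.items():
        here = f"{path}.{key}" if path else key
        if isinstance(value, dict) and isinstance(out.get(key), dict):
            out[key] = deep_merge(out[key], value, here, replaced)
        else:
            if key in out:
                replaced.append(here)
            out[key] = value
    return out

def preflight(server_url, form, advanced_json="{}"):
    """Return (settings, findings) for the SAML form values plus advanced JSON."""
    base = server_url.rstrip("/")
    primary = {  # python-saml settings layout
        "sp": {"entityId": f"{base}/saml/metadata",
               "assertionConsumerService": {"url": f"{base}/saml/acs"},
               "singleLogoutService": {"url": f"{base}/saml/slo"}},
        "idp": {"entityId": form["entity_id"],
                "singleSignOnService": {"url": form["sso_url"]},
                "x509cert": form["idp_cert"]},
    }
    replaced = []
    settings = deep_merge(primary, json.loads(advanced_json), "", replaced)
    findings = [f"advanced settings replace {p}" for p in replaced]
    urls = {"sp ACS": settings["sp"]["assertionConsumerService"]["url"],
            "idp SSO": settings["idp"]["singleSignOnService"]["url"]}
    for name, url in urls.items():
        if urlparse(url).scheme != "https":
            findings.append(f"{name} URL is not https: {url}")
    cert = settings["idp"].get("x509cert", "")
    if "PRIVATE KEY" in cert:
        findings.append("idp x509cert holds a private key, not a certificate")
    elif not cert.strip():
        findings.append("idp x509cert is empty")
    if settings.get("strict") is False:
        findings.append("strict=false relaxes python-saml response validation")
    return settings, findings

# Constructed sample values; the form key names are hypothetical.
FORM = {"entity_id": "https://idp.example.com/metadata",
        "sso_url": "https://idp.example.com/sso",
        "idp_cert": "-----BEGIN CERTIFICATE-----\n(constructed)\n-----END CERTIFICATE-----"}
ADVANCED = '{"security": {"wantAttributeStatement": false}}'  # from the page
print(preflight("https://ftrack.example.com", FORM, ADVANCED)[1])
```

The advanced settings shown for Okta and Google only add a key under "security", so the check reports nothing for them; an advanced JSON that redefines the IdP entity ID or certificate is reported as a replacement of the form value.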
