Integrating your SAML Identity Provider

Parsec for Teams provides a generic authentication provider for SAML-based authentication, which allows owners of a team on Parsec to manually configure any SAML-enabled Identity Provider (IdP). Parsec supports Service Provider initiated SSO (Single Sign-On) and Identity Provider initiated SLO (Single Logout). Parsec does not support Identity Provider initiated SSO.


Important notes

  • SAML-enabled users cannot change their password, use their old Parsec password, or set up MFA within Parsec. The Identity Provider will handle these operations instead.
  • Administrators can choose an alias for their team's SAML authentication in the Teams admin portal, to be used instead of the Team ID when logging in. Each member of your team will need to know this alias to log in via SAML.
  • Once a user sets up SAML login, they will need to use SAML as long as they're a member of your team.
  • Default settings force users to re-authenticate every 8 hours on their client devices. However, active users automatically refresh their session based on activity. Team administrators can increase the re-authentication period to up to 720 hours in the Teams admin portal.
  • IDP administrators can remove login access to Parsec via their Identity Provider. This will not invalidate a user's current session, but it will prevent them from logging in again after the session refreshes.
  • To remove someone from a Team, an Administrator will have to remove them from the Team on the Teams admin portal.
  • You cannot initiate SAML authentication from your Identity Provider; attempting to do so produces a Relay State Error. Parsec only allows logins to be initiated from the Parsec login page or from within the Parsec app.


Setting up SAML

First, register Parsec on your IdP (Identity Provider) and add the following SAML endpoints to it, replacing {teamID} with the Team ID shown in the Teams admin panel. The full endpoints are also shown in the Teams administration portal, from which you can copy and paste them.

  • ACS: https://kessel-api.parsecgaming.com/saml/acs/{teamID}

    ACS stands for Assertion Consumer Service: the Service Provider endpoint that receives the SAML assertion from your IdP and establishes a session according to the rules agreed between your IdP and the service provider it is integrating with.

  • Metadata: https://kessel-api.parsecgaming.com/saml/metadata/{teamID}

    Metadata (labelled entityID in some systems) is the configuration data that describes an IdP or an SP. Here, the Metadata endpoint serves your Parsec Team's metadata on the Service Provider side.

In addition to these endpoints, you must set the Name ID format to email address in your identity provider when setting up SAML for Parsec, so that Parsec can associate the SAML identity with the user's account. The next step is to add the metadata provided by your IdP into the Teams panel.

Directions for common SAML providers are shown below. Note that Parsec does not need to provide a signing certificate for the integration to work.

Okta

Configure SAML App

  • Visit the Applications section in Okta, and click Add Application
  • Create a new app for Parsec by clicking Create New App

okta_add_application_button.png

  • In the new window, select SAML 2.0 as the method for sign on and click Create

okta_choosing_saml.png

  • When you reach step 2 (Configure SAML), use the ACS and Metadata endpoints provided earlier. Make sure to set both the Name ID format and the Application username to EmailAddress

okta_adding_endpoints.png

Configure Default Groups (Optional)

If you are not using SCIM to manage users and groups in Parsec, SAML users will not be assigned to a group in Parsec automatically. However, you can configure default groups by sending an additional claim in the SAML response. This only applies to new users; existing users are not retroactively assigned to the default group(s). Each group must already exist in Parsec under a matching name, because a new group will not be created automatically. If you are using SCIM or do not want to assign people to a group by default, this step is optional and you can skip ahead to the next section.

  • Add a new claim named DefaultGroups whose value is a comma-delimited list of group name(s). If a group name contains a comma, surround that name with double quotes ("). Spaces after the separator (,) are optional, so either of the following forms is accepted:
    • <group_name>, <group2_name>, "<group3_name, location>", ...
    • <group_name>,<group2_name>,"<group3_name, location>", ...
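To make the claim format concrete, here is an added example (not Parsec code) that parses the DefaultGroups value exactly as described above, spaces or not, with quoted names that contain commas, and checks that the NameID uses the email address format. The assertion is a constructed sample, and case-sensitive matching against the team's existing groups is an assumption.

```python
import csv
import io
import xml.etree.ElementTree as ET

# Constructed sample of a SAML 2.0 assertion fragment carrying the
# DefaultGroups claim; this is not a real Parsec or Okta response.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="DefaultGroups">
      <saml:AttributeValue>Engineering, QA,"Sales, EMEA"</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"


def parse_default_groups(value):
    """Split a DefaultGroups claim: comma-delimited, optional spaces after
    the separator, double quotes around a name that itself contains commas."""
    reader = csv.reader(io.StringIO(value), skipinitialspace=True)
    groups = [g.strip() for row in reader for g in row]
    return [g for g in groups if g]  # drop empty fields (e.g. trailing comma)


def resolve_default_groups(assertion_xml, known_groups):
    """Return (email, matched, unmatched) for one assertion.

    Rejects assertions whose NameID is not in emailAddress format, and only
    reports groups that already exist (exact, case-sensitive match assumed);
    unknown names are returned separately and nothing is ever created."""
    root = ET.fromstring(assertion_xml)
    nameid = root.find("saml:Subject/saml:NameID", NS)
    if nameid is None or nameid.get("Format") != EMAIL_FORMAT:
        raise ValueError("NameID must use the emailAddress format")
    claimed = []
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == "DefaultGroups":
            for val in attr.findall("saml:AttributeValue", NS):
                claimed.extend(parse_default_groups(val.text or ""))
    matched = [g for g in claimed if g in known_groups]
    unmatched = [g for g in claimed if g not in known_groups]
    return nameid.text, matched, unmatched
```

Running `resolve_default_groups(SAMPLE_ASSERTION, {"Engineering", "Sales, EMEA"})` reports "QA" as unmatched, which is the situation to check for when a new SAML user ends up without an expected group.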

okta1.png

OR

okta2.png

Upload Metadata To Parsec

Now you just need to provide Parsec with the IdP metadata that your IdP supplies. In the SAML setup section of the Teams administration portal, you can either upload a metadata XML file, paste the raw contents of the metadata XML, or enter the IdP metadata manually. The most convenient method for Okta is to use the metadata XML, as demonstrated below.

  • Download the metadata XML from the Identity Provider metadata link (shown below) on the settings page of the application you created

okta_identity_provider_metadata_link.png

  • Go into the SAML section in the Teams administration portal
  • In the "Register IdP with Parsec" section, select XML
  • Click Choose File and select the metadata XML you downloaded
  • Click Parse Metadata

register_idp_panel.png

At this point, SAML should be set up. Make sure to assign the users in your IdP. After that, SAML users will join the team and consume a seat when they log in to Parsec via SAML for the first time.


SAML alias, enforcement and session settings

Some additional settings for SAML are in the Teams admin panel's 'Domain & SAML' and 'App Rules' sections.

Team Alias

Team Alias can be changed under the Domain & SAML section. You can choose an alias for your team's SAML authentication to be used instead of your Team ID when logging in. Each member of your team will need to know the alias to log in using SAML. Keep in mind the alias is globally unique, so grab yours before someone else does.

team_alias.png

Enforce SAML and session duration

These settings can be changed under the App Rules section, in 'Security settings'.

app_rules_security.png

The Enforce SAML setting forces all team members except the owner to use SAML. If you choose to enforce SAML authentication across your team, people who are already on your team will no longer be able to log in with the email and password combination they may have created previously on Parsec. Make sure every person on your team has been added to your IdP before enforcing SAML; otherwise, people will be locked out of their accounts.

Once you enforce SAML, you can no longer send team invites through Parsec; instead, you must add members of your team directly from within your IdP. A member of your team can only go back to the email/password combination they used before SAML if they leave the team. When you're ready, you can choose to email your entire team immediately upon enforcing SAML across the organization, but before you do this, please choose an alias that is easy to remember.

The Client Session Duration setting lets you dictate how long team members remain authenticated before they have to log in again. In the image above, for example, users will have to re-authenticate after 7 days of inactivity. While a user stays active, the session auto-refreshes for another 7 days; it expires only once the user has been inactive, or Parsec has not been running, for 7 days.