Step 1: Add Overleaf to your Identity Provider
For your Identity Provider (IdP) to recognize Overleaf as a trusted service, you must set up Overleaf as a Service Provider (SP). This involves taking information from Overleaf’s SAML metadata and providing it as part of a service definition within your IdP.
In some IdPs, this process is referred to as adding an application or configuring a resource. Whether this is called adding or configuring a service provider, application, or resource, the process involves taking Overleaf’s metadata and providing it to your IdP by uploading it or pasting it into provided fields.
This requires you to log in to your IdP and update its configuration. If you do not have access to your IdP, you will likely have to work with a member of your IT Services team to complete this step.
If your IT team requires some information about security and privacy, please note that Overleaf, as part of Digital Science & Research Solutions Limited, is certified in compliance with ISO/IEC 27001:2013 (Information Security Management System). Please see our Security Overview and Privacy Notice, and if more information is needed, please contact us.
To complete this step, you'll need to provide information about Overleaf to your Identity Provider. This usually involves creating an application for Overleaf in your IdP and uploading or copying some of the data from Overleaf's SAML metadata file.
Some IdPs allow you to complete part of the service provider configuration by uploading an XML file that contains the SAML metadata, or by providing a URL to the metadata file. If either option is available, you can use the XML file published at this URL: https://www.overleaf.com/saml/group-sso/meta. You can also download the Overleaf Group Professional metadata from your Group subscription settings.
Note that the Overleaf metadata used to set up SSO for your team is not the same metadata that is published for higher-education consumers in UKAMF, Edugain, and other federations. Please be sure to use the metadata described here, and not metadata obtained from these federated sources.
Overleaf supports only a Service Provider-initiated (SP-initiated) SSO login process. Some IdPs also allow you to configure an Identity Provider-initiated (IdP-initiated) login process; this is not supported for logging in to Overleaf.
The following data from the Overleaf SAML metadata can also be directly added to the Overleaf service definition in your IdP.
entityID
This value is found in the entityID attribute of the EntityDescriptor element in the Overleaf group SAML metadata file.
The entityID is a unique identifier for the Overleaf Group SSO service.
Some IdPs refer to this as the Audience URI, the Service Provider Issuer, the Audience Restriction, or the Relying Party Trust Identifier.
SAML signing certificate or X509 Certificate
This value is the content of the X509Certificate element in the Overleaf group SAML metadata file.
Your IdP uses the Overleaf SAML signing certificate to verify the signature on the SAML authentication request that Overleaf sends to it.
This is sometimes referred to as the Signature Certificate or the Verification Certificate.
Assertion Consumer Service (ACS) endpoint
https://www.overleaf.com/saml/group-sso/callback
This value is the Location attribute of the AssertionConsumerService element in the Overleaf group SAML metadata file.
This is the endpoint that your IdP will post SAML responses to.
This URL is also known as the Single sign-on URL, the destination, recipient, callback URL, reply URL, or SAML Assertion Endpoint.
Your IdP may also ask for optional settings such as IdP-initiated login and Single Logout. Neither is currently supported by Overleaf.
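The three values above all come from the same SP metadata file. The following script, added here as an example and not part of Overleaf's own tooling, pulls them out of a constructed stand-in for that file (the ACS location is the one given on this page; the entityID and the certificate bytes are placeholders), rejects IdP metadata or a corrupted certificate, and reports whether Single Logout is advertised, so an IdP admin can check what they are about to paste rather than trust a copy/paste by eye.

```python
import base64
import textwrap
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed stand-in for the Overleaf SP metadata: the ACS location is the one on this page;
# the entityID is a placeholder and the "certificate" is a five-byte DER SEQUENCE, not a real cert.
SAMPLE_CERT = base64.b64encode(b"\x30\x03\x02\x01\x05").decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="urn:example:placeholder-overleaf-entity-id">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{SAMPLE_CERT}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:AssertionConsumerService Binding="{HTTP_POST}"
        Location="https://www.overleaf.com/saml/group-sso/callback" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def extract_sp_settings(metadata_xml: str) -> dict:
    """Return the values an IdP admin copies from SP metadata, and whether SLO is advertised."""
    root = ET.fromstring(metadata_xml)
    sp = root.find("md:SPSSODescriptor", NS)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor" or sp is None:
        raise ValueError("expected SP metadata (EntityDescriptor containing SPSSODescriptor)")
    certs = []
    for kd in sp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # a KeyDescriptor without 'use' also signs
            continue
        el = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        b64 = "".join((el.text or "").split()) if el is not None else ""  # drop line breaks
        der = base64.b64decode(b64, validate=True)  # rejects a corrupted copy/paste
        if not der or der[0] != 0x30:  # a DER certificate starts with a SEQUENCE tag
            raise ValueError("X509Certificate content is not a DER-encoded certificate")
        certs.append(b64)
    post_acs = [a.get("Location") for a in sp.findall("md:AssertionConsumerService", NS)
                if a.get("Binding") == HTTP_POST]
    if not certs or not post_acs:
        raise ValueError("SP metadata lacks a signing certificate or an HTTP-POST ACS")
    return {"entity_id": root.get("entityID"), "acs_url": post_acs[0], "signing_certs": certs,
            "single_logout": sp.find("md:SingleLogoutService", NS) is not None}


def as_pem(cert_b64: str) -> str:
    """Wrap the bare base64 from the metadata as a PEM block for IdPs that want a file."""
    body = "\n".join(textwrap.wrap(cert_b64, 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"
```

Run it against the real file downloaded from the metadata URL above by passing its contents to extract_sp_settings instead of SAMPLE_METADATA.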
You will need to send some data to Overleaf when users are authenticated. In some cases, your IdP may have existing attribute release policies or may offer the option to release all claims. Overleaf only requires a minimal set of data to be released.
unique identifier
Overleaf only requires one attribute: a unique, persistent, and non-reassignable identifier. We recommend a non-email unique identifier, as emails are not always persistent and often change when a user’s first or last name changes. A unique identifier (system id) that is formatted as an email is acceptable if it is unique, persistent, and non-reassignable.
This unique identifier is used by Overleaf to look up each user's Overleaf account when they log in. In some cases, this is a UUID or System ID. End users will not see this unique identifier; it is used behind the scenes during the login process. When using Overleaf, users identify their accounts by the primary email address they registered with Overleaf, but when logging in with SSO it is the unique identifier that the system uses to identify them.
The unique identifier can be released as the NameID or can be released under any attribute name.
Make a note of the attribute name for the unique identifier claim that is being released. You will need to provide this name to Overleaf in Step 2.
first and last name attributes
The optional first and last name attributes will be used by Overleaf to fill in the Account Settings of users who register for Overleaf accounts by signing in through SSO.
Make a note of the attribute names for the first and last name claims that are being released.
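To record the attribute names your IdP actually releases, and to sanity-check the one chosen as the unique identifier against the requirements above (single-valued, persistent, not a transient NameID, ideally not an email), the following script is added as an example; it is not Overleaf's code. The assertion it parses is constructed, and the attribute name urn:example:systemId and the sample values are placeholders standing in for whatever your IdP's schema uses.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TRANSIENT_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# Constructed assertion body, as a test login through an IdP might release it.
# Attribute names and values are sample data, not a real IdP's schema or real users.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_tmp-8f21</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:example:systemId">
      <saml:AttributeValue>7f3a9c12-0000-4000-8000-000000000001</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="givenName"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="sn"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def released_claims(assertion_xml: str) -> dict:
    """Map each released attribute name to its values; the NameID is stored under 'NameID'."""
    root = ET.fromstring(assertion_xml)
    claims = {}
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is not None:
        claims["NameID"] = {"format": name_id.get("Format"), "values": [name_id.text]}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text for v in attr.findall("saml:AttributeValue", NS)]
        claims[attr.get("Name")] = {"format": None, "values": values}
    return claims


def check_identifier_claim(claims: dict, attr_name: str) -> list:
    """Warnings about using the named claim as the unique, persistent, non-reassignable id."""
    claim = claims.get(attr_name)
    if claim is None:
        return [f"{attr_name!r} is not released; check the IdP attribute release policy"]
    problems = []
    if len(claim["values"]) != 1 or not (claim["values"][0] or "").strip():
        problems.append(f"{attr_name!r} must carry exactly one non-empty value")
    if attr_name == "NameID" and claim["format"] == TRANSIENT_FORMAT:
        problems.append("transient NameID changes on every login and cannot look up an account")
    if any("@" in (v or "") for v in claim["values"]):
        problems.append("value looks like an email; acceptable only if it never changes or is reused")
    return problems
```

The keys of the dictionary returned by released_claims are exactly the attribute names you will need to give Overleaf in Step 2.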
You must authorize access to the Overleaf service for at least one user, who will be used to test the SSO trust relationship and attribute release.
You can choose to authorize all your team members at this point, or this can be done later. Users who are authorized to access Overleaf through Group SSO must also be invited to the group subscription on the Overleaf side.
The test user does not need to be invited to the Overleaf group subscription. Any valid user account in your IdP can be used to test the SSO setup in Overleaf. No data will be saved for this test account, and no Overleaf account will be created for the test user during the testing phase.
You will need to provide metadata from your IdP to Overleaf in Step 2. Some IdPs generate specific metadata for each Service Provider, while some use common endpoints and certificates for all Service Providers.
In many cases, IdP SAML metadata is provided in the form of an XML file. In Step 2, Overleaf will require your IdP's single sign-on service HTTP-Redirect location and the signing certificate your IdP uses for Overleaf.