Setting up SAML SSO

Here’s a quick guide on how to set up SAML SSO both in your IdP and in your Workspace.

Before starting this process, make sure SSO is enabled in Sketch — check there’s an SSO tab in your Workspace admin panel.

You’ll first need to configure SAML SSO in your IdP — you’ll find the instructions to do so for different IdP providers below. Once that’s done, you’ll need to set up SAML SSO in your Workspace.

Note: For any IdP, listed below or otherwise, the NameID attribute needs to be a static, persistent value that does not change between user sessions, because this is the value used to identify users. On hosted IdPs this is usually the case by default. If you are using a self-hosted IdP (e.g. KeyCloak), please make sure this is configured correctly.

OneLogin set-up

  1. Log in to your OneLogin Admin account.
  2. Head to Administration in the toolbar and go to the Admin panel.
  3. Head to Applications > Applications > Add Apps
    An image showing the applications menu in Onelogin


  4. In the search box, type SAML Test Connector (Advanced) and click on the matching search result.
    An image showing where to add the app


  5. Type Sketch in the name field and add a description and Sketch’s logo (optional).
    An image showing where to type Sketch in the name field


  6. Head to the Configuration page and fill in the following fields:

    • Audience (EntityID): https://sso.sketch.com
    • Recipient: https://sso.sketch.com/saml/acs
    • ACS (Consumer) URL Validator: https://sso.sketch.com/saml/acs
    • ACS (Consumer) URL: https://sso.sketch.com/saml/acs

      Important: Make sure that there are no spaces at the end of these fields — otherwise, the SSO process will fail.

  7. Make sure the following fields are filled in as follows:
    An image showing how to fill the fields in Login


  8. Head to the Parameters page and add the following fields. Make sure that Include in SAML assertion is checked for every field.
    An image showing the SAML parameters in OneLogin
    An image showing how to tick the include SAML assertion box


  9. Click Save.
  10. Head to the More Actions menu in the top right corner and select SAML Metadata to export the XML file — you’ll need it when setting up SAML SSO in Sketch.
    An image showing how to export the metadata file in Onelogin


  11. Now head to How to set up SAML SSO in your Workspace to finish the SAML SSO process in your Workspace.

Google Workspaces set-up

  1. Log in to your Google Suite Workspace with an Admin account.
  2. Head to the Apps section.
    An image showing the apps section in Google Suite


  3. Click on the Add app menu.
    An image showing the add app menu in Google Workspaces


  4. Click on the Add custom SAML app button to add a new SAML application.
    An image showing how to add a new SAML application in Google Suite


  5. Type Sketch in the Application Name field and upload Sketch’s logo. Click Continue when you’re ready.
    An image showing where to type a name for the application


  6. Download the IdP Metadata .XML file (latest option) — you’ll need it when setting up SAML SSO in your Workspace. Click Continue.
    An image showing how to add a new SAML application in Google Suite


  7. Type the following information for each field:

    • ACS URL: https://sso.sketch.com/saml/acs
    • Entity ID: https://sso.sketch.com
    • Start URL:
    • Tick the checkbox: Signed Response
    • Name ID: Basic info - Primary Email
    • Name ID Format: UNSPECIFIED

      Important: Make sure that there are no spaces at the end of these fields — otherwise, the SSO process will fail.

      An image showing where to include the service provider details


  8. Click Continue.
  9. Click Add Mapping.
    An image showing how to add a new mapping
  10. Add the following three mappings:
    An image showing three mappings parameters


  11. Click Finish.
  12. Then, click on User Access.
    An image showing the user access preferences


  13. Make sure the SAML app is enabled for everyone — or for the users and groups that you want.
    An image showing how to change user access preferences


  14. Head to How to set up SAML SSO in your Workspace to finish the SAML SSO process in Sketch.

Okta set-up

  1. Log in as an Admin.
  2. Head to the Admin Console by clicking Admin in the upper-right corner.
  3. Go to Applications > Applications.
    An image showing three mappings parameters


  4. Click Add Application.
    An image showing three mappings parameters


  5. Click Create New App.
    An image showing three mappings parameters


  6. Select SAML 2.0 and click Next.
    An image showing three mappings parameters


  7. Type Sketch as the App name and add Sketch’s logo as the app logo. Click Next.
  8. Complete the SAML settings with the following information:

    • Single sign on URL: https://sso.sketch.com/saml/acs
    • Audience URL (SP Entity ID): https://sso.sketch.com
      An image showing three mappings parameters

      Important: Make sure there are no spaces at the end of each field — otherwise, the SSO process will fail.

  9. Enter the following attributes:
    An image showing three mappings parameters


  10. Click Next.
  11. Complete the form as shown in the image.
    An image showing three mappings parameters


  12. Click Finish.
  13. Click on the Identity Provider metadata link to get a metadata.XML file — you’ll need it when setting up SAML SSO in Sketch.
    An image showing three mappings parameters


  14. Head to the Assignments tab and give users or groups access to your Workspace.
    An image showing where the Assignments tab is


  15. Now head to How to set up SAML SSO in your Workspace to finish the SAML SSO process in Sketch.

Azure Active Directory set-up

  1. Log in to Azure as an Admin.
  2. Go to the Azure Active Directory and then click on Enterprise applications.
    An image showing where the Azure Active Directory is in the sidebar
    An image showing where the Enterprise application tab is in the sidebar


  3. Click on New application.
    An image showing the new application button


  4. Click on Create your own application.
    An image showing the create your own application button


  5. Type Sketch to name the app and click Create.
    An image showing where to type Sketch


  6. Select Single sign-on in the left side menu.
    An image showing the single sign on tab


  7. Click SAML.
    An image showing the SAML button


  8. Complete the Basic SAML configuration and User Attributes & Claims with the following information:

    • Identifier (Entity ID): https://sso.sketch.com
    • Reply URL (Assertion Consumer Service URL): https://sso.sketch.com/saml/acs

      Important: Make sure there are no spaces at the end of each field — otherwise, the SSO process will fail.

      Note: If you are using Safari, you might have trouble typing in the text field. We’d recommend trying another browser.

  9. Download the Federation Metadata XML in the SAML Signing Certificate section — you’ll need it when setting up SAML SSO in Sketch.


  10. Head to Users and Groups to give access to Sketch to relevant users.


  11. Go to How to set up SAML SSO in your Workspace to finish the SAML SSO process in Sketch.

TrustLogin set-up (only Chrome)

  1. Log in as an Admin in the TrustLogin Admin portal.
  2. Head to Apps on the left sidebar.
    An image showing the apps section in Trustlogin.


  3. Click on Add own SAML app in the right-side corner.
    An image showing what button to click to add your own SAML app.


  4. Type Sketch as the App name and upload Sketch’s logo as the app logo.
    An image showing where to type Sketch and where to upload the logo.


  5. Click on Download metadata to download the metadata.XML file — you’ll need this file when setting up SAML SSO in Sketch.
    An image showing where the download metadata link is.


  6. Complete the configuration using the following information:
    An image showing the information to complete the configuration.


  7. Click Configure and add the following attributes. In the IdP’s Value column you’ll find the values for usernames in TrustLogin.
    An image showing which attributes to add.


  8. Click Register.
  9. Add users to the new app.
  10. Now head to How to set up SAML SSO in your Workspace to finish the SAML SSO process in Sketch.

Setting up other IdPs

If you can’t find your IdP in the list above, don’t worry! Here’s the information you’ll need to set up SAML SSO in your IdP.

Note: Your IdP might not require all these data entries to set up SAML SSO.

Audience/EntityID: https://sso.sketch.com

Recipient: https://sso.sketch.com/saml/acs

ACS (Consumer) URL Validator: https://sso.sketch.com/saml/acs (Please note some IdPs require the following format: https://sso.sketch.com/saml/acs)

ACS (Consumer) URL: https://sso.sketch.com/saml/acs

You’ll also need to make sure you have the following SAML attributes created: first_name, surname, and email.

You’ll need to include these attributes in the SAML assertions and map them to the relevant information in the IdP.

How to set up SAML SSO in your Workspace

  1. Sign in to your Workspace as an admin.
  2. Head to Workspace Settings.
    An image showing the Workspace settings window


  3. Click on the Single Sign-On tab.
    An image showing the SSO tab


  4. Click Choose a short name and enter a unique name — it should have fewer than 16 characters and can only include letters, numbers or hyphens.
    An image showing the button to add a short name


    An image showing where to type the teams name


  5. Click Apply.
  6. Click Browse File and select the metadata .XML file that you downloaded from your IdP before.
    An image showing how to upload the xml file


  7. Log out.
  8. Click Sign in with SSO.
    An image showing the sign with SSO button in the Mac app login window


  9. In the name text field, type the same name you chose in step 4 and click Continue.
    An image showing where to type the name chosen in step four


  10. Sign in to your IdP.
  11. Enjoy Sketch! 🎉

Supported Basic Attributes

Note: email and at least one of first_name / surname are required.

These are the Supported Basic Attributes:

  • Variable name: first_name, surname, email
  • External name: first_name, surname, email
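
A pre-flight check for the values listed under "Setting up other IdPs" and the required-attribute rule above, as an added example (not Sketch's code): it inspects a decoded assertion captured from your own IdP test login and reports a wrong Audience or Recipient, stray whitespace, a missing NameID and missing attributes. The function name and sample assertion are constructed for illustration, and the check does not verify signatures.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
AUDIENCE = "https://sso.sketch.com"             # Audience/EntityID from this page
RECIPIENT = "https://sso.sketch.com/saml/acs"   # Recipient / ACS URL from this page

# Constructed sample (unsigned); its Recipient carries a trailing space on purpose.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID>a1b2c3d4-constructed</saml:NameID>
    <saml:SubjectConfirmation>
      <saml:SubjectConfirmationData Recipient="https://sso.sketch.com/saml/acs "/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>https://sso.sketch.com</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>ana@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="surname"><saml:AttributeValue>Silva</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def check_assertion(xml_text):
    """Return a list of configuration problems found in a decoded assertion."""
    root = ET.fromstring(xml_text)  # only feed this assertions from your own IdP
    problems = []

    def expect(label, got, want):
        if got is None:
            problems.append(f"{label}: missing")
        elif got != got.strip():
            problems.append(f"{label}: leading/trailing whitespace in {got!r}")
        elif got != want:
            problems.append(f"{label}: expected {want!r}, got {got!r}")

    expect("Audience", root.findtext(".//saml:Audience", namespaces=NS), AUDIENCE)
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    expect("Recipient", None if scd is None else scd.get("Recipient"), RECIPIENT)
    if not root.findtext(".//saml:NameID", default="", namespaces=NS).strip():
        problems.append("NameID: missing or empty")

    # Attribute names are the ones this page requires: email, first_name, surname.
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", default="", namespaces=NS).strip()
             for a in root.iterfind(".//saml:Attribute", NS)}
    if not attrs.get("email"):
        problems.append("attribute email: required")
    if not (attrs.get("first_name") or attrs.get("surname")):
        problems.append("attribute first_name/surname: at least one required")
    return problems
```

An empty list means the assertion matches the values on this page; for the sample as written, the only finding is the trailing space in Recipient.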

Technical Requirements

In order to use SSO you’ll need macOS 10.15 or later and Sketch 70.2 or later.

IdP Initialised SSO

For security reasons, we don’t allow IdP initiated SSO. Users will need to begin the login process from Sketch.

Change your name/email address in your SSO Workspace

If a user wants to change their name or email address, you’ll need to do so in your IdP.

Inviting others in the SSO Workspace

You can’t invite other users to an SSO Workspace. To access the Workspace, they’ll need to have the Workspace’s short name and use it to log in. If they don’t have an account in the organization’s IdP, they’ll need to speak to their IT department.

Last updated on 05 May 2021
