
Setting up SAML SSO

Here’s a quick guide on how to set up SAML SSO both in your Identity Provider (IdP) and in your Workspace.

Before starting this process, make sure SSO is enabled in Sketch — check there’s an SSO tab in your Workspace Admin panel.

These are the steps you’ll need to follow to set up SAML SSO:

  1. Set up SAML SSO in your Workspace: first, you’ll need to go to your Workspace Settings, where we’ll give you the setup values you’ll need to configure your IdP.
  2. Once you have the values, you’ll need to set up SAML SSO in your IdP — you’ll find the instructions to do so for different IdP providers below.
  3. Lastly, you’ll need to finish setting up SAML SSO in your Workspace.

How to set up SAML SSO in your Workspace

  1. Sign in to your Workspace as an Admin.
  2. Head to the People & Settings tab in the sidebar.
    An image showing the Workspace settings window
  3. Click on the Single Sign-On tab.
  4. Click Choose a short name.
    An image showing the button to add a short name
  5. Enter a unique name — it must be fewer than 16 characters and can only include letters, numbers or hyphens. You can edit this name later on.
    An image showing where to type the teams name
  6. Click Submit.
  7. Click on the first tab Set Up Identity Provider. In this tab, you’ll find the unique Workspace values you’ll need to set up your IdP:
    • EntityID
    • ACS URL
    • Other metadata we support
    An image showing the identity provider tab
  8. Make sure to keep these values at hand! You’ll need them to set up your SAML file in your identity provider. Click Copy next to each value to copy it to your clipboard.

  9. Head to your IdP and configure an application with SAML SSO. Once you are done and have the XML file ready, head to How to finish setting up SAML SSO in your Workspace.

Identity Providers setup

For any IdP, listed below or otherwise, the NameID attribute needs to be a static, persistent value that does not change between user sessions. This is the value Sketch uses to identify the user, so a NameID that changes from one session to the next would make the same person look like a new user each time. On hosted IdPs this is usually the case by default. If you are using a self-hosted IdP (e.g. Keycloak), please make sure it is configured this way.

Google Workspaces setup

  1. Log in to your Google Suite Workspace as an Admin.
  2. Head to the Apps section.
    An image showing the apps section in Google Suite
  3. Click on the Add app menu.
    An image showing the add app menu in Google Workspaces
  4. Click on the Add custom SAML app button to add a new SAML application.
    An image showing how to add a new SAML application in Google Suite
  5. Type Sketch in the Application Name field and upload Sketch’s logo. Click Continue when you’re ready.
    An image showing where to type a name for the application
  6. Download the IdP Metadata .XML file (latest option) — you’ll need it to finish setting up SAML SSO in your Workspace. Click Continue.
    An image showing how to add a new SAML application in Google Suite
  7. Use the EntityID and ACS URL values that you got when setting up SAML SSO in your Workspace. Remember these are unique to your Workspace.

    • You’ll need to place the EntityID value in Audience field.
    • Set the ACS URL value in the ACS URL field.

    The rest of the fields should be filled in as follows:

    • Start URL
    • Signed Response: tick the checkbox
    • Name ID: Basic information - Primary Email
    • Name ID Format: UNSPECIFIED

    Note: Make sure that there are no spaces at the end of these fields — otherwise, the SSO process will fail.

    An image showing where to include the service provider details
  8. Click Continue.
  9. Click Add Mapping.
    An image showing how to add a new mapping
  10. Add the following three mappings:
    An image showing three mappings parameters
  11. Click Finish.
  12. Then, click on User access for the SAML app.
    An image showing the user access preferences
  13. Make sure the SAML app is enabled for everyone — or for the users and groups that you want.
    An image showing how to change user access preferences
  14. Head to How to finish setting up SAML SSO in your Workspace to finish the SAML SSO process in Sketch.

Azure Active Directory setup

  1. Log in to Azure as an Admin.
  2. Go to the Azure Active Directory and then click on Enterprise applications.
    An image showing where the Azure Active Directory is in the sidebar
    An image showing where the Enterprise application tab is in the sidebar
  3. Click on New application.
    An image showing the new application button
  4. Click on Create your own application.
    An image showing the create your own application button
  5. Type Sketch to name the app and click Create.
    An image showing where to type Sketch
  6. Select Single sign-on in the left side menu.
    An image showing the single sign on tab
  7. Click SAML.
    An image showing the SAML button
  8. Complete the Basic SAML configuration and User Attributes & Claims with the following information from the configuration page in Sketch:

    • Identifier (Entity ID): [Your Workspace’s Entity ID]
    • Reply URL (Assertion Consumer Service URL): [Your Workspace’s ACS URL]

    Note: Make sure that there are no spaces at the end of these fields — otherwise, the SSO process will fail.

    Note: If you are using Safari, you might have trouble typing in the text field. We’d recommend trying another browser.

  9. Download the Federation Metadata XML in the SAML Signing Certificate section — you’ll need it when setting up SAML SSO in Sketch.
  10. Head to Users and Groups to give access to Sketch to relevant users.
  11. Head to How to finish setting up SAML SSO in your Workspace to finish the SAML SSO process in Sketch.

OneLogin setup

  1. Log in to your OneLogin Admin account.
  2. Head to Administration in the toolbar and go to the Admin panel.
  3. Head to Applications > Applications > Add Apps
    An image showing the applications menu in Onelogin
    An image showing the applications menu in Onelogin
  4. In the search box, type SAML Test Connector (Advanced) and click on the matching search result.
    An image showing where to add the app
  5. Type Sketch in the name field and add a description and Sketch’s logo (optional).
    An image showing where to type Sketch in the name field
  6. Use the EntityID and ACS URL values that you got when setting up SAML SSO in your Workspace. Remember these are unique to your Workspace.

    Place the EntityID value in the Audience (EntityID) field.

    Set the ACS URL value in the following fields:

    • Recipient
    • ACS (Consumer) URL Validator
    • ACS (Consumer) URL

    Note: Make sure that there are no spaces at the end of these fields — otherwise, the SSO process will fail.

  7. Make sure the following fields are filled in as follows:
    An image showing how to fill in the fields in OneLogin
  8. Head to the Parameters page. Click on the + icon and add the following fields. Make sure you check Include in SAML assertion for every field.
    An image showing the SAML parameters in OneLogin

    Here’s what adding a field on the Parameters page looks like:

  9. Click the Save button in the top-right corner.
  10. Head to the More Actions menu in the top right corner and select SAML Metadata to export the XML file — you’ll need it when setting up SAML SSO in Sketch.
    An image showing how to export the metadata file in Onelogin
  11. Now head to How to finish setting up SAML SSO in your Workspace to finish the SAML SSO process in your Workspace.

Okta setup

  1. Log in as an Admin.
  2. Head to the Admin Console by clicking Admin in the upper-right corner.
  3. Go to Applications > Applications.
    An image showing the Applications menu in Okta
  4. Click Add Application.
    An image showing the Add Application button
  5. Click Create New App.
    An image showing the Create New App button
  6. Select SAML 2.0 and click Next.
    An image showing the SAML 2.0 option
  7. Type Sketch as the App name and add Sketch’s logo as the app logo. Click Next.
  8. Use the EntityID and ACS URL values that you got when setting up SAML SSO in your Workspace. Remember these are unique to your Workspace. Complete the fields as follows:
    • Single sign-on URL: [Your Workspace’s ACS URL]
    • Audience URL (SP Entity ID): [Your Workspace’s EntityID]

    Note: Make sure that there are no spaces at the end of these fields — otherwise, the SSO process will fail.

  9. Enter the following attributes:
    An image showing the attribute statements to enter
  10. Click Next.
  11. Complete the form as shown in the image.
    An image showing the form to complete
  12. Click Finish.
  13. Click on the Identity Provider metadata link to get a metadata.XML file — you’ll need it when setting up SAML SSO in Sketch.
    An image showing the Identity Provider metadata link
  14. Head to the Assignments tab and give users or groups access to your Workspace.
    An image showing where the Assignments tab is
    An image showing how to assign users or groups
  15. Now head to How to finish setting up SAML SSO in your Workspace to finish the SAML SSO process in Sketch.

TrustLogin setup (only Chrome)

  1. Log in as an Admin in the TrustLogin Admin portal.
  2. Head to Apps on the left sidebar.
    An image showing the apps section in Trustlogin.
  3. Click on Add own SAML app in the right-side corner.
    An image showing what button to click to add your own SAML app.
  4. Type Sketch as the App name and upload Sketch’s logo as the app logo.
    An image showing where to type Sketch and where to upload the logo.
  5. Click on Download metadata to download the metadata.XML file — you’ll need this file when setting up SAML SSO in Sketch.
    An image showing where the download metadata link is.
  6. Use the EntityID and ACS URL values that you got when setting up SAML SSO in your Workspace. Remember these are unique to your Workspace. Complete the rest of the fields with the following information:
    An image showing the information to complete the configuration.
  7. Click Configure and add the following attributes. In the IdP’s Value column you’ll find the values for usernames in TrustLogin.
    An image showing which attributes to add.
  8. Click Register.
  9. Add users to the new app.
  10. Now head to the How to finish setting up SAML SSO in your Workspace to finish the SAML SSO process in Sketch.

Setting up other IdPs

If you can’t find your IdP in the list above, don’t worry! Here’s the information you’ll need to set up SAML SSO in your IdP.

Note: Your IdP might not require all these data entries to set up SAML SSO.

Audience/EntityID: https://sso.sketch.com

Recipient: https://sso.sketch.com/saml/acs

ACS (Consumer) URL Validator: https://sso.sketch.com/saml/acs (Please note some IdPs require the following format: https://sso.sketch.com/saml/acs)

ACS (Consumer) URL: https://sso.sketch.com/saml/acs

You’ll also need to make sure you have the following SAML attributes created: first_name, surname, and email.

You’ll need to include these attributes in the SAML assertions and map them to the relevant information in the IdP.
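The guide calls out the same handful of things for every IdP: Audience and ACS values that match the Workspace exactly (no trailing spaces), a NameID that stays stable across sessions, and the first_name / surname / email attributes inside the assertion. The following script is an added example, not Sketch's code: it parses a constructed sample assertion with two deliberate defects and reports each one, so you can check an IdP's output before trying to sign in. The hostname idp.example.test and all values in the sample are made up.

```python
"""Pre-flight check of a SAML assertion against the Workspace values.

Added example, not Sketch's own code. It checks the points this guide warns
about: Audience and Recipient must equal the Workspace EntityID and ACS URL
exactly (no surrounding whitespace), the NameID must be present and must not
be a per-session (transient) value, and email plus at least one of
first_name / surname must appear in the AttributeStatement.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample with two deliberate defects: a trailing space in the
# Audience and a transient NameID format. The XML signature is omitted.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2021-08-25T10:00:00Z">
  <saml:Issuer>https://idp.example.test/saml/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_8f3a</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://sso.sketch.com/saml/acs"
          NotOnOrAfter="2021-08-25T10:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2021-08-25T09:59:00Z" NotOnOrAfter="2021-08-25T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sso.sketch.com </saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="first_name"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="email"><saml:AttributeValue>jane@example.test</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

# The same assertion with both defects corrected.
GOOD_ASSERTION = (
    SAMPLE_ASSERTION
    .replace("https://sso.sketch.com </saml:Audience>", "https://sso.sketch.com</saml:Audience>")
    .replace("nameid-format:transient", "nameid-format:persistent")
)


def _exact(label, actual, expected, problems):
    """Report surrounding whitespace separately from a genuine mismatch."""
    if actual is None:
        problems.append(f"{label} missing")
    elif actual != actual.strip():
        problems.append(f"{label} has leading/trailing whitespace: {actual!r}")
    elif actual != expected:
        problems.append(f"{label} mismatch: expected {expected}, got {actual}")


def check_assertion(xml_text, entity_id, acs_url):
    """Return a list of problems; an empty list means the assertion looks right."""
    problems = []
    root = ET.fromstring(xml_text)

    audience = root.findtext(
        ".//saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    _exact("Audience", audience, entity_id, problems)

    scd = root.find(".//saml:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient") if scd is not None else None
    _exact("Recipient", recipient, acs_url, problems)

    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("NameID missing or empty")
    elif name_id.get("Format", "").endswith(":transient"):
        problems.append("NameID format is transient; a value that is stable across sessions is required")

    # Collect attribute values by name, then apply the required-attribute rule.
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    if not any(attrs.get("email", [])):
        problems.append("email attribute missing")
    if not (any(attrs.get("first_name", [])) or any(attrs.get("surname", []))):
        problems.append("at least one of first_name / surname is required")
    return problems


if __name__ == "__main__":
    for label, doc in (("sample", SAMPLE_ASSERTION), ("fixed", GOOD_ASSERTION)):
        found = check_assertion(doc, "https://sso.sketch.com", "https://sso.sketch.com/saml/acs")
        print(label, "->", found or "OK")
```

Run it on an assertion captured from your IdP's test or preview feature: the whitespace finding is reported on its own rather than as a plain mismatch, because a trailing space is the failure mode this guide repeatedly warns about and is invisible in most IdP consoles.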

How to finish setting up SAML SSO in your Workspace

  1. In your Workspace, head to the Set up Sketch tab in the Single Sign-On window.

    You can either upload the XML file directly, or enter the configuration values manually.

  2. Log out.
  3. Click Sign in with SSO
  4. Enjoy Sketch! 🎉

Supported Basic Attributes

Note: email and at least one of first_name / surname are required.

These are the Supported Basic Attributes:

  • Variable name: first_name, surname, email
  • External name: first_name, surname, email

Technical Requirements

In order to use SSO you’ll need macOS 10.15 or later and Sketch 70.2 or later.

IdP-Initiated SSO

For security reasons, we don’t allow IdP-initiated SSO. Users will need to begin the login process from Sketch, so that every response from the IdP answers an authentication request Sketch itself created.

Change your name/email address in your SSO Workspace

If a user wants to change their name or email address, you’ll need to do so in your IdP.

Inviting others in the SSO Workspace

You can’t invite other users to an SSO Workspace. To access the Workspace, they’ll need to have the Workspace’s short name and use it to log in. If they don’t have an account in the organization’s IdP, they’ll need to speak to their IT department.

Last updated on 25 Aug 2021
