Details

In the Details tab, you'll see all the general information about your organization. This includes:

• Organization Name - The name given to the organization.
• Organization Owner - The email of the Organization Owner.
• Creation Date - When the organization was created.
• Expiration Date - When the organization’s contract will expire.
• Active Members - The number of active members in your organization, and how many you can still invite. Pending members aren’t shown here, but they do count toward the overall limit. You can remove the pending users to make more room if needed.
• Used Items - The amount of used items in your organization and how many more you can upload, create or generate. Deleted items still count toward this limit.

Security

In the Security tab, you can enable or disable the Single sign-on (SSO), which allows users to access multiple corporate applications, websites, and data for which they have permission with a single set of login credentials.

SuperAnnotate supports SAML 2.0 and OIDC single sign-on with the following identity providers: Azure AD, Okta, Ping Identity, and more.

This feature is available for Enterprise users.

📘

Please note that only organization owners have permission to set up SSO for your organization, and that SuperAnnotate supports only SP initiated single sign-on.

You can enable single-sign on (SSO) for your organization from the Security tab in Organization Settings. In the SSO form, under SSO Protocol, you can select SAML 2.0 or OIDC to configure it accordingly.

Enable SAML single sign-on (SSO)

If your identity provider is Azure, check out Azure's documentation to find more details on how to create an Azure SSO integration with SuperAnnotate.

Step 1: Configure SAML in your identity provider

1. Log in to your identity provider account and navigate to your applications.
2. Create a new application for SuperAnnotate.
3. Enter the information below in the corresponding fields for the SuperAnnotate application in your identity provider. You can find the valid values on the SSO setup page in SuperAnnotate.
   1. Identifier (SP Entity ID or Audience URI)
   2. Reply URL (Assertion Consumer Service URL or Single Sign On URL)
4. In the Sign on URL textbox, type the following URL: https://auth.superannotate.com/login (optional)
5. Additionally, you can download the SuperAnnotate logo from this link and upload it.

Step 2: Add attributes in your identity provider

These are the attributes required by SuperAnnotate, as listed in the security section of your organization settings. Copy the values corresponding to each attribute below and add them to your identity provider:

• First name / Given name
  Given name attribute

  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname

• Last name / Surname
  Surname attribute

  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname

• Email address
  Email address attribute

  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

🚧

The users won’t be able to sign in if one of the attributes is missing.

Step 3: Assign a user to SuperAnnotate

Assign a user to SuperAnnotate in your identity provider. This allows you to complete the SAML setup process and test the application.

Step 4: Configure SAML SSO in SuperAnnotate

To complete the SAML SSO setup, you need to provide the metadata information from the application in your identity provider in the SSO setup page in SuperAnnotate by choosing one of the following options:

• Option 1: Enter the metadata URL
• Option 2: Upload metadata XML

Step 5: Enable single sign-on (SSO)

When you’re done, click Enable.

Enable OIDC SSO

Step 1: Configure OIDC in your identity provider

To enable OIDC SSO, configure your identity provider (IdP) using the values provided by SuperAnnotate.

1. Log in to your identity provider account and navigate to your applications.
2. Create a new application for SuperAnnotate.
3. Enter the copied Redirect URI in the corresponding field for the SuperAnnotate application in your identity provider

Step 2: Add attributes in your identity provider

SuperAnnotate requires the following OpenID Connect attributes from your identity provider. If the attribute names are different, then please copy the corresponding values to each attribute from your identity provider and enter them in the fields below:

• Email address / email
• First name / given_name
• Surname / family_name

If the attribute names are the same as in the fields, leave them unchanged.

Step 3: Assign a user to SuperAnnotate

Assign a user to SuperAnnotate in your identity provider. This allows you to complete the OIDC setup process and test the application.

Step 4: Configure OIDC SSO in SuperAnnotate

Please enter the information for the following fields in the SSO setup page in SuperAnnotate from the application in your identity provider:

• Client ID - the unique client ID for the application from your IdP.
• Client secret - the client secret generated in your IdP for the application.

Under Configuration method, you must enter the Issuer URL to automatically retrieve all required endpoints.

🚧

Incorrect values

Please be sure that the client ID and secret are correct. If they aren’t, the authentication will fail on the IdP’s side and users will encounter an error during login.

Step 5: Enable single sign-on (SSO)

When you’re done, click Enable.

Enforcing or Disabling SSO login requirements

🚧

Enforcing the SSO login requirement

• Users invited to an Organization that enforces SSO login must sign up or sign in using that Organization’s identifier. When logging in this way with an Organization’s identifier, users will only be able to access:
  • the SSO-enforced organization
  • any other organizations that do not require SSO
• Users that are already signed in will remain so, but they’ll lose access to the SSO-enforced organization if they’ve logged in with anything other than SSO.
• To accept the invitation from an SSO-enforced organization and regain access to it, a signed-in user should sign out, then follow the invitation link using the SSO-enforced organization’s identifier. Otherwise, the user will receive an error when following the invitation and won’t be able to access this organization.
• If a user is invited to an SSO-enforced organization, they still can sign up using any method and will be successfully registered. However, they’ll remain a pending user in that organization and won’t have access to it until they sign out, follow the invitation link again, and sign up again using the organization’s identifier.
• When SSO is required, SDK tokens under the Organization aren’t affected. SDK calls are still made on behalf of the Team Owner or Organization Owner.

🚧

Disabling the SSO login requirement

• Existing users within the Organization that are currently logged in will be able to continue using the platform until they log out or the session expires.
• Once a user logs out, they’ll be able to use any login method available to them (including SSO). This way, they’ll be able to access any Organization that doesn’t enforce SSO login.

Sign in / Sign up with SSO

After the SSO is enabled for your company, your organization members that are newly invited to SuperAnnotate should take the following steps:

1. Check their inbox and follow the SuperAnnotate invitation link.
2. Select Sign up with SSO.
3. Enter your company identifier.
4. Click Sign up.

Members that have already signed up will stay signed in after the SSO is enabled. To sign in, they’ll have to click Sign in with SSO and use your company’s identifier.

If a user is trying to log in using the Sign in with SSO option, and the required attributes information isn't configured in their identity provider, they'll receive the following error message:Oh no! The response from your identity provider (IdP) is missing some required attributes. Please contact your IT department or an Organization Admin.