Last updated December 18, 2024

Set up SSO authentication with SAML and PingIdentity

Expands upon our general SAML setup guide to configure and enable SSO authentication in your Sanity instance using the SAML protocol and PingIdentity (Cloud) as an identity provider (IdP).

During the setup and configuration process, it's a good idea to keep two windows side by side:

  • One with Sanity Manage.
  • The other with the configuration settings of the IdP; PingIdentity (Cloud).

Getting ready

Go to the service configuration (Sanity)

Go to Sanity Manage and select the organization you want to enable SSO for.

To navigate to the service provider configuration inside Sanity Manage:

  1. In the organization you intend to add SSO to, go to Settings → SAML SSO.
  2. If no SAML SSO provider exists, click Open SAML SSO configuration and proceed to create and configure a SAML SSO provider.
  3. Optional: Download Sanity's SSO details as XML (This will make configuring Ping easier)
  4. Disable InResponseTo setting in Sanity
  5. Optional: Enable auto update roles on login. This will update the user's role each time they sign in with SAML.

Go to the service configuration in PingIdentity

  1. In PingIdentity add an app.
  2. Select SAML and "Configure"
  3. Select import metadata and attach the XML from earlier or manually enter in Sanity's configuration details from the Sanity Manage page. Here are the mappings:
    1. ACS URLs -> Sanity callback URL
    2. Entity ID -> Sanity entity ID

Configuring Ping Identity

Configure Attribute Mapping

You will need to configure the attributes sent to Sanity from Ping Identity. Several are required, including email, firstName, and lastName. These can be found within the SSO settings from the Getting Ready step.

Gotcha

Attribute names are case sensitive; if they are not entered exactly, the login fails with a 422 error.

Configure Groups

Enterprise customers can map user identity provider roles to service provider roles. For example, users with a Ping Identity example-admin-user-role role are mapped to the Sanity viewer role when they log in.

  • To support the mapping functionality, you must configure the identity provider to send the groups of the user.
  • Edit/enable role mapping in Sanity.
  • In Ping Identity, go to the 'Access' tab and click edit.
  • Select the groups you wish to send to Sanity and click save.
  • You will need to ensure these groups are also added to your Attributes within Ping. Ensure that the attribute name is set to `groups`.

Update Configuration within Sanity

Now that you have set up everything in Ping, you can upload your certificate and update the configuration on the Sanity side.

  1. Download the configuration and certificate from Ping and upload them directly, or enter the configuration manually using these mappings:
    1. Identity Provider Single Sign-On URL -> Single Signon Service
    2. Identity Provider issuer -> Issuer ID

Save

Ensure you save all changes inside both Sanity Manage and Ping Identity.

Common Errors

  • Receiving a 422 error: {"statusCode":422,"error":"Unprocessable Entity","message":"child \"attributes\" fails because [\"value\" must contain at least one of ...
    • There is an issue with your claims. All claims are case sensitive and are required.
  • Groups are not being role mapped properly
    • Ensure you are sending the groups attribute and that it is mapped to Group Names in your Ping configuration. The attribute name must be lower case, exactly `groups`.
  • When I access Sanity from my IdP dashboard, I receive:
    { "id": "3431pXO", "displayName": "Sanity Support", "email": "sanity@sanity.io", "familyName": "Sanity Support", "givenName": "Sanity", "middleName": null, "imageUrl": null, "provider": "saml-f6a94", "tosAcceptedAt": "2024-11-20T18:51:57.264Z", "createdAt": "2024-11-20T18:51:57.264Z", "updatedAt": "2024-11-20T18:51:57.535Z", "isCurrentUser": true, "providerId": "49jc94jf949930304jkojfciojlj934003490943" }
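For the Gotcha and the 422 error above, a quick way to check what the IdP is actually sending before going back into the Ping settings. This is an added example, not Sanity's or Ping's code: it parses the AttributeStatement of a SAML assertion and reports attribute names that are missing, empty, or differ in case from the names this guide requires. The sample assertion is constructed, and the script does not verify the assertion's signature; it only inspects attribute names and values.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
REQUIRED_ATTRIBUTES = ("email", "firstName", "lastName")  # from this guide
GROUPS_ATTRIBUTE = "groups"  # must be exactly lower case for role mapping

# Constructed sample assertion: two attribute names are in the wrong case,
# which is exactly the kind of mistake that surfaces as a 422 at Sanity.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>user@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="FirstName"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Groups"><saml:AttributeValue>example-admin-user-role</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_attributes(assertion_xml):
    """Return {attribute name: [values]} from every AttributeStatement in the assertion."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        values = [v.text or "" for v in attr.iter(f"{{{SAML_NS}}}AttributeValue")]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def check_attributes(attrs, expect_groups=False):
    """List problems using exact, case-sensitive matching, as the service provider does."""
    expected = list(REQUIRED_ATTRIBUTES) + ([GROUPS_ATTRIBUTE] if expect_groups else [])
    by_lower = {name.lower(): name for name in attrs}  # only used to explain a near miss
    problems = []
    for want in expected:
        if want in attrs:
            if any(attrs[want]):
                continue
            problems.append(f"'{want}' present but has no value")
        elif want.lower() in by_lower:
            problems.append(f"'{want}' sent as '{by_lower[want.lower()]}' (case mismatch)")
        else:
            problems.append(f"'{want}' missing")
    return problems


if __name__ == "__main__":
    for problem in check_attributes(extract_attributes(SAMPLE_ASSERTION), expect_groups=True):
        print(problem)
```

To check a real login, decode the SAMLResponse from the browser's POST to the callback URL and pass the decoded XML to `extract_attributes` instead of the sample.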
