Installation

You can setup this integration as a logged in admin user in the integrations page:
Document Image

Identity Providers

Rootly is compatible with any identity provider supporting SAML 2.0. Depending on the identity provider, you might be asked for the following information during your setup process: ACS URL: https://rootly.com/users/saml/auth
Entity ID: https://rootly.com/users/saml/metadata

Okta

Let’s go to the Applications panel.
Document Image
Search for Rootly.
Document Image
Click on Add.
Document Image
Select SAML 2.0. Now our app is created let’s go back in Applications > Rootly and click View Setup Instructions:
Document Image
Finally copy the fields as shown below into Rootly, this information from Okta is unique to your organization.
Document Image
You are all set!

Google

You will need to access the Google Admin Console: https://admin.google.com/ac/home. Follow screenshot steps as below:
Document Image
Document Image
Document Image
Document Image
Document Image
Make sure Signed Response is checked and the app ON for everyone is checked in your org unit.
Document Image
And finally let’s edit the attributes mapping.
Document Image
Let’s switch to Rootly. You can get the identity login url by clicking on the TEST SAML LOGIN button.
Document Image
Document Image

OneLogin

Browse the Applications Store page and install Rootly.
Document Image
Copy fields over Rootly like shown below
  • Issuer URL -> Identity Provider ID
  • SAML 2.0 endpoint -> Identity Login Url
  • In the certificate section > View Details > X.509 Certificate -> Idp Cert
Document Image
You are all set!

Auth0

Docs: https://marketplace.auth0.com/integrations/rootly-sso-integration

Azure

Install SSO integration through the Azure marketplace

Rippling

Integrate Rippling SSO + SCIM in one click https://www.rippling.com/app-shop/app/rootly
Document Image

Keycloak

Keycloak is an open-source identity and access management solution. Follow these steps to configure SAML SSO with Rootly.

Prerequisites

  • Access to Keycloak admin console
  • Keycloak realm set up (can use default master realm for testing)
  • User account in Keycloak with email attribute configured

Step 1: Create SAML Client in Keycloak

  1. Navigate to Clients in the Keycloak admin console
  2. Click Create Client
  3. Select SAML as the client type
  4. Set Client ID to: https://rootly.com/users/saml/metadata
  5. Click Next and Save

Step 2: Configure Client Settings

Navigate to your client’s Settings tab and configure: Access Settings:
  • Root URL: https://rootly.com/users/saml
  • Home URL: https://rootly.com/users/saml
  • Valid redirect URIs:
    • https://rootly.com/*
    • https://rootly.com/users/saml/auth
  • Master SAML Processing URL: https://rootly.com/users/saml/auth
SAML Capabilities:
  • Name ID format: email
  • Force POST binding: On
  • Include AuthnStatement: On
Signature and Encryption:
  • Sign documents: On
  • Sign assertions: On
  • Signature algorithm: RSA_SHA256
  • SAML signature key name: KEY_ID
  • Canonicalization method: EXCLUSIVE

Step 3: Configure Keys

Navigate to the Keys tab:
  • Client signature required: Off
  • Encrypt assertions: Off

Step 4: Configure Name ID Mapper

  1. Go to Client scopesDedicated scopesMappers
  2. Create or edit the Email mapper:
    • Mapper type: User Attribute Mapper For NameID
    • Name: Email
    • Name ID Format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
    • User Attribute: email

Step 5: Configure User Email

Ensure your test user has an email address set:
  1. Navigate to Users → Select your user
  2. Go to Details tab
  3. Set Email field (e.g., user@company.com)
  4. Set Email verified: Yes

Step 6: Get Keycloak Configuration

Collect the following information from Keycloak:
  1. Identity Provider ID: https://your-keycloak-host/realms/your-realm
  2. Identity Login URL: https://your-keycloak-host/realms/your-realm/protocol/saml
  3. Certificate:
    • Go to Realm SettingsKeysRS256Certificate
    • Copy the certificate and format with proper PEM headers:
    -----BEGIN CERTIFICATE-----
    [certificate content]
    -----END CERTIFICATE-----
    

Step 7: Configure Rootly

In your Rootly SSO integration modal, set:
Rootly FieldKeycloak Value
Identity Provider Idhttps://your-keycloak-host/realms/your-realm
Identity Login Urlhttps://your-keycloak-host/realms/your-realm/protocol/saml
Identity Logout UrlLeave blank or set logout URL
Idp CertPEM-formatted certificate from Keycloak
Domain NameYour domain (e.g. company.com)

Jumpcloud

Let’s begin by navigating to the SSO Applications page from the left navigation.
Document Image
Search for and install the Rootly application.
Document Image
Once installed, select the Rootly application to enter edit mode and navigate to the SSO tab. Update the IdP Entity ID from JumpCloud to JumpCloud-<BusinessName>.
Document Image
Download your IDP Certificate. It should download as a .pem file.
Document Image
Navigate to your Rootly SSO Integration modal and fill in the following fields with the corresponding values from JumpCloud.
Document Image
Rootly FieldJumpCloud Field
Identity Provider IdIdP Entity ID
Identity Login UrlIDP URL
Identity Logout UrlLeave blank or choose any page you’d want to navigate your user to when they log out.
Idp CertOpen the certificate you downloaded in the previous step with a text editor of your choice. Copy and paste the text content.
Domain NameYour domain (e.g. mycompany.com)
Go ahead Enable and Save your SSO setup in Rootly.
Document Image
You’re now SSO enabled! If you want to set up Just-In-Time (JIT) provisioning, navigate to the Identity Management tab in edit mode and set the following fields according to the mappings below.
Document Image
  • API Type: SCIM API
  • SCIM Version: SCIM 2.0
  • Base URL: https://rootly.com/scim
  • Token Key: Pick this value up from your SSO Configuration screen in in Rootly
Document Image
  • Test User Email: You can use your own email as long as the email domain matches the one set in your Rootly SSO configuration page.
Go ahead and select Test Connection. You should see a successful message once a connection is confirmed. If you’d like to provision users by JumpCloud Groups, go ahead and select the following option.This will allow you to provision the users in each JumpCloud Group with a specific Rootly Role.
Document Image
Navigate to your Rootly SSO Integrations modal and map the desired JumpCloud Group to the desired Rootly Role.
Document Image
Go ahead and Save your configuration. You’re all set for JIT user provisioning!

Login Behaviour

If you have SSO enabled, all other login methods such as Google, Slack, Email/Password will automatically redirect users to the SSO method instead.

Misconfiguration

If you set up SSO incorrectly, you may not be able to sign in anymore. In that case please contact support@rootly.com or use the lower right chat widget for live assistance.

Support

If you need help or more information about this integration, please contact support@rootly.com or use the lower right chat widget to get connected with an engineer.