Enabling SSO for your organization can be configured via the Spotinst Console. The following article will cover the basics of setting up an SSO for your organization.

Supported Identity Providers

We currently support the following identity providers:

Managing SAML-based single sign-on via spotinst console

In order to manage SSO configurations follow these steps:

  1. Login to your Spotinst account as an administrator: spotinst console
  2. Click on the user-icon and enter “Settings”.


3. Click on the “SECURITY” tab at the top and then select “Identity Providers”


SSO Settings Page



Relay state – The Organization ID –  Used as the Relay State configuration for the identity provider (Used in Idp Initiated SSO)

Provider type – Currently the only supported standard is SAML (Security Assertion Markup Language)

Metadata – Data provided by the identity provider in order to sync our settings properly. For further information head to the documentation for your Identity Provider:

User Default Organization Role – The role which will be given to users that logged in via the Identity Provider (Viewer/Editor)

For further information regarding user roles, check the following link: Spotinst – user roles

User Allowed Accounts – The accounts which the user will have access to (default account/all account)

For further information regarding accounts, check the following link: Organizations and accounts

Organization and Role Selection

When you want to determine different user roles per account, we allow you choosing the organization and role he wants to sign in with when signing in with SSO.

Configure the IDP to create a SAML response with the parameter “OrgAndRole”.
This configuration will generate another screen which will let the user choose an organization and role:



The Organization and Roll combination should be configured for each user, using the following IDP format:

<Attribute Name=”OrgAndRole” NameFormat=”urn:oasis:names:tc:SAML:2.0:attrname-format:basic>

Advanced – Overriding Role and Organization attributes via SAML Attribute

Saml Response Called “OrgAndRole” (ignore case).The parameter allows setting the organization id dynamically on each request and not as a RelayState once. Parameter Value is in the Format: Spotinst-<orgid>-<role>.

This attribute will allow login into different organizations with the same user and the same IDP app, while setting the organization id dynamically.

  • If OrgAndRole exists we override the RelayState and the Role (if Role provided as a different attribute).
  • OrgAndRole attribute and attribute value are case sensitive.
  • If a user logged in through SSO with a Role attribute, the role of that user will be set accordingly, which means that these settings will affect both existing users and new users. i.e – an xml attribute:

<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" 
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">ADMIN

Supported Role attributes:

ADMIN – Equivalent to Account Editor

VIEWER – Account viewer

NO_ACCESS – No access to Spotinst console

Note: In this case, we’re providing an Account Admin role- meaning an account Editor, This is not an Organization Admin.