Rewind integrates with your identity provider (IdP) using SAML 2.0 for single sign-on (SSO). Users authenticate through your IdP, and access is controlled through role-based access control (RBAC), allowing you to define which platforms and accounts each user can access.
Before you begin
Before starting, confirm the following:
- You have access to the necessary permissions and roles within your IdP to complete the setup.
- Your IdP supports SAML 2.0.
- You are an Organization Admin or Owner in Rewind.
- You have reviewed the following article: Overview: SAML single sign-on (SSO) for app.rewind.com
Step 1: Add the role attribute to your IdP
When users sign in with SSO, Rewind relies on a role value sent by your IdP to determine which platforms and accounts they can access within Rewind. You will need to create a custom attribute in your IdP using the following guidelines:
- Attribute name: rewind_role
- Type: String
- Value format: Single role or comma-separated roles (e.g., platform:jira:admin,platform:github:read_only)
Refer to your IdP documentation for creating custom attributes and mapping them to SAML assertions.
Step 2: Create the SAML application
In your IdP's admin console, create a new SAML 2.0 application for Rewind using the following SAML configuration values:
| Field | Value |
|---|---|
| ACS URL (Assertion Consumer Service URL, Reply URL) | https://auth.rewind.com/saml2/idpresponse |
| Entity ID (Identifier, Audience URI) | urn:amazon:cognito:sp:us-east-1_LS66eQhGR |
Configure your IdP to send these attributes in the SAML assertion. Use these attribute names:
| Your IdP's User Field | Attribute Name |
|---|---|
| Email / User Email | email |
| First Name / Given Name | firstName |
| Last Name / Surname / Family Name | lastName |
| Custom role attribute | rewind_role |
Important: Attribute names are case-sensitive. Use firstName and lastName, not firstname or FirstName.
Before moving on to the next step, take a screenshot of your attribute mappings—you'll send this to Rewind.
Refer to your IdP documentation for creating a SAML 2.0 application and configuring service provider settings.
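Because attribute names are matched case-sensitively, a mapping that sends firstname instead of firstName fails silently at the mapping stage. The following added example (not Rewind's code) parses a constructed SAML assertion fragment and reports any required attribute that is missing or sent with the wrong case, so you can check your IdP's assertion (for example, from a SAML tracer browser extension) before emailing the screenshot to Rewind. The assertion content and the user values in it are constructed placeholders.

```python
# Added example: check a SAML assertion's AttributeStatement for the
# attribute names Rewind expects (email, firstName, lastName, rewind_role),
# matched with exact case. Not part of Rewind's documentation or code.
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED_ATTRIBUTES = ("email", "firstName", "lastName", "rewind_role")

# Constructed sample: a minimal assertion fragment in which the IdP admin
# mapped "firstname" (lower-case n) by mistake. Values are placeholders.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="email">
      <saml:AttributeValue>jane@yourcompany.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="firstname">
      <saml:AttributeValue>Jane</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="lastName">
      <saml:AttributeValue>Doe</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="rewind_role">
      <saml:AttributeValue>platform:jira:admin</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_attributes(assertion_xml):
    """Return {attribute name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attributes = {}
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        values = [(v.text or "").strip()
                  for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        attributes[attr.get("Name")] = values
    return attributes


def check_attribute_names(attributes):
    """Return a list of problems; an empty list means every required name is
    present with exactly the case Rewind expects."""
    problems = []
    # Map lower-cased names back to what the IdP actually sent, so a
    # case mismatch can be reported distinctly from a missing attribute.
    sent_by_lowercase = {name.lower(): name for name in attributes}
    for required in REQUIRED_ATTRIBUTES:
        if required in attributes:
            continue
        sent = sent_by_lowercase.get(required.lower())
        if sent is not None:
            problems.append(
                f"attribute '{sent}' has wrong case; Rewind expects '{required}'")
        else:
            problems.append(f"missing attribute '{required}'")
    return problems


if __name__ == "__main__":
    found = extract_attributes(SAMPLE_ASSERTION)
    for problem in check_attribute_names(found):
        print("PROBLEM:", problem)
```

Paste the AttributeStatement from your own IdP's test assertion in place of the constructed sample; an empty problem list means the names match the table above.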
Step 3: Submit your configuration to Rewind
Email the following information to help@rewind.com:
- The Metadata URL (the URL will look similar to: https://yourorg.okta.com/app/abc123/sso/saml/metadata)
- A screenshot of your attribute mappings
- The email domain(s) you want enabled for SSO (for example, yourcompany.com)
- Confirmation that new SSO users should automatically receive organization access. For example: "Yes, I confirm that new SSO users in my IdP should automatically receive organization access to app.rewind.com."
- Your Support PIN from Account Settings > Security (app.rewind.com/settings/edit/security)
Rewind Support will complete the configuration within a few business days.
After Rewind enables SSO
Once Rewind confirms SSO has been enabled for your organization, complete the steps below to assign users to the Rewind SAML application and test your setup.
Step 4: Assign roles to users
Each Rewind user must have a value assigned to the rewind_role attribute in your IdP. Rewind uses the role value sent by your IdP to determine which platforms and accounts that user can access.
Roles follow this format: <scope>:<identifier>:<access_level>
| Role | Description |
|---|---|
| organization:admin | Full access to the entire Rewind organization. Example: |
| platform:<platform>:admin | Admin access to all accounts of a specific platform. Example: |
| platform:<platform>:read_only | Read-only access to all accounts of a specific platform. Example: |
| account:<account_guid>:admin | Admin access to a specific account. Example: |
| account:<account_guid>:read_only | Read-only access to a specific account. Example: |
Note: For multiple roles, separate with commas, no spaces: platform:jira:admin,platform:github:read_only
Supported platform values for <platform> include: jira, confluence, bitbucket, monday, azuredevops, klaviyo, mailchimp, miro, okta, entra, github, quickbooks, bigcommerce, shopify, trello
Further guidance:
- For a breakdown of the permissions granted to each role type in Rewind, see Guide to user roles and permissions in Rewind (role-based access control).
- For details on role conflicts, or for a further overview, see the following section in our overview article: Configuring user access with the rewind_role attribute.
- If you want to limit access to specific accounts, contact us at help@rewind.com — we’ll provide the GUID for each account you want to reference.
Refer to your IdP documentation for assigning attribute values to users.
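A malformed rewind_role value (a stray space after a comma, an unsupported platform name, or a misspelled access level) is easy to introduce when assigning attributes by hand or through an IdP provisioning script. The following added example (not Rewind's code) validates a rewind_role attribute value against the format described in this step: the <scope>:<identifier>:<access_level> shape, the organization:admin special case, the supported platform list above, and the no-spaces rule for comma-separated roles. The check on <account_guid> is an assumption (non-empty, no whitespace); Rewind supplies the real GUIDs on request.

```python
# Added example: validate a rewind_role attribute value before pushing it
# to the IdP. Not part of Rewind's documentation or code.

# Platform values listed in Step 4 of the article.
SUPPORTED_PLATFORMS = {
    "jira", "confluence", "bitbucket", "monday", "azuredevops", "klaviyo",
    "mailchimp", "miro", "okta", "entra", "github", "quickbooks",
    "bigcommerce", "shopify", "trello",
}
ACCESS_LEVELS = {"admin", "read_only"}


def parse_role(role):
    """Parse one role into (scope, identifier, access_level).
    Raises ValueError with a reason if the role does not match the format."""
    parts = role.split(":")
    if parts == ["organization", "admin"]:
        # organization:admin has no identifier segment.
        return ("organization", None, "admin")
    if len(parts) != 3 or any(p == "" for p in parts):
        raise ValueError(f"'{role}' is not <scope>:<identifier>:<access_level>")
    scope, identifier, level = parts
    if level not in ACCESS_LEVELS:
        raise ValueError(f"'{role}': access level must be admin or read_only")
    if scope == "platform":
        if identifier not in SUPPORTED_PLATFORMS:
            raise ValueError(f"'{role}': unsupported platform '{identifier}'")
    elif scope == "account":
        # Assumption: account GUIDs come from Rewind Support; we only reject
        # whitespace here rather than enforcing a specific GUID format.
        if any(ch.isspace() for ch in identifier):
            raise ValueError(f"'{role}': account GUID must not contain spaces")
    else:
        raise ValueError(f"'{role}': scope must be organization, platform or account")
    return (scope, identifier, level)


def validate_rewind_role(value):
    """Validate a full attribute value. Returns (roles, errors); roles is the
    list of parsed tuples and errors is empty when the value is acceptable."""
    errors = []
    if " " in value or value != value.strip():
        errors.append("value must not contain spaces (separate roles with commas only)")
    roles = []
    for raw in value.split(","):
        try:
            roles.append(parse_role(raw.strip()))
        except ValueError as exc:
            errors.append(str(exc))
    return roles, errors


if __name__ == "__main__":
    # Constructed sample values, as they might be entered in an IdP.
    for sample in ("platform:jira:admin,platform:github:read_only",
                   "platform:jira:admin, platform:github:read_only",
                   "platform:slack:admin",
                   "organization:admin"):
        parsed, problems = validate_rewind_role(sample)
        print(sample, "->", "OK" if not problems else problems)
```

Run it against each value you intend to assign; the second sample shows the space-after-comma mistake the note above warns about, and the third an unsupported platform name.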
Step 5: Assign users
Assign access to the users or groups who should sign in using SSO. Only users assigned to the Rewind SAML application will be able to authenticate and access your Rewind organization.
Refer to your IdP documentation for assigning applications to users or groups.
Step 6: Test your configuration
Before rolling out SSO to all users:
- Open an incognito/private browser window.
- Go to https://app.rewind.com.
- Click Sign in with SSO instead.
- Enter an email address from your SSO domain.
- Authenticate with your identity provider when redirected.
- Verify you land in the Rewind dashboard.
Success indicators:
- Your name appears in the top right of the Rewind dashboard.
- You see only the accounts your role permits.
What happens next?
After SSO is fully configured and enabled, users can begin signing in to Rewind using their company credentials. Here’s what to expect going forward.
- Users sign in from https://app.rewind.com by clicking Sign in with SSO instead, entering their company email address, and authenticating via your configured identity provider.
- On their first SSO sign-in, users whose email address already exists in Rewind will be prompted to verify their Rewind password. This verification step only happens once.
- Rewind supports service provider (SP)–initiated authentication only. Users cannot sign in by clicking the Rewind application or tile in the IdP dashboard. All sign-ins must start from app.rewind.com.
- For faster access, users can bookmark a direct login URL: https://app.rewind.com/auth/cognito?domain={your-domain}
  Replace {your-domain} with your organization’s email domain (for example, yourcompany.com).
- If you have additional questions about how SSO works in Rewind, see our SSO overview article here.
Need help?
If you have questions or need assistance, contact help@rewind.com, or submit a request. We’re here to help!