Overview
Be My Eyes offers secure, enterprise-grade Single Sign-On (SSO) using SAML 2.0. SSO allows your team to log in to Be My Eyes using your company's existing authentication portal (such as Okta, Azure AD, Auth0, or Ping), making access easier and more secure.
Note: SAML SSO is available exclusively with the Be My Eyes Enterprise plan. To enable this feature, please contact our sales team.
Who Can Use SAML SSO?
SAML SSO is for enterprise organizations that have SAML enabled with Be My Eyes. It is not limited to one client: agents, administrators, and managers typically use the web app at https://app.bemyeyes.com/, and blind and low vision members of the same organization can sign in with SAML through the Be My Eyes desktop app (macOS and Windows) and the Be My Eyes mobile apps (iOS and Android), provided their accounts are provisioned for your enterprise IdP like those of other members.
Everyone who uses SAML must be a user in your Be My Eyes organization, and their email address must match the domain (and membership) your IT team configured with your identity provider.
Benefits of SSO
- One-click login using your company credentials
- Centralized user management
- Enhanced security and compliance
How SAML SSO Works
- Your organization's IT team configures Be My Eyes as a trusted application in your Identity Provider (IdP).
- When users log in, Be My Eyes redirects them to your company's login portal; alternatively, they can start from your company's portal and open Be My Eyes from there.
- After successful authentication, users are automatically signed in to Be My Eyes.
Be My Eyes supports both SAML service provider-initiated and identity provider-initiated authentication flows. For instance:
- Service Provider-Initiated Flow: When a user signs in directly to Be My Eyes, we use the domain of the user's email address to look up the matching SAML configuration and redirect them to that identity provider. For example, if joe@examplecorp.com tries to log in and a configuration exists for examplecorp.com, they are redirected to ExampleCorp's IdP portal. After successful authentication, the IdP returns the user to Be My Eyes, which grants access.
- Identity Provider-Initiated Flow: Alternatively, users can reach Be My Eyes from your company's portal. The user authenticates at your identity provider with their corporate credentials and selects Be My Eyes from the portal; the IdP then sends a SAML Response directly to the Be My Eyes ACS URL, and Be My Eyes grants the user a session. Because no request from Be My Eyes precedes this response, the assertion is accepted on the strength of its signature and the audience and recipient values it carries, so the IdP certificate, SP Entity ID, and ACS URL configured in the steps below must match exactly.
Step-by-Step Setup Instructions
1. Log in as an Admin
- Go to https://app.bemyeyes.com/ and sign in with your admin account.
2. Open SAML SSO Settings
- Click your profile icon in the top-right corner.
- Select Account Settings from the menu.
- Click Configure SAML SSO.
3. Create a SAML Configuration
- Click Add SAML Configuration.
- Enter a unique name for your configuration (e.g., examplecorp).
4. Copy Be My Eyes SAML Details
After creating your configuration, you'll see these values:
- Assertion Consumer Service (ACS) URL, for example: https://api.bemyeyes.com/auth/saml/examplecorp/acs
- SP Entity ID (Audience), for example: http://bemyeyes.com/examplecorp
You will need to enter these values into your Identity Provider's SAML app setup.
5. Enter Your IdP Details in Be My Eyes
In the Be My Eyes SAML setup form, enter the following values from your IdP:
- IdP Entity ID (provided by your IdP)
- IdP SSO URL (login URL from your IdP)
- IdP X.509 Public Certificate (download from your IdP)
6. Save and Test
- Click Save to complete the setup.
- Test SSO by logging out and clicking Sign in with SSO. You should be redirected to your company login portal and, after authenticating, returned to Be My Eyes.
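The following added example is not Be My Eyes code. It pulls the three Step 5 values (IdP Entity ID, SSO URL, signing certificate) out of the SAML metadata XML that identity providers such as Okta, Azure AD, Auth0 and Ping export, so they can be pasted into the form without retyping, and it echoes the Step 4 values for a configuration name using the URL pattern shown above. The IdP metadata, the idp.examplecorp.com URLs and the certificate blob are constructed samples, not real metadata.

```python
"""Extract the Step 5 values from IdP metadata and echo the Step 4 values for a
Be My Eyes configuration name. Added example; not Be My Eyes code."""
import base64
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def sp_values(config_name):
    """Step 4 values, following the URL pattern shown in the page's examples."""
    return {"acs_url": f"https://api.bemyeyes.com/auth/saml/{config_name}/acs",
            "entity_id": f"http://bemyeyes.com/{config_name}"}


def to_pem(b64_text):
    """Normalise the base64 blob from metadata into the PEM form upload forms expect."""
    der = base64.b64decode("".join(b64_text.split()), validate=True)  # rejects stray characters
    body = base64.b64encode(der).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def extract_idp_settings(metadata_xml):
    """Return the IdP Entity ID, the SSO URL and the signing certificate(s)."""
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("expected md:EntityDescriptor at the root (EntitiesDescriptor bundles not handled)")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this looks like SP metadata, not IdP metadata")
    sso = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    sso_url = sso.get(REDIRECT) or sso.get(POST)  # either binding works for the login URL
    if not sso_url or not sso_url.startswith("https://"):
        raise ValueError(f"no usable https SingleSignOnService endpoint: {sso}")
    certs = [to_pem(c.text)
             for kd in idp.findall("md:KeyDescriptor", NS)
             if kd.get("use") in (None, "signing")  # skip encryption-only keys
             for c in kd.findall(".//ds:X509Certificate", NS)]
    if not certs:
        raise ValueError("no signing certificate in metadata")
    return {
        "entity_id": root.get("entityID"),
        "sso_url": sso_url,
        "certificates": certs,  # more than one usually means a key rollover is in progress
        # Be My Eyes publishes AuthnRequestsSigned="false"; an IdP that insists on
        # signed requests will reject the SP-initiated flow.
        "wants_signed_requests": idp.get("WantAuthnRequestsSigned", "false").lower() == "true",
    }


# Constructed sample IdP metadata (hypothetical idp.examplecorp.com; the
# certificate is a placeholder base64 blob, not a real X.509 certificate).
SAMPLE_IDP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.examplecorp.com/saml/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        cGxhY2Vob2xkZXI=
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.examplecorp.com/saml/sso/redirect"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.examplecorp.com/saml/sso/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

if __name__ == "__main__":
    print(sp_values("examplecorp"))
    settings = extract_idp_settings(SAMPLE_IDP_METADATA)
    print(settings["entity_id"], settings["sso_url"], settings["wants_signed_requests"])
    print(settings["certificates"][0])
```

Replace SAMPLE_IDP_METADATA with the metadata file downloaded from your IdP; if "wants_signed_requests" comes back True, turn that requirement off in the IdP app before testing the SP-initiated login.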
Example SAML Metadata
You may need to provide your IT team or IdP with Be My Eyes SAML metadata. Here's an example (replace examplecorp with your configuration name):
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://bemyeyes.com/examplecorp">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://api.bemyeyes.com/auth/saml/examplecorp/acs" index="1"/>
    <md:AttributeConsumingService index="1">
      <md:ServiceName xml:lang="en">Be My Eyes</md:ServiceName>
      <md:ServiceDescription xml:lang="en">SAML SSO for Be My Eyes</md:ServiceDescription>
      <md:RequestedAttribute Name="email" NameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"/>
      <md:RequestedAttribute Name="firstName"/>
      <md:RequestedAttribute Name="lastName"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
Troubleshooting
- Ensure you are using the correct ACS URL and SP Entity ID; both must match the values in your IdP's app configuration exactly, including the configuration name in the path.
- The IdP certificate must be valid and not expired, and it must be the signing certificate your IdP currently uses; after a certificate rollover at the IdP, upload the new certificate in Be My Eyes.
- The user must exist in your Be My Eyes organization, and the email address asserted by your IdP must be in the email domain configured for SSO.
- SAML assertions carry NotBefore and NotOnOrAfter timestamps; an IdP whose clock is badly out of sync can cause otherwise correct logins to be rejected.
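The following added example is not Be My Eyes code. It decodes a SAMLResponse captured from the browser's POST to the ACS URL (copy the base64 value of the SAMLResponse form field from the browser's developer tools or a SAML tracer extension) and compares the fields the troubleshooting items above refer to against the values you configured: Destination and Recipient against the ACS URL, Audience against the SP Entity ID, Issuer against the IdP Entity ID, the validity window against the current time, and the asserted email against your SSO domains. The sample response and the idp.examplecorp.com entity ID are constructed for illustration. The checker reads plaintext fields only and does not verify the XML signature (Be My Eyes does that on its side), so an empty result means "the configuration matches", not "the assertion is trusted".

```python
"""Compare a captured SAMLResponse with the values configured in Be My Eyes.
Added example; not Be My Eyes code. Signature is NOT verified here."""
import base64
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def _ts(value):
    """Parse a SAML UTC timestamp such as 2025-06-01T12:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_saml_response(response_b64, acs_url, sp_entity_id, idp_entity_id,
                        allowed_domains, now=None, skew=timedelta(minutes=3)):
    """Return a list of mismatches; an empty list means every checked field agrees."""
    now = _ts(now) if isinstance(now, str) else (now or datetime.now(timezone.utc))
    problems = []
    root = ET.fromstring(base64.b64decode(response_b64))
    if root.tag != f"{{{NS['samlp']}}}Response":
        return [f"root element is {root.tag}, not samlp:Response"]
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        problems.append("IdP did not report Success: " + (code.get("Value") if code is not None else "no StatusCode"))
    if root.get("Destination") not in (None, acs_url):
        problems.append(f"Destination {root.get('Destination')} != ACS URL {acs_url}")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("no plaintext saml:Assertion (encrypted assertions are not handled here)")
        return problems
    if assertion.find("ds:Signature", NS) is None:
        problems.append("assertion carries no ds:Signature (Be My Eyes publishes WantAssertionsSigned=true)")
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != idp_entity_id:
        problems.append(f"assertion Issuer {issuer!r} != IdP Entity ID {idp_entity_id!r}")
    audience = assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience",
                                  default="", namespaces=NS).strip()
    if audience != sp_entity_id:
        problems.append(f"Audience {audience!r} != SP Entity ID {sp_entity_id!r}")
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:  # allow a little clock skew either way
        if cond.get("NotBefore") and now + skew < _ts(cond.get("NotBefore")):
            problems.append("assertion NotBefore is in the future (check the IdP clock)")
        if cond.get("NotOnOrAfter") and now - skew >= _ts(cond.get("NotOnOrAfter")):
            problems.append("assertion NotOnOrAfter has passed (stale response or clock skew)")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is not None and scd.get("Recipient") not in (None, acs_url):
        problems.append(f"SubjectConfirmationData Recipient {scd.get('Recipient')} != ACS URL")
    email = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == "email":  # the attribute name the Be My Eyes metadata requests
            email = attr.findtext("saml:AttributeValue", default="", namespaces=NS).strip() or email
    domain = email.rsplit("@", 1)[-1].lower() if "@" in email else ""
    if domain not in {d.lower() for d in allowed_domains}:
        problems.append(f"asserted email {email!r} is not in a domain configured for SSO")
    return problems


# Constructed sample response (not captured from any real IdP); the signature
# element is a placeholder, which is fine because this checker never verifies it.
_SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 ID="_r1" Version="2.0" IssueInstant="2025-06-01T12:00:00Z"
 Destination="https://api.bemyeyes.com/auth/saml/examplecorp/acs">
<saml:Issuer>https://idp.examplecorp.com/saml/metadata</saml:Issuer>
<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2025-06-01T12:00:00Z">
<saml:Issuer>https://idp.examplecorp.com/saml/metadata</saml:Issuer>
<ds:Signature><ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue></ds:Signature>
<saml:Subject><saml:NameID>joe@examplecorp.com</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData Recipient="https://api.bemyeyes.com/auth/saml/examplecorp/acs"
 NotOnOrAfter="2025-06-01T12:05:00Z"/></saml:SubjectConfirmation></saml:Subject>
<saml:Conditions NotBefore="2025-06-01T11:59:00Z" NotOnOrAfter="2025-06-01T12:05:00Z">
<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
</saml:Conditions>
<saml:AttributeStatement><saml:Attribute Name="email">
<saml:AttributeValue>joe@examplecorp.com</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
</saml:Assertion></samlp:Response>"""


def sample_response(audience="http://bemyeyes.com/examplecorp"):
    """Base64-encode the constructed sample, optionally with a wrong Audience."""
    return base64.b64encode(_SAMPLE.replace("{audience}", audience).encode()).decode()


if __name__ == "__main__":
    print(check_saml_response(sample_response(), "https://api.bemyeyes.com/auth/saml/examplecorp/acs",
                              "http://bemyeyes.com/examplecorp", "https://idp.examplecorp.com/saml/metadata",
                              {"examplecorp.com"}, now="2025-06-01T12:01:00Z"))
```

Run it with the real ACS URL and SP Entity ID from Step 4, the IdP Entity ID from Step 5, and your SSO domains; each returned line names the field that disagrees, which is usually enough to see which side of the configuration to correct.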
Need Help?
If you need assistance, please contact your Be My Eyes account manager or support team.