Best Practices for SAML Single Sign-On (SSO) in EA SaaS

The aim is to ensure an optimal experience for all EA SaaS users with minimal hassle. This article shows how an admin can manage users and their interactions within the EA model repository. Using predefined groups in the EA model and Access Control Profiles in the EA SaaS Portal, an admin can assign different Permissions and Restrictions to different user groups.

Prerequisite

  • Log in to the Prolaborate Portal with an Admin user account.
  • Create an Access Control Profile with a user group, so that SAML Single Sign-On (SSO) users can be assigned to those groups directly from the SAML groups.

What we cover below

  1. How to create a User Group in Azure SAML and in the Prolaborate & EA SaaS Portal, so the group can be reused for SAML configuration.
  2. How to set Permissions and Restrictions for SAML users in the EA model.
  3. How to configure an Access Control Profile for SAML users.

EA SaaS Flow

[Image: How to configure SAML SSO in the EA SaaS portal]

Create User Groups in Prolaborate Portal

Create a general group for each team.

To create a group, click on Menu > User Group Management.

[Image: User group management in the EA SaaS portal]

Then click “Create User Group”, as shown in the image below.

[Image: User group management in EA SaaS]
[Image: How to create a user group]

| Field | Description |
|---|---|
| User Group Name | Enter the name of the user group. |
| Select Users | Assign the users to the respective group. |
| Repositories Access | Provide repository access based on your group. |
| Select Products | Choose the specific products. |

After entering the above details, click on “Save” to create the user group.

Access Control Profiles

When an SSO user logs in for the first time, they are automatically registered in the Prolaborate & EA SaaS Portal. Configure the user groups in Access Control Profiles by following these steps.

Click on Menu > Access Control Profile 

Click on Create Profile.

[Image: Role-based access control]

Name the profile and define the groups, then click the save icon to retain the Access Control Profile. For more information about Access Control Profiles, click here.

[Image: Centralized access control]

SAML Settings

1. Configure the Service Provider and Identity Provider Configuration on the SAML settings page. For more details on the SAML Single Sign-On Configuration, click on the link here.

2. Once SAML group-based Restriction is enabled, choose the Access Control Profile created as described above and fill in the name of the SAML group that was assigned in the SAML IdP portal, as shown below.

[Image: How to map Access Control Profiles to SAML groups]

3. This configuration ensures that users belonging to the specified SAML group will be automatically granted access to Prolaborate and EA SaaS based on the Access profile you established in the SAML settings.

4. Click the “Save” icon after completing the configuration.
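
A pre-deployment check for the group mapping in step 2, as an added example that is not part of the original article or of the product: it reads the group values from a SAML AttributeStatement and compares them with the SAML group names entered in the SAML settings. The attribute name, group names, profile names and sample assertion are constructed, and exact string matching is an assumption (the article says only that the names should be the same).

```python
import re
import xml.etree.ElementTree as ET

NS = "{urn:oasis:names:tc:SAML:2.0:assertion}"
# Assumption: the IdP sends group membership in Azure AD's default groups claim.
GROUP_ATTR = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

# Constructed mapping: SAML group name -> Access Control Profile (hypothetical names).
PROFILE_MAP = {"EA-Architects": "Architect Profile", "EA-Reviewers": "Reviewer Profile"}

# Constructed sample. This is a configuration check only: it does not verify the
# assertion signature, and untrusted XML should be parsed with a hardened parser.
SAMPLE = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
    <saml:AttributeValue>EA-Architects</saml:AttributeValue>
    <saml:AttributeValue>ea-reviewers </saml:AttributeValue>
    <saml:AttributeValue>0f8fad5b-d9cb-469f-a165-70867728950e</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""

def group_values(xml_text, attr_name=GROUP_ATTR):
    """Return the raw AttributeValue strings of the groups attribute."""
    root = ET.fromstring(xml_text)
    values = []
    for attr in root.iter(NS + "Attribute"):
        if attr.get("Name") == attr_name:
            values += [v.text or "" for v in attr.findall(NS + "AttributeValue")]
    return values

def check_groups(values, profile_map):
    """Classify each group value as (value, status, profile or configured name)."""
    folded = {name.strip().casefold(): name for name in profile_map}
    report = []
    for value in values:
        key = value.strip().casefold()
        if value in profile_map:
            report.append((value, "match", profile_map[value]))
        elif GUID_RE.match(value.strip()):
            # The IdP is sending object IDs, not the names typed into the settings.
            report.append((value, "object-id", None))
        elif key in folded:
            # Differs only by case or whitespace from a configured group name.
            report.append((value, "near-miss", folded[key]))
        else:
            report.append((value, "unmapped", None))
    return report

if __name__ == "__main__":
    for row in check_groups(group_values(SAMPLE), PROFILE_MAP):
        print(row)
```

Any row other than "match" is a group whose members may not receive the intended Access Control Profile and should be reviewed before SSO is enabled.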

Setup Group in EA with Permissions and Restrictions on EA SaaS

Assign the right permissions to each group for each EA model repository. 

[Image: Configuring security groups in Enterprise Architect]

For more information about permissions and restrictions, refer to the links below:

To learn about the access permissions within the EA group, please click here.

To explore information on the restriction within the EA group, please click here.

Note:

The value entered for ‘Open ID Group’ should be the same as the name of the group created in the previous step in the EA SaaS Portal.

Click “Save” after the configuration.

Conclusion

Once the configuration is done and SSO is enabled, users will see a new button on the authentication portal called ‘Login with SSO’, which they can click to log in with their SSO credentials.

[Image: Login with SSO]

Upon selecting the SSO login option, the landing page will be displayed, featuring EA SaaS and Prolaborate, provided that the SSO user is assigned to both Prolaborate and EA SaaS.

[Image: Multi-tenant Prolaborate and EA SaaS Portal page]

Clicking ‘Open Project in Prolaborate’ will launch Prolaborate based on the access permissions configured for SSO, displaying the model according to the user’s access permissions.

[Image: Prolaborate repositories page]

Similarly, choosing “Open Repository in Sparx Enterprise Architect” will open Enterprise Architect with a Pinned model connection. By clicking on the model and selecting “OpenID login,” the model will be accessible based on the group restrictions assigned to the user.

[Image: EA SaaS start page]
