
Single sign-on

Single Sign-On (SSO) is a federated identity management mechanism that allows a user to access multiple applications or services with one set of login credentials.

Overview

The DoiT Console application supports SSO through the Security Assertion Markup Language (SAML) and OpenID Connect (OIDC) authentication protocols. To integrate the DoiT Console application with an identity provider (IdP), you need to:

  • Create a SAML or OIDC application on the IdP side.
  • Configure SSO in the DoiT Console.

This page explains the general steps when implementing SSO for the DoiT Console. You can also find IdP-specific instructions on the following pages:

Caution

SSO takes precedence over auth provider settings for end-user sign-in. Once SSO is enabled, end users can no longer sign in with a Google account, Microsoft account, or email and password. Admin users can still use other sign-in options.

Get information for your IdP

Required Permission
  • Users Manager

The DoiT Console generates information that is required by IdPs to create custom applications.

  1. Log in to the DoiT Console, select the gear icon from the top navigation bar, and then select Identity & access.

  2. Select Single sign-on from the left-hand menu.

  3. Select Configure (or Edit configuration) in SAML or OIDC according to your authentication protocol.


  4. The DoiT Console populates a generic configuration template under Add the following information to your provider.

    If your IdP is Okta or JumpCloud, choose it from the Provider drop-down list for a provider-specific configuration template.


Create your custom application

Follow the instructions of your IdP to create a SAML or OIDC application.

Configure SSO in the DoiT Console

Complete the SSO configuration in the DoiT Console:

  1. In the DoiT Console, select the gear icon from the top navigation bar, and then select Identity & access.

  2. Select Single sign-on from the left-hand menu.

  3. Select Configure (or Edit configuration) in SAML or OIDC according to your authentication protocol.

  4. Enter the configuration values you received from the IdP when creating your application.

    • SAML configuration:

      • Entity ID: Your application's Entity ID (also known as Audience URI)
      • SSO URL: Your application's SSO URL (also known as the Destination URL)
      • Certificate: Your application's signing certificate
    • OIDC configuration:

      • Client ID: Your application's Client ID
      • Issuer URL: Your application's Issuer URL (also known as the metadata Discovery URL)
      • Client secret: Your application's Client Secret
  5. Save the configuration. This will automatically enable SSO. You'll be asked to confirm the action before it's executed.

You can also use the toggle switch to enable or disable SSO. If you have configured both SAML and OIDC, you can switch the active protocol by selecting the corresponding radio button.

Configure user roles

You can configure DoiT Platform user roles via your IdP by setting the custom attribute doit_platform_role_id per user. The value of the attribute must be the role ID of the desired DoiT Platform user role. (See Role ID for how to find the role ID in the DoiT Console.)

If your IdP doesn't provide a value for doit_platform_role_id, the DoiT Platform will assign the default role of your organization to new users.

Setting a default role in the DoiT Console doesn't impact existing users, though they might be affected if you explicitly set the default role in your IdP. We suggest that you consult the IdP-specific documentation for more information.

Configure user organizations

You can configure the DoiT Platform user organization via your IdP by setting the custom attribute doit_platform_org_id per user. The value of the attribute must be the organization ID of the desired DoiT Platform user organization.

If your IdP doesn't provide a value for doit_platform_org_id, no organization will be assigned to the user.
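As an added illustration (not DoiT's own code) of how the two custom attributes described above are consumed on the service-provider side: parse the AttributeStatement of a constructed SAML assertion and apply the fallback rules from this page (a missing doit_platform_role_id falls back to the organization's default role; a missing doit_platform_org_id assigns no organization). The DEFAULT_ROLE_ID value, the sample assertions and the rejection of multi-valued attributes are assumptions; the assertion's signature is assumed to have been verified before this step.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Hypothetical default role of the organization, as set in the DoiT Console (placeholder value).
DEFAULT_ROLE_ID = "default-role-placeholder"

# Constructed sample assertion (not a real IdP response) carrying both custom attributes.
FULL_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="doit_platform_role_id">
      <saml:AttributeValue>role-placeholder-123</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="doit_platform_org_id">
      <saml:AttributeValue>org-placeholder-456</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed assertion with neither attribute: expect the default role and no organization.
BARE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement/>
</saml:Assertion>"""


def extract_attributes(assertion_xml: str) -> dict:
    """Return {attribute name: [values]} from the assertion's AttributeStatement.
    Only call this on an assertion whose signature has already been verified."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text.strip() for v in attr.iterfind("saml:AttributeValue", SAML_NS) if v.text]
        attrs[attr.get("Name")] = values
    return attrs


def resolve_user_mapping(assertion_xml: str, default_role_id: str = DEFAULT_ROLE_ID) -> dict:
    """Map the assertion to a role ID and organization ID using the page's fallback rules."""
    attrs = extract_attributes(assertion_xml)
    role_values = attrs.get("doit_platform_role_id", [])
    org_values = attrs.get("doit_platform_org_id", [])
    # Assumption: a user maps to exactly one role and one organization, so reject ambiguity.
    if len(role_values) > 1 or len(org_values) > 1:
        raise ValueError("multi-valued doit_platform_role_id or doit_platform_org_id")
    return {
        "role_id": role_values[0] if role_values else default_role_id,  # default role when absent
        "org_id": org_values[0] if org_values else None,                # no organization when absent
    }


if __name__ == "__main__":
    print(resolve_user_mapping(FULL_ASSERTION))
    print(resolve_user_mapping(BARE_ASSERTION))
```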

Note

Users are created and updated through the IdP. When you offboard users, they lose access to the DoiT Platform once they are deactivated in the IdP. The DoiT Platform itself doesn't deactivate users.