
Authentication

To configure authentication for your organization, select the gear icon from the top navigation bar of the Cloud Management Platform (CMP), then select Authentication:

From here, you can configure two aspects of authentication:

  • Single Sign-On: Use your own Single Sign-On (SSO) application
  • Auth provider: Allow user log-ins via Google Workspace, Microsoft Office 365, or both

Single Sign-On

The CMP supports the following SSO application protocols:

  • Security Assertion Markup Language (SAML)
  • OpenID Connect (OIDC)

You can configure the SAML or OIDC protocols from the Single Sign-On screen by selecting the corresponding Configure link.

Note

You must configure SAML or OIDC before you can enable SSO with the Enable SSO radio button.

Configure SAML

If your SSO application uses SAML, you must configure your chosen Identity Provider (IdP) with the values displayed in the form field on the Authentication screen. For example:

After selecting Configure, the CMP will present the following form:

To configure the SAML protocol, enter the following information, provided to you by your IdP:

  • Entity ID: Your application's Entity ID (aka Audience URI)
  • SSO URL: Your application's SSO URL (aka the Destination URL)
  • Certificate: Your application's X.509 signing certificate

The CMP will prompt you to confirm the operation when you select the Save button. If you select Confirm, the CMP will automatically enable SSO:

Configure OIDC

If your SSO application uses OIDC, you must configure your chosen Identity Provider (IdP) with the values displayed in the form field on the Authentication screen. For example:

After selecting Configure, the CMP will present the following form:

To configure the OIDC protocol, enter the following information, provided to you by your IdP:

  • Client ID: Your application's Client ID
  • Issuer URL: Your application's Issuer URL (aka the metadata Discovery URL)
  • Client secret: Your application's Client Secret

The CMP will prompt you to confirm the operation when you select the Save button. If you select Confirm, the CMP will automatically enable SSO:

Change protocols

If you have configured both SAML and OIDC, you can change the protocol by selecting the corresponding radio button. The CMP will prompt you to confirm the change:

User roles

You can configure CMP user roles via your Identity Provider (IdP) by setting the custom doit_platform_role_id attribute on a user-by-user basis.

If your IdP provides a doit_platform_role_id value for a user, the CMP will assign the corresponding role to that user. For this to work, the value should exactly match the Role ID corresponding to the desired CMP user role.

To find the correct Role ID, navigate to the Identity and access screen from the gear icon in the top right-hand corner of the CMP. Then, navigate to the Roles page and select the role you want to assign. From the role details page, select the Copy Role ID button in the top right-hand corner:

Note

If your IdP does not provide a value for doit_platform_role_id, the CMP will assign the default role configured for your organization.
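
A pre-flight check for the attribute described in this section, as an added example that is not DoiT's code: it parses a SAML assertion captured from a test login and reports whether doit_platform_role_id is absent, matches a known Role ID exactly, or differs only by whitespace or letter case. The Role IDs, the sample assertions, and the function names are constructed for illustration, and the example assumes your SSO application uses SAML.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
ROLE_ATTR = "doit_platform_role_id"  # attribute name given on this page

# Constructed placeholders standing in for values copied with "Copy Role ID".
KNOWN_ROLE_IDS = {"EXAMPLE-ROLE-ID-ADMIN", "EXAMPLE-ROLE-ID-VIEWER"}


def build_sample(attributes):
    """Build a constructed, unsigned assertion from (name, value) pairs."""
    body = "".join(
        f'<saml:Attribute Name="{name}">'
        f"<saml:AttributeValue>{value}</saml:AttributeValue></saml:Attribute>"
        for name, value in attributes
    )
    return (
        f'<saml:Assertion xmlns:saml="{SAML_NS}"><saml:AttributeStatement>'
        f"{body}</saml:AttributeStatement></saml:Assertion>"
    )


def check_role_attribute(assertion_xml, known_role_ids):
    """Classify the role attribute in an assertion captured from a test login.

    Diagnostic only: this does not verify the assertion's signature.
    """
    root = ET.fromstring(assertion_xml)
    values = [
        value.text or ""
        for attr in root.iterfind(".//saml:Attribute", NS)
        if attr.get("Name") == ROLE_ATTR
        for value in attr.iterfind("saml:AttributeValue", NS)
    ]
    if not values:
        return ("absent", "organization default role applies")
    if len(values) > 1:
        return ("multiple", f"{len(values)} values sent; send exactly one")
    sent = values[0]
    if sent in known_role_ids:
        return ("ok", sent)
    # An exact match is required, so flag values that differ from a known
    # Role ID only by surrounding whitespace or letter case.
    for role_id in sorted(known_role_ids):
        if role_id.casefold() == sent.strip().casefold():
            return ("near-miss", role_id)
    return ("unknown", sent)
```

A "near-miss" or "unknown" result means the IdP attribute mapping needs correcting before you rely on role assignment for that user.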

Auth provider

By default, we allow users to log in to the CMP via Google Workspace or Microsoft Office 365.

If you would like to restrict authentication providers, select Auth provider from the left-hand menu on the Authentication screen and choose the corresponding option: