You need an Identity Provider that supports the OpenID Connect (OIDC) federation protocol with implicit flow (the only issues we've experienced were with JumpCloud's response modes not matching).
Activating SSO for your organization is easy and is done in four steps:
1. Fill in the form to request the activation of SSO.
This creates a ticket for our support team, who will be in charge of activating the SSO.
2. Configure an OIDC connection in your Identity Provider.
Please refer to your IdP documentation to do so.
You will need the following information:
- Federation protocol: OpenID Connect (OIDC)
- Grant type: Code flow with PKCE
- Callback URLs: https://auth.cybelangel.com/login/callback (Platform), https://cybelangel.eu.auth0.com/login/callback (Help center)
- Requested scopes: "openid profile email"
3. Send the requested information to our support team.
Simply reply to the support ticket that was created with the required data so the support team can activate your connection.
You will need to send us:
- Discovery URL: a public URL that links to your Identity Provider configuration (often containing /.well-known in the address)
- Client ID: generated upon creation of the connection in your Identity Provider
- Client secret: if using the back-channel option, otherwise not needed
- List of domains: the domains that'll be redirected to your Identity Provider for authentication
- Due date: the date you wish the SSO to be activated; if not provided, it will be handled as soon as possible.
4. SSO activation
The support team will activate your SSO connection for the CybelAngel platform according to the due date you provided.
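Before sending the Discovery URL from step 3, it is worth confirming that your IdP actually advertises the settings step 2 requires (code flow, PKCE, the openid/profile/email scopes, and a usable response mode). The following is an added example, not CybelAngel's own tooling: it checks a parsed OIDC discovery document against those requirements, using a constructed sample document in place of a live fetch.

```python
# Added example (not CybelAngel's code): pre-flight check of an IdP's OIDC
# discovery document against the settings this page asks for. It works on a
# dict parsed from the discovery JSON; to run it live, fetch the document
# yourself (e.g. requests.get(discovery_url(issuer)).json()).

REQUIRED_SCOPES = {"openid", "profile", "email"}  # "openid profile email"


def discovery_url(issuer: str) -> str:
    """Standard location of the discovery document for a given issuer."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def check_discovery(doc: dict) -> list[str]:
    """Return a list of problems; an empty list means the IdP advertises
    everything the connection needs (code flow + PKCE + required scopes)."""
    problems = []
    for key in ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri"):
        if not doc.get(key):
            problems.append(f"missing {key}")
    # Grant type on this page is "Code flow with PKCE", so "code" must be offered.
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow not supported")
    # Per the OIDC discovery spec the default, when omitted, is both values.
    if "authorization_code" not in doc.get(
        "grant_types_supported", ["authorization_code", "implicit"]
    ):
        problems.append("authorization_code grant not supported")
    # PKCE: the IdP must accept the S256 code challenge method.
    if "S256" not in doc.get("code_challenge_methods_supported", []):
        problems.append("PKCE with S256 not advertised")
    missing = REQUIRED_SCOPES - set(doc.get("scopes_supported", []))
    if missing:
        problems.append("scopes not supported: " + ", ".join(sorted(missing)))
    # Response-mode mismatches are the one issue the page reports in practice.
    if "query" not in doc.get("response_modes_supported", ["query", "fragment"]):
        problems.append("response_mode=query not supported")
    return problems


SAMPLE_DISCOVERY = {  # constructed sample, not a real IdP's document
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/oauth2/authorize",
    "token_endpoint": "https://idp.example.com/oauth2/token",
    "jwks_uri": "https://idp.example.com/.well-known/jwks.json",
    "response_types_supported": ["code", "id_token"],
    "response_modes_supported": ["query", "form_post"],
    "code_challenge_methods_supported": ["S256"],
    "scopes_supported": ["openid", "profile"],  # "email" deliberately absent
}

if __name__ == "__main__":
    print(check_discovery(SAMPLE_DISCOVERY))  # ['scopes not supported: email']
```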
Q. Can I have multiple Identity Providers set up for my organization?
A. Yes, you can. Just make sure the IdPs have no domain in common, and make two separate requests to support using the landing page.
Q. How can I securely share my client secret with CybelAngel?
A. You can use any secret-sharing solution with self-expiring links, such as onetimesecret.
Q. I'm using Sign&Go and SSO is not working.
A. When using the Sign&Go solution, you must activate JWT tokens and input the signature provided by your access provider.