What is SSO?
Single Sign-On (SSO) lets users sign in to a service through an Identity Provider (IdP).
It is a secure way to connect to the CybelAngel Platform using a single set of credentials managed at your company's level.
A federation protocol is required for the web service and the Identity Provider to communicate. CybelAngel currently supports the OpenID Connect (OIDC) protocol.
Impacts of activating the SSO
At an admin level
Current users, roles and permissions will remain unchanged.
Invitation of new users is still necessary and unchanged.
At a user level
Users whose email domain has been added to the domain list will authenticate through your IdP.
All those users will:
- be redirected to your IdP for authentication;
- have the platform password connection disabled;
- have MFA (on CybelAngel end) disabled.
New users won't have to create a password on the CybelAngel platform; they will receive a welcome email with a link to connect to the CybelAngel platform.
SSO is being rolled out to customers progressively. If you want to activate this feature, please contact your Customer Success Manager.
You need an Identity Provider that supports the OpenID Connect (OIDC) federation protocol with implicit flow (the only issue we have experienced so far was with Jumpcloud, whose response modes did not match).
Activating the SSO for your organization is easy and is done in three steps:
1. Fill in the form to request the activation of SSO.
This step starts your journey toward an active SSO. It will:
- inform your Customer Success Manager about your request so they can help you,
- create a ticket for our support team, which is in charge of activating the SSO,
- send you an email with the detailed steps to activate SSO.
2. Configure an OIDC connection in your Identity Provider.
Please refer to your IdP's documentation to do so.
3. Send the requested information to our support team.
Reply to the support ticket that was created with the template below filled in with the required data, so the support team can activate your connection.
- Federation protocol: OpenID Connect (OIDC)
- Grant type: Code flow with PKCE
- Callback URLs: https://auth.cybelangel.com/login/callback (Platform), https://cybelangel.eu.auth0.com/login/callback (Help center)
- Requested scopes: "openid profile email"
- Discovery URL: the public URL of your Identity Provider's configuration document (the address usually contains /.well-known)
- Client ID: generated when the connection is created in your Identity Provider
- Client secret: only needed if you use the back-channel option
- List of domains: the domains that'll be redirected to your Identity Provider for authentication
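As an added example (not CybelAngel's own code), the script below checks an IdP's OIDC discovery document against the items in the template above (code flow with PKCE and the "openid profile email" scopes) before you send the details to support. The discovery document it inspects is a constructed sample and the issuer hostname is a placeholder.

```python
"""Pre-flight check of an IdP discovery document against the SSO request template."""
import json

# Constructed sample of what a GET on the Discovery URL returns (placeholder issuer).
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/authorize",
    "token_endpoint": "https://idp.example.com/token",
    "jwks_uri": "https://idp.example.com/.well-known/jwks.json",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "grant_types_supported": ["authorization_code", "refresh_token"],
    "code_challenge_methods_supported": ["S256"],
    "scopes_supported": ["openid", "profile", "email", "offline_access"],
})

# Scopes listed in the request template.
REQUIRED_SCOPES = {"openid", "profile", "email"}


def check_discovery(document: str) -> list[str]:
    """Return the list of problems found; an empty list means the IdP meets the template."""
    cfg = json.loads(document)
    problems = []
    # Endpoints the code flow needs; all are mandatory in an OIDC discovery document.
    for key in ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri"):
        if key not in cfg:
            problems.append(f"missing {key}")
    if not cfg.get("issuer", "").startswith("https://"):
        problems.append("issuer must be an https URL")
    # Code flow: the IdP must be able to return an authorization code.
    if "code" not in cfg.get("response_types_supported", []):
        problems.append("response_type 'code' not supported (code flow required)")
    # grant_types_supported is optional; when absent, authorization_code is implied.
    grants = cfg.get("grant_types_supported", ["authorization_code", "implicit"])
    if "authorization_code" not in grants:
        problems.append("authorization_code grant not supported")
    # PKCE: the IdP must accept the S256 code challenge method.
    if "S256" not in cfg.get("code_challenge_methods_supported", []):
        problems.append("PKCE with S256 not advertised")
    # scopes_supported is recommended, not mandatory; only flag scopes explicitly absent.
    missing = REQUIRED_SCOPES - set(cfg.get("scopes_supported", REQUIRED_SCOPES))
    if missing:
        problems.append("scopes not advertised: " + ", ".join(sorted(missing)))
    return problems


if __name__ == "__main__":
    print(check_discovery(SAMPLE_DISCOVERY) or "discovery document meets the template")
```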
Q. Can I have multiple Identity Providers set up for my organization?
A. Yes, you can. You just need to make sure the IdPs have no domain in common, and make two separate requests to support using the landing page.
Q. How can I securely share my client secret with CybelAngel?
A. You can use any secret-sharing solution with self-expiring links, for example onetimesecret.
Q. I'm using Sign&Go and SSO is not working
A. When using the Sign&Go solution, you must activate JWT tokens and input the signature given by your access provider.
Q. Can you provide an example of configuration with Okta?