What is SSO?
Single Sign-On (SSO) lets users sign in to a service through an Identity Provider (IdP).
It is a secure way to connect to the CybelAngel Platform with a single set of credentials managed at your company's level.
The web service and the Identity Provider communicate through a federation protocol. CybelAngel currently supports the OpenID Connect (OIDC) protocol.
Impacts of activating the SSO
At an admin level
Current users, roles and permissions will remain unchanged.
Invitation of new users is still necessary and unchanged.
At a user level
Users whose email domain is in the configured domain list will authenticate through your IdP.
All those users will:
- be redirected to your IdP for authentication;
- have the platform password connection disabled;
- have MFA (on CybelAngel end) disabled.
New users won't have to create a password on the CybelAngel platform and will receive a welcome email with a link to connect to the CybelAngel platform.
Activate SSO
SSO will be rolled out to customers progressively. If you want to activate this feature, please contact your Customer Success Manager.
Prerequisites
You need an Identity Provider that supports the OpenID Connect (OIDC) federation protocol with implicit flow (the only issue we have encountered so far is with JumpCloud's response modes not matching).
Process
Activating SSO for your organization is easy and is done in three steps:
1. Fill in the form to request the activation of SSO.
This step starts your journey toward an active SSO. It will:
- inform your Customer Success Manager about your request so they can help you,
- create a ticket for our support team, which is in charge of activating the SSO,
- send you an email with the detailed steps to activate SSO.
2. Configure an OIDC connection in your Identity Provider.
Please refer to your IdP documentation to do so.
3. Send the requested information to our support team.
Reply to the support ticket that was created, with the template filled in with the required data, so the support team can activate your connection.
Exchanged data
You'll need...
- Federation protocol: OpenID Connect (OIDC)
- Grant type: Code flow with PKCE
- Callback URL: https://auth.cybelangel.com/login/callback
- Requested scopes: "openid profile email"
We'll need...
- Discovery URL: a public URL that links to your Identity Provider configuration (often containing /.well-known in the address)
- Client ID: generated upon creation of the connection in your Identity Provider
- Client secret: if using the back-channel option, otherwise not needed
- List of domains: the domains that'll be redirected to your Identity Provider for authentication
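The values above are what the two sides exchange. Before sending the discovery URL and client ID to support, it is worth checking that your IdP's discovery document actually advertises what the connection needs: the authorization code response type, PKCE with S256, and the requested scopes. The following Python script is an added example and is not CybelAngel code or part of the article; it embeds a constructed discovery document (placeholder host idp.example.com) in place of a live /.well-known/openid-configuration fetch, checks it against the "You'll need..." list, and shows how the PKCE verifier/challenge pair and the authorization request are formed for the code flow with PKCE listed in the exchanged data. The callback URL and scopes are taken from the article; the hypothetical client ID, state and nonce are placeholders.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Values the article lists on the CybelAngel side of the connection.
CALLBACK_URL = "https://auth.cybelangel.com/login/callback"
REQUESTED_SCOPES = "openid profile email"

# Constructed sample discovery document, standing in for what an IdP serves
# at its /.well-known/openid-configuration URL. Field names follow the OIDC
# Discovery specification; the host is a placeholder, not a real IdP.
SAMPLE_DISCOVERY = {
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/oauth2/authorize",
    "token_endpoint": "https://idp.example.com/oauth2/token",
    "jwks_uri": "https://idp.example.com/oauth2/keys",
    "scopes_supported": ["openid", "profile", "email", "groups"],
    "response_types_supported": ["code", "id_token", "code id_token"],
    "grant_types_supported": ["authorization_code", "implicit"],
    "code_challenge_methods_supported": ["S256"],
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "none"],
}


def check_discovery(doc):
    """Return a list of problems found in a discovery document (a parsed dict)
    for a code-flow-with-PKCE connection; an empty list means it looks fine."""
    problems = []
    for key in ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri"):
        if key not in doc:
            problems.append("missing " + key)
    if not str(doc.get("issuer", "")).startswith("https://"):
        problems.append("issuer is not an https URL")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("response_type=code not advertised")
    # Per OIDC Discovery, an absent grant_types_supported means
    # authorization_code and implicit are both supported.
    grants = doc.get("grant_types_supported", ["authorization_code", "implicit"])
    if "authorization_code" not in grants:
        problems.append("authorization_code grant not supported")
    if "S256" not in doc.get("code_challenge_methods_supported", []):
        problems.append("PKCE method S256 not advertised")
    missing = set(REQUESTED_SCOPES.split()) - set(doc.get("scopes_supported", []))
    if missing:
        problems.append("scopes not advertised: " + ", ".join(sorted(missing)))
    return problems


def pkce_challenge(code_verifier):
    """S256 code challenge: BASE64URL(SHA256(code_verifier)) without padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def make_pkce_pair():
    """Fresh high-entropy verifier (kept client-side) and its challenge (sent to the IdP)."""
    code_verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    return code_verifier, pkce_challenge(code_verifier)


def verify_pkce(code_verifier, code_challenge):
    """What the token endpoint does when the code is redeemed: recompute and compare."""
    return secrets.compare_digest(pkce_challenge(code_verifier), code_challenge)


def build_authorization_url(doc, client_id, code_challenge, state, nonce):
    """Authorization request for the code flow with PKCE, using the article's callback and scopes."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": CALLBACK_URL,
        "scope": REQUESTED_SCOPES,
        "state": state,
        "nonce": nonce,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return doc["authorization_endpoint"] + "?" + urlencode(params)


if __name__ == "__main__":
    print("discovery problems:", check_discovery(SAMPLE_DISCOVERY) or "none")
    verifier, challenge = make_pkce_pair()
    # Client ID, state and nonce below are placeholders for illustration.
    print(build_authorization_url(SAMPLE_DISCOVERY, "placeholder-client-id", challenge,
                                  state="placeholder-state", nonce="placeholder-nonce"))
```

In a real check you would replace SAMPLE_DISCOVERY with the JSON fetched from your discovery URL; if check_discovery reports a problem, fix the connection in your IdP before sending the details to support. The client secret is only exchanged when the back-channel option is used, so it does not appear in the authorization request above.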
FAQ
Q. Can I have multiple Identity Providers set for my organization?
A. Yes, you can. Make sure the IdPs have no domain in common, and submit a separate request to support through the landing page for each IdP.
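Since redirection to an IdP is decided by the domain of the user's email address, two connections that claim the same domain would be ambiguous. The following Python snippet is an added example, not part of the article or of CybelAngel's platform: it takes a constructed set of IdP connections with their domain lists (placeholder names and domains), flags any domain claimed by more than one connection, and shows which connection a given user's email would be routed to (or none, meaning the user keeps the platform password and CybelAngel-side MFA).

```python
# Constructed example: two IdP connections for one organization, each with
# its own domain list, as described in the FAQ. Names and domains are placeholders.
IDP_CONNECTIONS = {
    "corp-idp": ["example.com", "Example.co.uk"],
    "subsidiary-idp": ["subsidiary-example.com"],
}


def normalize_domain(domain):
    """Domains are compared case-insensitively, ignoring whitespace and a trailing dot."""
    return domain.strip().lower().rstrip(".")


def find_domain_conflicts(connections):
    """Return (domain, [connection names]) for every domain listed under more than one IdP."""
    owners = {}
    for name, domains in connections.items():
        for domain in domains:
            owners.setdefault(normalize_domain(domain), []).append(name)
    return sorted((d, names) for d, names in owners.items() if len(names) > 1)


def idp_for_email(email, connections):
    """Name of the IdP the user is redirected to, or None if the email domain is not listed."""
    if email.count("@") != 1:
        return None
    domain = normalize_domain(email.rsplit("@", 1)[1])
    for name, domains in connections.items():
        if domain in {normalize_domain(d) for d in domains}:
            return name
    return None


if __name__ == "__main__":
    print("conflicts:", find_domain_conflicts(IDP_CONNECTIONS) or "none")
    for addr in ("alice@example.com", "bob@Example.CO.UK", "carol@other.org"):
        print(addr, "->", idp_for_email(addr, IDP_CONNECTIONS))
```

Running find_domain_conflicts over the domain lists you intend to submit is a quick way to confirm the "no domain in common" requirement before opening the second support request.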