
Single sign-on

Caution

SSO takes precedence over auth provider settings. Once SSO is enabled, users are no longer able to sign in with a Google account, a Microsoft account, or an email address and password.

The DoiT Platform supports both Security Assertion Markup Language (SAML) and OpenID Connect (OIDC) as single sign-on (SSO) protocols.

Note

Required Permission: Authentication Manager

Set up your IdP

Before configuring SSO in the DoiT Console, you need to create a SAML or OIDC application with a third-party Identity Provider (IdP). Follow the IdP-specific documentation when creating your application.

See also

If you're creating SAML app integrations in Okta, provide the following information to the SAML settings:

  • Default RelayState: https://app.doit.com/customers. This is the landing page after a user has successfully signed in to the DoiT Console.

  • Name ID format: EmailAddress. This is the username format in the SAML Response.

  • Application username: Email. This is the default username with the application.

Configure SSO in DoiT Console

Depending on the protocol supported by your application, select Configure (or Edit configuration) using SAML or OIDC.

You do not need to enable SSO to configure the protocols.

SSO options

If you have configured both the SAML and OIDC protocols, you can switch the active protocol by selecting the corresponding radio button.

Configure using SAML

  1. Enter the configuration values you received from the IdP when creating your SAML application:

    • Entity ID: Your application's Entity ID (also known as Audience URI)

      Tip

      For SAML authentication with Azure Active Directory, the Entity ID is the Azure AD Identifier value from the Azure portal. See also Tutorial: Azure AD SSO integration with Azure AD SAML Toolkit.

    • SSO URL: Your application's SSO URL (also known as the Destination URL)

    • Certificate: Your application's X.509 signing certificate

  2. Save your configuration.

    Saving the configuration will automatically enable SSO. You'll be asked to confirm the action before it's executed.

Configure using OIDC

  1. Enter the configuration values you received from the IdP when creating your OIDC application:

    • Client ID: Your application's Client ID
    • Issuer URL: Your application's Issuer URL (also known as the metadata Discovery URL)
    • Client secret: Your application's Client Secret
  2. Save your configuration.

    Saving the configuration will automatically enable SSO. You'll be asked to confirm the action before it's executed.

Enable or disable SSO

Once you have configured SSO in DoiT Console, you can enable or disable SSO using the Enable SSO toggle switch.

Provide information to your IdP

After configuring SSO in the DoiT Console, you need to add information to your IdP to complete the integration between the DoiT Platform and your SAML/OIDC application.

By default, the DoiT Console populates a generic configuration template on the protocols configuration page with the following labels:

  • Service provider entity ID (SAML only)
  • Callback URL
  • IdP login URL

If you use Okta or JumpCloud, you can choose from the Provider drop-down list for a provider-specific configuration template.

Note

If you need further assistance, please open a support ticket.

Configure user roles

You can configure DoiT Platform user roles via your IdP by setting the custom attribute doit_platform_role_id per user. The value of the attribute must be the role ID of the desired DoiT Platform user role (See Role ID for how to find the role ID in the DoiT Console.)

If your IdP doesn't provide a value for doit_platform_role_id, the DoiT Platform will assign the default role configured for your organization.

Setting a default role in the DoiT Console doesn't impact existing users, though they might be affected if you explicitly set the default role in your IdP. We suggest that you consult the IdP-specific documentation for more information.

Note

Users are created and updated through the IdP. When you offboard users, they lose access to the DoiT Platform once they are deactivated in the IdP. The DoiT Platform itself doesn't deactivate users.
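As an added example (not DoiT's own code or tooling), the following Python mirrors two checks a practitioner would run before saving the OIDC configuration above and before relying on IdP-assigned roles: it validates an Issuer URL against a constructed discovery document, and resolves the effective DoiT role from an assertion's attributes using the fallback rule described in this section. The issuer, endpoint URLs and role IDs are hypothetical.

```python
import json
from urllib.parse import urlsplit

# Constructed sample of what an IdP serves at <issuer>/.well-known/openid-configuration.
# The issuer and endpoints are hypothetical, not a real tenant.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idp.example.com/oauth2/default",
    "authorization_endpoint": "https://idp.example.com/oauth2/default/v1/authorize",
    "token_endpoint": "https://idp.example.com/oauth2/default/v1/token",
    "jwks_uri": "https://idp.example.com/oauth2/default/v1/keys",
    "response_types_supported": ["code", "id_token", "code id_token"],
})

REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")


def check_oidc_issuer(configured_issuer: str, discovery_json: str) -> list[str]:
    """Return the problems found with an Issuer URL; an empty list means it passed."""
    problems = []
    parts = urlsplit(configured_issuer)
    if parts.scheme != "https":
        problems.append("issuer must use https")
    if parts.query or parts.fragment:
        problems.append("issuer must not contain a query string or fragment")
    try:
        doc = json.loads(discovery_json)
    except json.JSONDecodeError:
        return problems + ["discovery document is not valid JSON"]
    # OpenID Connect Discovery requires the document's 'issuer' to be identical to the
    # URL it was fetched from; a stray trailing slash is the classic mismatch.
    if doc.get("issuer") != configured_issuer:
        problems.append(f"discovery issuer {doc.get('issuer')!r} != configured {configured_issuer!r}")
    for key in REQUIRED_ENDPOINTS:
        if key not in doc:
            problems.append(f"discovery document lacks {key}")
        elif urlsplit(doc[key]).scheme != "https":
            problems.append(f"{key} is not https")
    return problems


def resolve_role(attributes: dict, default_role_id: str) -> str:
    """Use doit_platform_role_id when the IdP sends a non-empty value, else the org default."""
    value = attributes.get("doit_platform_role_id")
    if isinstance(value, list):  # SAML attribute values are commonly delivered as lists
        value = value[0] if value else None
    if isinstance(value, str) and value.strip():
        return value.strip()
    return default_role_id
```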