Single sign-on
SSO takes precedence over auth provider settings. Once SSO is enabled, users are no longer able to sign in with a Google account, a Microsoft account, or an email address and password.
The DoiT Platform supports both Security Assertion Markup Language (SAML) and OpenID Connect (OIDC) as single sign-on (SSO) protocols.
Required Permission: Authentication Manager
Set up your IdP
Before configuring SSO in the DoiT Console, you need to create a SAML or OIDC application with a third-party Identity Provider (IdP). Follow the IdP-specific documentation when creating your application.
- Okta
- Microsoft
- Google

See also Okta: What's the Difference Between OAuth, OpenID Connect, and SAML?
If you're creating SAML app integrations in Okta, provide the following information in the SAML settings:
- Default RelayState: `https://app.doit.com/customers`. This is the landing page when a user successfully signs in to the DoiT Console.
- Name ID format: `EmailAddress`. This is the username format in the SAML Response.
- Application username: `Email`. This is the default username with the application.
Configure SSO in DoiT Console
Depending on the protocol supported by your application, select Configure (or Edit configuration) using SAML or OIDC.
You do not need to enable SSO to configure the protocols.
If you have configured both the SAML and OIDC protocols, you can switch the active protocol by selecting the corresponding radio button.
Configure using SAML
Enter the configuration values you received from the IdP when creating your SAML application:
- Entity ID: Your application's Entity ID (also known as Audience URI)
  Tip: For SAML authentication with Azure Active Directory, the Entity ID is the Azure AD Identifier value from the Azure portal. See also Tutorial: Azure AD SSO integration with Azure AD SAML Toolkit.
- SSO URL: Your application's SSO URL (also known as the Destination URL)
- Certificate: Your application's X.509 signing certificate
Save your configuration.
Saving the configuration will automatically enable SSO. You'll be asked to confirm the action before it's executed.
Configure using OIDC
Enter the configuration values you received from the IdP when creating your OIDC application:
- Client ID: Your application's Client ID
- Issuer URL: Your application's Issuer URL (also known as the metadata Discovery URL)
- Client secret: Your application's Client Secret
Save your configuration.
Saving the configuration will automatically enable SSO. You'll be asked to confirm the action before it's executed.
Enable or disable SSO
Once you have configured SSO in DoiT Console, you can enable or disable SSO using the Enable SSO toggle switch.
Provide information to your IdP
After configuring SSO in the DoiT Console, you need to add information to your IdP to complete the integration between the DoiT Platform and your SAML/OIDC application.
By default, the DoiT Console populates a generic configuration template on the protocols configuration page with the following labels:
- Service provider entity ID (SAML only)
- Callback URL
- IdP login URL
If you use Okta or JumpCloud, you can choose from the Provider drop-down list for a provider-specific configuration template.
Okta OIDC:
- Audience URI (SP Entity ID)
- Single Sign On URL
- Bookmark App URL: See Simulate an IdP-initiated flow using the Bookmark App for more information
Okta SAML:
- Sign-in redirect URI
- Initiate login URI
JumpCloud SAML:
- SP Entity ID
- ACS URL
- Login URL
If you need further assistance, please open a support ticket.
Configure user roles
You can configure DoiT Platform user roles via your IdP by setting the custom attribute `doit_platform_role_id` per user. The value of the attribute must be the role ID of the desired DoiT Platform user role (see Role ID for how to find the role ID in the DoiT Console).
If your IdP doesn't provide a value for `doit_platform_role_id`, the DoiT Platform will assign the default role configured for your organization.
Setting a default role in the DoiT Console doesn't impact existing users, though they might be affected if you explicitly set the default role in your IdP. We suggest that you consult the IdP-specific documentation for more information.
Users are created and updated through the IdP. When you offboard users, they lose access to the DoiT Platform as soon as they are deactivated in the IdP. The DoiT Platform itself doesn't deactivate users.
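How a service provider would consume the `doit_platform_role_id` attribute described above, as an added example that is not DoiT's own code: it reads the attribute from a constructed SAML AttributeStatement and falls back to the organization's default role when the IdP sends none. The role IDs, the default role and the unknown-ID fallback are this example's assumptions; the same lookup applies to an OIDC ID-token claim.

```python
import xml.etree.ElementTree as ET
from typing import Optional

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ROLE_ATTR = "doit_platform_role_id"

# Constructed placeholders: role IDs that exist in a hypothetical org,
# and the default role configured for that org (not real DoiT values).
KNOWN_ROLE_IDS = {"role-admin-0001", "role-viewer-0002"}
ORG_DEFAULT_ROLE_ID = "role-viewer-0002"

# Constructed sample assertions: one carrying the custom attribute, one without.
WITH_ROLE = f"""<saml:Assertion xmlns:saml="{SAML_NS}">
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>user@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{ROLE_ATTR}"><saml:AttributeValue>role-admin-0001</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
WITHOUT_ROLE = f"""<saml:Assertion xmlns:saml="{SAML_NS}">
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>user@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_role_attribute(assertion_xml: str) -> Optional[str]:
    """Return the doit_platform_role_id value from the AttributeStatement, or None.

    Only the attribute lookup is shown; a real SP validates the assertion's
    signature, audience and validity window before trusting any attribute.
    """
    root = ET.fromstring(assertion_xml)
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        if attr.get("Name") == ROLE_ATTR:
            value = attr.find(f"{{{SAML_NS}}}AttributeValue")
            if value is not None and value.text and value.text.strip():
                return value.text.strip()
    return None


def resolve_role(assertion_xml: str) -> str:
    """Map an assertion to a role ID, using the org default when the IdP sends none.

    Treating an unknown ID like a missing one is this example's own choice:
    a typo in the IdP attribute then yields the default role, never an
    undefined one.
    """
    role_id = extract_role_attribute(assertion_xml)
    return role_id if role_id in KNOWN_ROLE_IDS else ORG_DEFAULT_ROLE_ID
```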