Single sign-on

Single Sign-On (SSO) is a federated identity management mechanism that allows a user to access multiple applications or services with one set of login credentials.

Overview

The DoiT console application supports SSO through authentication protocols Security Assertion Markup Language (SAML) and OpenID Connect (OIDC). To integrate the DoiT console application with identity providers (IdP), you need to:

• Create a SAML or OIDC application at the IdP Side.
• Configure SSO in the DoiT console.

Caution

SSO takes precedence over auth provider settings for end-user sign-in. Once SSO is enabled, end users can no longer sign in with a Google account, Microsoft account, or email and password. Admin users can still use other sign-in options.

This page explains the general steps when implementing SSO for the DoiT console. You can also find IdP-specific instructions on the following pages:

• Configure SSO with Okta
• Configure SSO with Microsoft Entra ID
• Configure SSO with JumpCloud

To integrate DoiT console application with other IdPs, please refer to the IdP's documentation. Below are some reference links (the list is not exhaustive):

• CyberArk Identity
• Google Workspace: Setting up SSO,
• OneLogin
• Ping Identity

Required permission

• Users Manager

Get information for your IdP

The DoiT console generates information that is required by IdPs to create custom applications.

1. Sign in to the DoiT console, select the gear icon () from the top navigation bar, and then select Users and access.

2. Select Single sign-on from the left-hand menu.

3. Select Configure (or Edit configuration) in SAML or OIDC according to your authentication protocol.

   

4. The DoiT console populates a generic configuration template under Add the following information to your provider.

   If your IdP is Okta or JumpCloud, choose it from the Provider drop-down list for a provider-specific configuration template.

   

Create a custom application

Follow the instructions of your IdP to create a SAML or OIDC application.

Configure SSO in the DoiT console

Complete the SSO configuration in the DoiT console:

1. In the DoiT console, select the gear icon () from the top navigation bar, and then select Users and access.

2. Select Single sign-on from the left-hand menu.

3. Select Configure (or Edit configuration) in SAML or OIDC according to your authentication protocol.

4. Enter the configuration values you received from the IdP when creating your application.

   • SAML configuration:

     • Entity ID: Your application's Entity ID (also known as Audience URI)
     • SSO URL: Your application's SSO URL (also known as the Destination URL)
     • Certificate: Your application's signing certificate

   • OIDC configuration:

     • Client ID: Your application's Client ID
     • Issuer URL: Your application's Issuer URL (also known as the metadata Discovery URL)
     • Client secret: Your application's Client Secret

5. (Optional) In Group ID Mapping, assign your SSO Group IDs to specific DoiT roles and organizations in the DoiT console. In Group ID attribute key, enter the group unique identifier associated with your application.

   • Group ID: The group ID of a specific group that you want to map to a DoiT role and organization.

   • DoiT Role: The DoiT role to which you want to map this group.

   • Organization: The organization to which you want to map this group.

6. Save the configuration. This will automatically enable SSO. You'll be asked to confirm the action before it's executed.

You can also use the toggle switch to enable or disable SSO. If you have configured both SAML and OIDC, you can switch the active protocol by selecting the corresponding radio button.