Single sign-on

Single Sign-On (SSO) is a federated identity management mechanism that allows a user to access multiple applications or services with one set of login credentials.

Overview

The DoiT console application supports SSO through authentication protocols Security Assertion Markup Language (SAML) and OpenID Connect (OIDC). To integrate the DoiT console application with identity providers (IdP), you need to:

• Create a SAML or OIDC application at the IdP Side.
• Configure SSO in the DoiT console.

Caution

SSO takes precedence over auth provider settings for end-user sign-in. Once SSO is enabled, end users can no longer sign in with a Google account, Microsoft account, or email and password. Admin users can still use other sign-in options.

This page explains the general steps when implementing SSO for the DoiT console. You can also find IdP-specific instructions on the following pages:

• Configure SSO with Okta
• Configure SSO with Microsoft Entra ID
• Configure SSO with JumpCloud

To integrate DoiT console application with other IdPs, please refer to the IdP's documentation. Below are some reference links (the list is not exhaustive):

• CyberArk Identity
• Google Workspace: Setting up SSO,
• OneLogin
• Ping Identity

Required permission

• Users Manager

Get information for your IdP

The DoiT console generates information that is required by IdPs to create custom applications.

1. Sign in to the DoiT console, select the gear icon () from the top navigation bar, and then select Users and access.

2. Select Single sign-on from the left-hand menu.

3. Select Configure (or Edit configuration) in SAML or OIDC according to your authentication protocol.

   

4. The DoiT console populates a generic configuration template under Add the following information to your provider.

   If your IdP is Okta or JumpCloud, choose it from the Provider drop-down list for a provider-specific configuration template.

   

Create a custom application

Follow the instructions of your IdP to create a SAML or OIDC application.

Configure SSO in the DoiT console

Complete the SSO configuration in the DoiT console:

1. In the DoiT console, select the gear icon () from the top navigation bar, and then select Users and access.

2. Select Single sign-on from the left-hand menu.

3. Select Configure (or Edit configuration) in SAML or OIDC according to your authentication protocol.

4. Enter the configuration values you received from the IdP when creating your application.

   • SAML configuration:

     • Entity ID: Your application's Entity ID (also known as Audience URI)
     • SSO URL: Your application's SSO URL (also known as the Destination URL)
     • Certificate: Your application's signing certificate

   • OIDC configuration:

     • Client ID: Your application's Client ID
     • Issuer URL: Your application's Issuer URL (also known as the metadata Discovery URL)
     • Client secret: Your application's Client Secret

5. Save the configuration. This will automatically enable SSO. You'll be asked to confirm the action before it's executed.

You can also use the toggle switch to enable or disable SSO. If you have configured both SAML and OIDC, you can switch the active protocol by selecting the corresponding radio button.

Configure user roles

You can configure DoiT Platform user roles via your IdP by setting the custom attribute doit_platform_role_id per user. The value of the attribute must be the role ID of the desired DoiT Platform user role (See Role ID for how to find the role ID in the DoiT console.)

If your IdP doesn't provide a value for doit_platform_role_id, the DoiT Platform will assign the default role of your organization to new users.

Setting a default role in the DoiT console doesn't impact existing users, though they might be affected if you explicitly set the default role in your IdP. We suggest that you consult the IdP-specific documentation for more information.

Configure user organizations

You can configure DoiT Platform user organization via your IdP by setting the custom attribute doit_platform_org_id per user. The value of the attribute must be the organization ID of the desired DoiT Platform user organization

If your IdP doesn't provide a value for doit_platform_org_id, no organization will be assigned to the user.

Note

Users are created and updated through the IdP. When you off board users, once they are deactivated in the IdP, they lose access to the DoiT Platform. The DoiT Platform itself doesn't deactivate users.