Manage Single Sign-On (SSO)

This topic provides detailed steps for enabling and configuring SSO for streamlined authentication.

Access the SSO Setup tab

Do the following:

  1. Hover over the Settings icon at the lower left of your screen. Settings options are displayed.

  2. Click on Access Management.

    The Access Management page is displayed.

  3. Select the SSO Setup tab.

Manage Single Sign-On (SSO)

Single Sign-On (SSO) allows users to log in using their existing credentials from an Identity Provider (IDP), streamlining access and enhancing security. This section provides details on configuring and managing SSO in AlgoSec Cloud.

Note: AlgoSec SaaS applications officially support Microsoft Entra ID (formerly Azure Active Directory) and Okta as SSO providers. Other SAML2 SSO providers may also work. Try to enable following the instructions below. If you encounter difficulties contact AlgoSec support for assistance.

Note: When users log in for the first time, their roles are assigned based on their SSO group. If no mapping exists, the default role is "Auditor." For more information about SSO role mapping, see SSO Group mapping and management.

Important: Users must have a valid email address, surname (last name), given name (first name), and name identifier in the relevant fields of the Identity Provider.

Set SAML attributes as specified by your identity provider.

  • For Entra ID, use:

    • Attribute Name= http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress  Value=user.email

    • Attribute Name=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname and Value= user.surname

    • Attribute Name=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname and Value= user.givenname

    • Attribute Name=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name and Value= user.principalname

    • (optional) Attribute Name=http://schemas.microsoft.com/ws/2008/06/identity/claims/groups and Value= user.groups [Application.Group]

      Note: If you are working with user groups, make sure to set the Source Attribute to sAMAccountName or Cloud-only group display names.

  • Similarly for Okta, use recommended attribute statements:

    • Name=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress and Name Format=URI reference format and Value=user.email)

    • Name=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname and Name Format=URI reference format and Value= user.lastName

    • Name=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname and Name Format=URI reference format and Value= user.firstName

    • Attribute Name=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier and Name Format=URI reference format and Value= user.login

    • (optional) Attribute Name=http://schemas.microsoft.com URI Reference/ws/2008/06/identity/claims/groups and Name Format=URI reference format and Filter= Matches regex:.*

To configure SSO user authentication

  1. In Access Management, click the SSO SETUP tab.

  2. Enter the email of the IT admin associated with your account and click Send Parameters.

    The application parameters are sent to that email address.

    Note: Using the details sent by AlgoSec Cloud, the IT admin generates the XML metadata file needed for the next step.

    Tip for IT department: For more information about Federation Metadata XML, refer to Identity provider documentation.

  3. Upload the XML metadata file provided by the IT admin and then click Activate SSO.

    Once activated, all users in the Users tab can log in with SSO.

    Note:

    • A check appears on the Users tab in the SSO Authenticated column after a user logs in at least one time using SSO.

    • +Add User is disabled for SSO-enabled tenants. Contact your IT department to add additional users.

SSO Group mapping and management

SSO Group mapping gives you flexibility managing your users permissions. You can create groups of users based on their job roles, departments, or other criteria in your identity provider. Then in AlgoSec Cloud, you can associate these SSO Groups to user roles and set their permissions. This enhances security while reducing administrative overhead.

When a new SSO user logs in for the first time:

  • The user's roles are automatically assigned based on their associated SSO Group(s).

  • If no mapping exists, the user's default role is "Auditor."

Additionally, admins can manually edit user roles as needed, even if those users are not part of any SSO Group. This allows for precise and efficient user management. Follow instructions in Edit a user.

To map SSO groups:

Do the following:

Map SSO group(s):

Deactivate / Reactivate SSO

To deactivate SSO: Administrators can deactivate SSO on a tenant by clicking Deactivate SSO.

To reactivate SSO: Administrators can reactivate SSO using the previously stored XML metadata file by clicking Reactivate SSO.