Manage Single Sign-On (SSO)
This topic provides detailed steps for enabling and configuring SSO for streamlined authentication.
Access the SSO Setup tab
Do the following:
-
Hover over the Settings icon at the lower left of your screen. Settings options are displayed.
-
Click on Access Management.
The Access Management page is displayed.
-
Select the SSO Setup tab.
Manage Single Sign-On (SSO)
Single Sign-On (SSO) allows users to log in using their existing credentials from an Identity Provider (IDP), streamlining access and enhancing security. This section provides details on configuring and managing SSO in AlgoSec Cloud.
Note: AlgoSec SaaS applications officially support Microsoft Entra ID (formerly Azure Active Directory) and Okta as SSO providers. Other SAML2 SSO providers may also work. Try to enable following the instructions below. If you encounter difficulties contact AlgoSec support for assistance.
Note: When SSO is enabled, users appear on the Access Management page USERS tab only after first login. They are assigned a default system role Auditor, which can be edited later.
Important: Users must have a valid email address, surname (last name), given name (first name), and name identifier in the relevant fields of the Identity Provider.
Set SAML attributes as specified by your identity provider.
-
For Entra ID, use:
-
Attribute Name= http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress Value=user.email
-
Attribute Name=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname and Value= user.surname
-
Attribute Name=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname and Value= user.givenname
-
Attribute Name=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name and Value= user.principalname
-
(optional) Attribute Name=http://schemas.microsoft.com/ws/2008/06/identity/claims/groups and Value= user.groups [Application.Group]
Note: If you are working with user groups, make sure to set the Source Attribute to sAMAccountName or Cloud-only group display names.
-
-
Similarly for Okta, use recommended attribute statements:
-
Name=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress and Name Format=URI reference format and Value=user.email)
-
Name=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname and Name Format=URI reference format and Value= user.lastName
-
Name=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname and Name Format=URI reference format and Value= user.firstName
-
Attribute Name=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier and Name Format=URI reference format and Value= user.login
-
(optional) Attribute Name=http://schemas.microsoft.com URI Reference/ws/2008/06/identity/claims/groups and Name Format=URI reference format and Filter= Matches regex:.*
-
To configure SSO user authentication
-
In Access Management, click the SSO SETUP tab.
-
Enter the email of the IT admin associated with your account and click Send Parameters.
The application parameters are sent to that email address.
Note: Using the details sent by ObjectFlow, the IT admin generates the XML metadata file needed for the next step.
Tip for IT department: For more information about Federation Metadata XML, refer to Identity provider documentation.
-
Upload the XML metadata file provided by the IT admin and then click Activate SSO.
Once activated, all users in the Users tab can log in with SSO.
Deactivate / Reactivate SSO
To deactivate SSO: Administrators can deactivate SSO on a tenant by clicking Deactivate SSO.
To reactivate SSO: Administrators can reactivate SSO using the previously stored XML metadata file by clicking Reactivate SSO.