
Identity as a Service:Configure SSO

Last Updated:Nov 04, 2024

This topic describes how to configure single sign-on (SSO) in Identity as a Service (IDaaS).

You must configure SSO before you can implement SSO.

This topic describes the following SSO configuration items that are common to all applications:

  • SSO status

  • Application account

  • Authorized scope

For more information about the configuration steps, see the documentation for different application templates.

Application template type                                      Protocol  References
Pre-integrated templates in the application marketplace        SAML 2.0  Configure an application
Standard protocol - Security Assertion Markup Language (SAML)  SAML 2.0  Configure SAML 2.0 SSO
Standard protocol - Open ID Connect (OIDC)                     OIDC      Configure OIDC SSO
Self-developed applications                                    OIDC      Configure SSO for a self-developed application

SSO status

After you activate an application, all features of the application are disabled. To facilitate configuration, the SSO status is automatically changed to Enabled. You must click Save to allow the change to take effect.

Applications for which the SSO feature is disabled are not displayed in the user portal.

Application account

An application account is the unique identifier of a user in the application. When a user sends an SSO request to an application, IDaaS passes the application account to the application. Then, the application places the account in the logged-on state to implement SSO.

If accounts exist in the application, check whether the accounts are mapped to the accounts in IDaaS. If the accounts are not mapped to the accounts in IDaaS, perform batch synchronization for users or create accounts in the application in advance.

For SAML-based applications, you can configure application account rules in the applications. For more information, see Configure accounts for a SAML-based application.

For OIDC-based applications or self-developed applications, IDaaS passes the relevant values in the id_token. For more information, see Enter OIDC id_token extended values.

Authorized scope

You can select one of the following options to specify the users who can access the application.

Option     Description
All Users  All accounts in IDaaS can access the application without the need for additional authorization.
Manually   You must specify the organizations and accounts that can access the application on the Authorize tab of the application. For more information, see Application authorization.