Before you can enable single sign-on (SSO) logon, you must configure an identity provider (IdP) and turn on the switch for SSO Logon in the CloudSSO console. To configure an IdP, you can select Manual Configuration or Upload Metadata File. If you select Manual Configuration, you can configure only the following parameters that are required for SSO logon to take effect: Entity ID, Logon URL, and Certificate. If you need to configure more parameters, first generate the IdP metadata file by using the IdP client and select Upload Metadata File.
Configure an IdP
Before you can enable SSO logon, you must configure an IdP.
Enable SSO logon
After you configure the IdP, you can enable SSO logon.
- In the SSO Logon section of the Settings page, turn on the switch.
- In the Enable SSO Logon message, click OK.
Disable SSO logon
- In the SSO Logon section of the Settings page, turn off the switch.
- In the Disable SSO Logon message, click OK.
Clear IdP information
If SSO logon is disabled, you can clear the IdP information. If SSO logon is enabled, you cannot clear the IdP information.
- In the SSO Logon section of the Settings page, click Clear IdP Information.
- In the Clear IdP Information message, click OK.
Update IdP information
You can update the IdP information regardless of whether SSO logon is enabled. If you update the IdP information when SSO logon is enabled, and the modified IdP information does not match the original information, SSO logon may fail. Proceed with caution.
- In the SSO Logon section of the Settings page, click Configure IdP.
- In the Configure IdP dialog box, select an option, modify the IdP information, upload a new certificate or an IdP metadata file, and then click OK.
Rotate SAML signing certificates
If you want to periodically rotate the SAML signing certificates that are issued by the IdP, you can upload two certificates. When a user initiates SSO logon, CloudSSO uses both certificates to verify the SAML signature. If the SAML signature is verified by either certificate, the logon is trusted. After you upload two certificates, you can rotate the certificates. If a certificate expires or is no longer required, you can delete the certificate.
- In the SSO Logon section of the Settings page, click Manage to the right of SAML Signature Certificate.
- In the Certificate dialog box, rotate the SAML signing certificates:
  - Click Upload New Certificate to upload a new certificate that is obtained from the IdP.
  - Verify that the IdP uses the newly uploaded certificate to sign SAML responses. Make sure that you can log on to the CloudSSO user portal by using the SSO logon method.
  - Find the old certificate and click Delete in the Actions column. The certificate is deleted.
- Click OK. The rotation of SAML signing certificates is complete.
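The dual-certificate trust rule described above, written out as an added example (not CloudSSO's own code): a verifier that holds at most two IdP certificates, trusts a signature if any registered, unexpired certificate verifies it, and drops the old certificate once the IdP has switched. It assumes RSA keys and checks a detached RSA-SHA256 signature over the response bytes as a stand-in for the XML-DSig check on a real SAML response; certVerifier, selfSignedCert and sign are names chosen here.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"math/big"
	"time"
)

// certVerifier models the rule in the text: at most two IdP signing certificates are registered,
// and a SAML signature is trusted if ANY registered, unexpired certificate verifies it.
type certVerifier struct{ certs []*x509.Certificate }

// add registers an IdP certificate; a third one is refused (two slots, as in the console).
func (v *certVerifier) add(c *x509.Certificate) bool {
	if len(v.certs) >= 2 { return false }
	v.certs = append(v.certs, c)
	return true
}
// remove drops the certificate with the given serial number (the "Delete" step above).
func (v *certVerifier) remove(serial int64) {
	for i, c := range v.certs {
		if c.SerialNumber.Int64() == serial { v.certs = append(v.certs[:i], v.certs[i+1:]...); return }
	}
}
// verify checks an RSA-SHA256 signature over msg against every registered certificate; expired ones are skipped.
func (v *certVerifier) verify(msg, sig []byte, now time.Time) bool {
	digest := sha256.Sum256(msg)
	for _, c := range v.certs {
		if now.Before(c.NotBefore) || now.After(c.NotAfter) { continue } // expired: never trusted
		pub, ok := c.PublicKey.(*rsa.PublicKey)
		if ok && rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil { return true }
	}
	return false
}
// selfSignedCert builds a constructed IdP certificate for this example (hypothetical IdP, RSA keys assumed).
func selfSignedCert(key *rsa.PrivateKey, serial int64, notAfter time.Time) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), NotBefore: time.Now().Add(-time.Hour), NotAfter: notAfter}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert
}
// sign is the IdP side of the same stand-in scheme.
func sign(key *rsa.PrivateKey, msg []byte) []byte {
	digest := sha256.Sum256(msg)
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return sig
}
```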