CloudSSO: Configure SSO

Last Updated: Dec 22, 2023

Before you can enable single sign-on (SSO), you must configure an identity provider (IdP) and turn on the switch for SSO Logon in the CloudSSO console. To configure an IdP, you can select Manual Configuration or Upload Metadata File. If you select Manual Configuration, you can configure only the following parameters that are required for SSO to take effect: Entity ID, Logon URL, and Certificate. If you need to configure more parameters, create the IdP metadata file by using the IdP client and select Upload Metadata File.

Configure an IdP

Before you can enable SSO logon, you must configure an IdP.

  1. Log on to the CloudSSO console.

  2. In the left-side navigation pane, click Settings.

  3. In the IdP Information section of the SSO Logon section, click Configure IdP.

  4. In the Configure IdP dialog box, select Upload Metadata File or Manual Configuration to configure an IdP.

    You can select Upload Metadata File or Manual Configuration based on your business requirements. You can obtain the required IdP metadata file or information from the IdP.

    • Upload Metadata File

      Click Upload Metadata File to upload the IdP metadata file.

    • Manual Configuration

      • Entity ID: the entity ID of the IdP.

      • Logon URL: the logon URL of the IdP.

      • Certificate: the certificate that is used by the IdP to sign Security Assertion Markup Language (SAML) responses. The certificate must be an X.509 certificate in the Privacy Enhanced Mail (PEM) format. You can click Upload Certificate to upload the certificate issued by the IdP.

  5. Click OK.

Enable SSO

After you configure the IdP, you can enable SSO.

Note

After you enable SSO, username-password logon is automatically disabled.

  1. In the SSO Logon section, turn on the switch.

  2. In the Enable SSO Logon message, click OK.

Disable SSO

Note

After you disable SSO, username-password logon is automatically enabled.

  1. In the SSO Logon section, turn off the switch.

  2. In the Disable SSO Logon message, click OK.

Obtain the service provider (SP) metadata file

In the SP Information section of the SSO Logon section, click Download SP Metadata File. The SP metadata file is required when you configure SSO in your IdP. You can also view or copy the values of the ACS URL and Entity ID parameters. The values are required when you manually configure your IdP.

Note

If you enabled the accelerated URL feature, you can use the accelerated ACS URL when you configure SSO in your IdP. For more information, see Accelerate access from outside the Chinese mainland.

Clear IdP information

You can clear the IdP information only while SSO is disabled. If SSO is enabled, you cannot clear the IdP information.

Warning

If the IdP information is cleared, SSO fails.

  1. In the IdP Information section of the SSO Logon section, click Clear IdP Information.

  2. In the Clear IdP Information message, click OK.

Update IdP information

You can update the IdP information regardless of whether SSO is enabled. If you update the IdP information when SSO is enabled, and the modified IdP information does not match the original information, SSO may fail. Proceed with caution.

  1. In the IdP Information section of the SSO Logon section, click Configure IdP.

  2. In the Configure IdP dialog box, select an option, modify the IdP information, upload a new certificate or an IdP metadata file, and then click OK.

Rotate SAML signing certificates

If you want to periodically rotate the SAML signing certificates that are issued by the IdP, you can upload two certificates. When a user initiates SSO, CloudSSO uses both certificates to verify the SAML signature. If the SAML signature is verified by either certificate, the logon is trusted. After you upload two certificates, you can rotate the certificates. If a certificate expires or is no longer required, you can delete the certificate.

Warning

If you delete a SAML signing certificate that is in use, SSO fails. Proceed with caution.

  1. In the IdP Information section of the SSO Logon section, click Manage to the right of SAML Signature Certificate.

  2. In the Certificate dialog box, rotate SAML signing certificates.

    1. Click Upload New Certificate to upload a new certificate that is obtained from the IdP.

    2. Verify that the IdP uses the newly uploaded certificate to sign SAML responses. Make sure that you can log on to the CloudSSO user portal by using the SSO method.

    3. Find the old certificate and click Delete in the Actions column to delete the certificate.

    4. Click OK. The rotation of SAML signing certificates is complete.
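The two-certificate trust rule and the rotation order above, as an added Go example that is not CloudSSO's own code: the hypothetical TrustStore type uses raw RSA public keys and an RSA/SHA-256 signature over a byte string as stand-ins for the uploaded X.509 certificates and the XML signature on a SAML response, and Rotate refuses to delete the old key until the IdP is observed signing with the new one.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// TrustStore models the rule described above: up to two trusted IdP signing
// keys (the public keys of the uploaded X.509 certificates); a SAML signature
// is trusted if either verifies it. Hypothetical helper, not CloudSSO code.
type TrustStore struct{ Keys []*rsa.PublicKey }

// VerifiedBy returns the key that verifies the RSA-PKCS1v15/SHA-256 signature
// over msg (standing in for the SAML response signature check), or nil.
func (t *TrustStore) VerifiedBy(msg, sig []byte) *rsa.PublicKey {
	h := sha256.Sum256(msg)
	for _, k := range t.Keys {
		if rsa.VerifyPKCS1v15(k, crypto.SHA256, h[:], sig) == nil {
			return k
		}
	}
	return nil
}

// Rotate follows the page's order: upload the new key, confirm the IdP already
// signs with it (sig over a fresh response msg), and only then drop the old key.
func (t *TrustStore) Rotate(newK *rsa.PublicKey, msg, sig []byte) error {
	switch {
	case len(t.Keys) == 1:
		t.Keys = append(t.Keys, newK) // step 1: upload the new certificate
	case len(t.Keys) == 2 && t.Keys[1] == newK: // already uploaded, IdP not switched yet
	default:
		return errors.New("store must hold the current certificate and at most the new one")
	}
	if t.VerifiedBy(msg, sig) != newK { // step 2: IdP must already sign with it
		return errors.New("IdP not yet signing with the new certificate; old one kept")
	}
	t.Keys = []*rsa.PublicKey{newK} // step 3: delete the old certificate
	return nil
}

// Sign is the IdP side: sign msg with the IdP private key.
func Sign(key *rsa.PrivateKey, msg []byte) []byte {
	h := sha256.Sum256(msg)
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	return sig
}
```

While both keys are present, responses signed with either verify; once the old key is deleted, a response still signed with it is rejected, which is the failure the warning above describes.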