Before you can enable single sign-on (SSO) logon, you must configure an identity provider (IdP) and turn on the switch for SSO Logon in the CloudSSO console. To configure an IdP, you can select Manual Configuration or Upload Metadata File. If you select Manual Configuration, you can configure only the following parameters that are required for SSO logon to take effect: Entity ID, Logon URL, and Certificate. If you need to configure more parameters, first generate the IdP metadata file by using the IdP client and select Upload Metadata File.

Configure an IdP

Before you can enable SSO logon, you must configure an IdP.

  1. Log on to the CloudSSO console.
  2. In the left-side navigation pane, click Settings.
  3. In the SSO Logon section of the Settings page, click Configure IdP.
  4. In the Configure IdP dialog box, select Upload Metadata File or Manual Configuration to configure an IdP.

    You can select Upload Metadata File or Manual Configuration based on your business requirements. You can obtain the required IdP metadata file or information from the IdP.

    • Upload Metadata File

      Click Upload Metadata File to upload the IdP metadata file.

    • Manual Configuration
      • Entity ID: the entity ID of the IdP.
      • Logon URL: the logon URL of the IdP.
      • Certificate: the certificate that is used by the IdP to sign Security Assertion Markup Language (SAML) responses. The certificate must be an X.509 certificate in the Privacy Enhanced Mail (PEM) format. You can click Upload Certificate to upload the certificate issued by the IdP.
  5. Click OK.
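
As an added example that is not part of the CloudSSO documentation: a Python script that pulls the three Manual Configuration values (Entity ID, Logon URL, Certificate) out of an IdP metadata file and converts each signing certificate into the X.509 PEM form the console accepts. It also collects every signing certificate the metadata lists, which is the input you need when rotating SAML signing certificates. The metadata document, the idp.example.com URLs and the placeholder certificate bytes are constructed for this example.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample metadata: the "certificates" are placeholder bytes rather than
# real DER, so this exercises the metadata structure, not certificate parsing.
CERT1_DER, CERT2_DER = b"placeholder-der-cert-1", b"placeholder-der-cert-2"
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      {base64.b64encode(CERT1_DER).decode()}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      {base64.b64encode(CERT2_DER).decode()}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      {base64.b64encode(b"encryption-only").decode()}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="{POST}" Location="https://idp.example.com/sso/post"/>
    <md:SingleSignOnService Binding="{REDIRECT}" Location="https://idp.example.com/sso/redirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def der_b64_to_pem(b64_text):
    # Metadata carries base64 DER; PEM is the same base64 reflowed at 64 chars
    # per line between BEGIN/END markers, which is the form CloudSSO accepts.
    body = base64.b64encode(base64.b64decode("".join(b64_text.split()), validate=True)).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"

def parse_idp_metadata(xml_text):
    """Return the Entity ID, Logon URL and signing certificates (PEM) from IdP metadata."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if root.get("entityID") is None or idp is None:
        raise ValueError("not an IdP metadata document")
    # Only signing keys may verify SAML responses; a KeyDescriptor with no 'use'
    # attribute is valid for both signing and encryption, so it is kept too.
    certs = [der_b64_to_pem(x.text)
             for kd in idp.findall("md:KeyDescriptor", NS) if kd.get("use") in (None, "signing")
             for x in kd.findall(".//ds:X509Certificate", NS)]
    # Prefer the HTTP-Redirect endpoint as the Logon URL, then fall back to any other.
    sso = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    logon_url = sso.get(REDIRECT) or next(iter(sso.values()), None)
    if not certs or logon_url is None:
        raise ValueError("metadata lacks a signing certificate or an SSO endpoint")
    return {"entity_id": root.get("entityID"), "logon_url": logon_url, "signing_certs": certs}
```

Run it against a real metadata file to get the values for the Manual Configuration dialog; the encryption-only certificate is deliberately skipped because it cannot verify SAML response signatures.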

Enable SSO logon

After you configure the IdP, you can enable SSO logon.

Note: After you enable SSO logon, username-password logon is automatically disabled.
  1. In the SSO Logon section of the Settings page, turn on the switch.
  2. In the Enable SSO Logon message, click OK.

Disable SSO logon

Note: After you disable SSO logon, username-password logon is automatically enabled.
  1. In the SSO Logon section of the Settings page, turn off the switch.
  2. In the Disable SSO Logon message, click OK.

Clear IdP information

If SSO logon is disabled, you can clear the IdP information. If SSO logon is enabled, you cannot clear the IdP information.

  1. In the SSO Logon section of the Settings page, click Clear IdP Information.
  2. In the Clear IdP Information message, click OK.

Update IdP information

You can update the IdP information regardless of whether SSO logon is enabled. If you update the IdP information while SSO logon is enabled and the modified IdP information does not match the original information, SSO logon may fail. Proceed with caution.

  1. In the SSO Logon section of the Settings page, click Configure IdP.
  2. In the Configure IdP dialog box, select an option, modify the IdP information, upload a new certificate or an IdP metadata file, and then click OK.

Rotate SAML signing certificates

If you want to periodically rotate the SAML signing certificates that are issued by the IdP, you can upload two certificates. When a user initiates SSO logon, CloudSSO uses both certificates to verify the SAML signature. If the SAML signature is verified by either certificate, the logon is trusted. After you upload two certificates, you can rotate the certificates. If a certificate expires or is no longer required, you can delete the certificate.

  1. In the SSO Logon section of the Settings page, click Manage to the right of SAML Signature Certificate.
  2. In the Certificate dialog box, rotate SAML signing certificates.
    1. Click Upload New Certificate to upload a new certificate that is obtained from the IdP.
    2. Verify that the IdP uses the newly uploaded certificate to sign SAML responses. Make sure that you can log on to the CloudSSO user portal by using the SSO logon method.
    3. Find the old certificate and click Delete in the Actions column. The certificate is deleted.
    4. Click OK. The rotation of SAML signing certificates is complete.