This topic describes how to configure single sign-on (SSO) in IDaaS.
SSO must be configured before it can be used.
This topic describes the following SSO configuration items, all of which are on the Sign-In tab and are common to all applications:
SSO status
Application account
Authorization scope
For more information about the configuration steps, see the documentation for different application templates.
| Application template type | Protocol | References |
| --- | --- | --- |
| Pre-integrated templates in the application marketplace | SAML 2.0 | |
| Standard protocol - Security Assertion Markup Language (SAML) | SAML 2.0 | |
| Standard protocol - OpenID Connect (OIDC) | OIDC | |
| Custom applications | OIDC | |
SSO status
When an application is activated, all of its features are disabled. To simplify configuration, the SSO status is automatically changed to Enabled. You must click Save for the change to take effect.
Applications whose SSO feature is disabled are not displayed in the user portal.
Application account
An application account is the unique identifier of a user in the application. When a user initiates an SSO request to an application, IDaaS passes the application account to the application. Then, the application puts the account in the logged-on state to implement SSO.
Therefore, if the application has existing accounts, check whether these accounts are mapped to the accounts in IDaaS. If not, perform batch synchronization for users or create accounts in the application in advance.
For applications that use the SAML protocol, you can configure application account rules in the application. For more information, see Configure accounts for a SAML-based application.
For OIDC-based applications or custom applications, IDaaS passes the relevant values in the id_token. For more information, see Enter OIDC id_token extended values.
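The following added example (not IDaaS code or part of this documentation) shows the application side of the account mapping described above: it verifies an id_token, reads the application account from it, and refuses sign-on when that account has no matching account in the application. The issuer, audience, HS256 shared secret and the claim name app_account are constructed assumptions; the signing method IDaaS actually uses is not stated on this page.

```python
import base64, hashlib, hmac, json, time

# Constructed demo values; the real issuer, audience and signing method are not on this page.
ISSUER = "https://idaas.example.invalid"
CLIENT_ID = "demo-app"
SECRET = b"constructed-shared-secret"
# Assumed name of the id_token extended value that carries the application account.
ACCOUNT_CLAIM = "app_account"
# Accounts that already exist in the application (constructed sample data).
APP_ACCOUNTS = {"alice", "bob"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_id_token(claims: dict) -> str:
    """Build an HS256 id_token (demo stand-in for the token IDaaS issues)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def resolve_account(id_token: str, now=None) -> str:
    """Verify the id_token and return the application account it maps to.

    Raises ValueError if the token is invalid, expired, or names an unmapped account.
    """
    now = time.time() if now is None else now
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, payload, sig = parts
    if json.loads(_unb64url(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never accept 'none' or a downgraded alg
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(payload))
    if claims.get("iss") != ISSUER or claims.get("aud") != CLIENT_ID:
        raise ValueError("wrong issuer or audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    account = claims.get(ACCOUNT_CLAIM)
    if account not in APP_ACCOUNTS:
        # Unmapped accounts are rejected rather than silently created.
        raise ValueError(f"account {account!r} not mapped; sync users or create it first")
    return account
```

An account that IDaaS passes but the application does not know is the case the text warns about: batch synchronization or creating the account in advance is what makes the lookup succeed.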
Authorization scope
You can select one of the options to specify the users who can access the application.
| Option | Description |
| --- | --- |
| All Users | All accounts in IDaaS can access the application without additional authorization. |
| Manually | You must specify the organizations and accounts that can access the application on the Authorize tab of the application. For more information, see Grant access to an application. |