Before you connect Paligo to your SSO service, make sure you have set up your SSO service. It needs to be able to provide user authentication data to Paligo. As part of the setup, you will export a metadata file that you will be able to import into Paligo.
When the SSO service is set up, you can connect Paligo to it:
- Sign in to Paligo using a user account that has administrator permissions.
- Select the avatar in the top-right corner.
- Select Settings from the menu.
- Select the Integrations tab.
- Select Add in the SAML 2.0 section to expand the connection settings.
- Enter the Provider Name, a display name for the SSO service, for example, Okta or JumpCloud.
- Select Upload metadata file and select the metadata file that you exported from the SSO service when it was set up.
- In most cases, you can leave the Advanced Settings section alone. These settings are filled in automatically from the SAML metadata XML file you uploaded in the previous step. If, for some reason, a value needs to be added or changed, you can edit it manually:
  - Entity ID - The identifier of the identity provider (IdP). It is sometimes called the identity provider issuer, and it is the value the SSO service sends as the Issuer in its SAML responses.
  - SSL Certificate - The X.509 certificate of the SSO service, taken from the metadata. The SSO service signs its SAML responses with the private key that matches this certificate, and Paligo uses the certificate to verify those signatures, so a stale or mismatched certificate here makes every SSO sign-in fail.
  - Single Signon Service URL - The address of the single sign-on service, to which Paligo sends its authentication requests.
  - Single Signout Service URL - The address of the single sign-out (single logout) service, if used. When it is set, logging out of Paligo also logs the user out of the SSO service, not just Paligo. Leave it empty if the feature is not used.
- Check the Enable sign-in alternative checkbox so that users can still sign in to Paligo with a username and password as well as with SSO. This is important the first time you set up SSO: if there is an error in the configuration, you need to be able to log in to Paligo without SSO to fix it.
- Check Force authentication to set the forceAuthn parameter to true in the request to the identity provider. The user then has to authenticate again even if they already have an active session with the IdP.
- Check the Enable SSO box to activate single sign-on.
- Select Save.
- Log out of Paligo.
- Log back in again. You should now see an SSO sign-in option that, when selected, logs you in to Paligo.
Note
If you do not see the SSO sign-in option, or if the SSO sign-in attempt is unsuccessful, log in with your username and password and check that you have completed the steps described in this topic correctly.
Failed SSO sign-ins are usually caused by incorrect configuration in the SSO service. Make sure that you have entered the correct URLs and have mapped the correct attributes for firstname, lastname and email.
The most common error is an incorrectly configured user group in the SSO service. The SSO service must be able to provide Paligo with the username, email, and user group attributes. For more information on the SSO service settings, see Connect an SSO Service to Paligo.
- Once SSO works as expected, return to the SAML 2.0 settings (Settings, then the Integrations tab).
- Clear the Enable sign-in alternative checkbox.
  With this option disabled, users can no longer log in with a username and password; they have to use SSO.
- Select Save.