SSO
This page summarizes how to set up SSO with an external Identity Provider.
Overview
The Single Sign-On (SSO) feature allows users to authenticate to the aedifion.io platform using their organization's own Identity Provider (IdP).
SSO allows users to authenticate once and gain access to multiple applications without needing to log in again for each one. The IdP manages the authentication process, leveraging a single set of credentials for all integrated services. This improves security, reduces password fatigue, and enhances user productivity by streamlining the login process across various applications.
Dedicated Deployment
The Enterprise SSO feature is only available on Dedicated Deployments of the aedifion.io platform. Please contact sales@aedifion.com for purchasing a Dedicated Deployment.
The aedifion.io platform can authenticate users via OIDC and SAML, i.e., any third-party IdP that supports one of these protocols can be integrated. The following sections give detailed instructions for setting up popular IdPs, but the SSO feature is not limited to them.
Once the SSO integration is set up and working, it will do the following:
- Any user authenticated and authorized by the IdP is granted access to the aedifion.io platform.
- If the user, identified by their email address, already exists on the aedifion.io platform, the existing user account is linked to the user account on the IdP.
- If the user does not yet exist on the aedifion.io platform, a new user account is created on the aedifion.io platform and then linked to the user account on the IdP. The new user account is not assigned any roles by default and thus cannot access any projects.
Groups and roles
Note that the SSO integration only authenticates users and authorizes them to use the aedifion.io platform. However, it does not transfer group memberships or any roles that might exist on the IdP, since there is no standardized way to map these onto the company and project roles on the aedifion.io platform.
Azure Active Directory
Azure AD can be integrated via OIDC or SAML.
Self service
Setting up SSO via Azure AD is not available via self-service and requires contacting the aedifion support. You can choose between OIDC-based and SAML-based SSO. Depending on your choice, you will receive a REDIRECT URI (for OIDC) or an ENTITY ID and REPLY URL (for SAML).
Screenshots
The screenshots in this article were taken in July 2024 on a (more or less) vanilla Microsoft Azure portal. Please note that they might differ from what you see, for various reasons:
- Design changes made by Microsoft since
- Custom settings and brandings due to your organization
- Your individual role(s) and associated access rights
OIDC-based Setup
- On the Azure portal, navigate to App registrations.
- Click "New registration" and provide the following information:
  - Set a name that identifies this application to the user who logs in to it. We recommend the name "aedifion.io", but you can choose freely.
  - Keep "Supported account types" limited to "Accounts in this organizational directory only (Single tenant)", which is the safe default.
  - Select "Web" for Redirect URI and enter the REDIRECT URI obtained from the aedifion support.
- In the newly registered application, go to "Manage" → "Certificates & secrets" → "New client secret" to generate a secret.
  - The client secret will be used by the aedifion.io IdP to connect to your IdP, so "aedifion.io IdP" is a sensible name for the secret, but you can choose it freely.
  - Choose an expiry in line with your organizational policies and keep in mind that SSO will cease to work once this secret expires.
  - Copy or note the secret's value now, as you won't be able to retrieve it once you close the view.
- By default, everyone in your organization can now sign up and sign in to your dedicated aedifion.io deployment. If access is to be restricted:
  - On the Azure portal, navigate to Enterprise Applications.
  - Locate the created application, e.g., using the search.
  - Go to "Manage" → "Properties" and switch "Assignment required" to "Yes".
  - Under "Manage" → "Users and groups", grant users and/or groups access to the application.
- Finally, send the following data to your aedifion contact person through a secure channel:
  - From "Overview" → "Endpoints": the "OpenID Connect metadata document", a URL that looks like this: https://login.microsoftonline.com/<TENANT ID>/v2.0/.well-known/openid-configuration
  - From "Overview" → "Essentials": the "Application (client) ID", a UUID string.
  - The "Value" of the secret generated in the previous step, a random string.
- The aedifion support will validate your information and set up the SSO integration on your dedicated aedifion.io platform instance, after which it is ready to use.
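Before handing the three values to your aedifion contact, it is worth checking them the way the receiving side will: the metadata URL must point at your tenant, the discovery document it serves must name that same tenant as issuer and expose the endpoints a relying party needs, the client ID must be a UUID, and the secret's expiry must leave enough time before SSO silently stops working. The script below is an added example and not aedifion's code; it runs offline on a constructed discovery document with a placeholder tenant ID, and in practice you would fetch the metadata URL with an HTTP client instead of using the embedded sample.

```python
"""Pre-flight check of the OIDC values collected in the steps above.
Added example, not aedifion's code. Tenant/client IDs are placeholders and the
discovery document is constructed to mirror the Azure AD v2.0 layout."""
import json
import re
import uuid
from datetime import date
from urllib.parse import urlparse

# Endpoints an OIDC relying party needs from the discovery document.
REQUIRED_KEYS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")

# Shape of the "OpenID Connect metadata document" URL shown in the Azure portal.
METADATA_RE = re.compile(
    r"^https://login\.microsoftonline\.com/([0-9a-f-]{36})"
    r"/v2\.0/\.well-known/openid-configuration$"
)


def tenant_from_metadata_url(url: str) -> str:
    """Return the tenant ID embedded in the metadata URL, or raise ValueError."""
    m = METADATA_RE.match(url)
    if not m:
        raise ValueError(f"not an Azure AD v2.0 OIDC metadata URL: {url}")
    return m.group(1)


def check_client_id(client_id: str) -> bool:
    """The Application (client) ID is a hyphenated UUID; anything else is a copy error."""
    try:
        return str(uuid.UUID(client_id)) == client_id.lower()
    except ValueError:
        return False


def check_discovery(doc: dict, tenant_id: str) -> list:
    """Return the problems found in a discovery document (empty list means OK)."""
    problems = [f"missing {k}" for k in REQUIRED_KEYS if k not in doc]
    issuer = doc.get("issuer", "")
    # The v2.0 issuer embeds the tenant ID; a mismatch means the wrong tenant.
    if issuer and tenant_id not in issuer:
        problems.append(f"issuer {issuer} does not belong to tenant {tenant_id}")
    for k in REQUIRED_KEYS:
        if k in doc and urlparse(doc[k]).scheme != "https":
            problems.append(f"{k} is not served over https")
    return problems


def secret_days_left(expires: date, today: date) -> int:
    """Days until the client secret expires; SSO stops working when it reaches 0."""
    return (expires - today).days


def preflight(metadata_url: str, client_id: str, discovery: dict,
              secret_expiry: date, today: date, warn_days: int = 30) -> list:
    """Run all checks and return the list of problems to fix before sending the data."""
    tenant = tenant_from_metadata_url(metadata_url)
    problems = check_discovery(discovery, tenant)
    if not check_client_id(client_id):
        problems.append("Application (client) ID is not a UUID")
    days = secret_days_left(secret_expiry, today)
    if days <= warn_days:
        problems.append(f"client secret expires in {days} days; rotate it first")
    return problems


# Constructed sample values (placeholders, not a real tenant or application).
SAMPLE_TENANT = "11111111-2222-3333-4444-555555555555"
SAMPLE_CLIENT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
SAMPLE_METADATA_URL = (
    f"https://login.microsoftonline.com/{SAMPLE_TENANT}"
    "/v2.0/.well-known/openid-configuration"
)
SAMPLE_DISCOVERY = json.loads(f"""{{
  "issuer": "https://login.microsoftonline.com/{SAMPLE_TENANT}/v2.0",
  "authorization_endpoint": "https://login.microsoftonline.com/{SAMPLE_TENANT}/oauth2/v2.0/authorize",
  "token_endpoint": "https://login.microsoftonline.com/{SAMPLE_TENANT}/oauth2/v2.0/token",
  "jwks_uri": "https://login.microsoftonline.com/{SAMPLE_TENANT}/discovery/v2.0/keys"
}}""")

if __name__ == "__main__":
    found = preflight(SAMPLE_METADATA_URL, SAMPLE_CLIENT_ID, SAMPLE_DISCOVERY,
                      secret_expiry=date(2026, 7, 1), today=date(2024, 7, 1))
    print("OK" if not found else "\n".join(found))
```

The secret value itself is deliberately not part of the check: it is only ever pasted into the secure channel, never into a script or log.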
SAML-based Setup
- On the Azure portal, navigate to Enterprise Applications, then go to "Manage" → "All Applications".
- Click "New Application", then "Create your own application", and provide the following information:
  - Set a name that identifies this application to the user who logs in to it. We recommend "aedifion.io", but you can choose freely.
  - This application is meant to "Integrate any other application you don't find in the gallery (Non-gallery)".
- You will be taken to your newly created app. If not, go to Enterprise Applications and search by name to find it.
- In your newly created app, go to "Overview" and, in the "Getting Started" section, click "Set up single sign on".
- Select "SAML" and, in Point 1 "Basic SAML configuration", set the two required fields:
  - For "Identifier (Entity ID)", enter the ENTITY ID obtained from the aedifion support.
  - For "Reply URL", enter the REPLY URL obtained from the aedifion support.
  Don't forget to save.
- In your application, go to Point 3, the "SAML Certificates" section, copy the "App Federation Metadata Url" and send it to your aedifion contact person.
- By default, only assigned users in your organization can now sign up and sign in to your dedicated aedifion.io deployment. Either go to "Manage" → "Properties" and switch "Assignment required" to "No" to enable access for all users in your organization, or go to "Manage" → "Users and groups" and assign users and/or groups access to the application.
- The aedifion support will validate your information and set up the SSO integration on your dedicated aedifion.io platform instance, after which it is ready to use.