OneCloud administrators are able to configure users within their company to login via Single Sign-On. Through the use of SAML (Security Assertion Markup Language), it is possible to access a OneCloud tenant with credentials stored by another identity provider.
Identity Provider (IdP) specific instructions
OneCloud's implementation of SSO is not specific to any particular provider, but the documentation has been created for the following providers:
If a user belongs to the Admin Group, then SAML can be configured. Navigate to the Admin -> Users & Groups -> SAML and the SAML settings form will open.
The selected Identity Provider (IdP) should provide an XML file (usually referred to as “Identity Provider metadata”) to download. When this file is available, drop or click to upload the identity provider's XML file. In order to successfully upload the file, ensure that the file is a valid XML document and that the file's extension is ".XML".
Once a valid file has been upload, clicked “Save”, and a variety of new fields will appear. The first field will be a single sign-on URL for a particular company. Any user that follows this link will be logged into the OneCloud platform, provided they are configured to use SSO. Below is a sample of the fields that will appear after a valid IdP file is uploaded.
Next step - configure the IdP
The fields in the OneCloud service provider details section are used to configure a particular IdP to interact with the OneCloud platform and log a user in successfully. By default, OneCloud supports both service provider-initiated login and identity provider-initiated login, so there should not be any additional configuration required to allow for both types of login.
📓 Provider-specific documentation
Please see the identity provider-specific instructions above for additional provider-specific documentation.
Configuring users in OneCloud to use SSO
SSO is not enabled by default for existing users, so each user will need to be edited in the admin panel to ensure they are bound to login via SSO. Once a user is set to login via SSO, they can no longer access the application with a username and password. For this reason, it is highly recommended to provision at least one admin user without SSO to ensure that provider outages do not impact your ability to access the OneCloud platform. From here, enable or disable a user’s ability to use single sign-on by toggling the checkbox. If a change is made, a warning message will appear to confirm the change and that the user will have to change their password if SSO is disabled. Click “Save” to confirm the changes.
📓 Must be an admin user in order to perform this function.
Configure a User to Login via SSO
To configure a user to login via SSO, navigate to Admin -> Users & Groups -> Users and select a user and enable SSO. Click on the edit button on the right side of the user that needs to be edited. From here, enable or disable a user’s ability to use single sign-on by toggling the checkbox. If change is made, a warning message will appear, notifying that the user will have to change their password if SSO is disabled. Click “Save” to confirm the changes. When the change is made, users are notified individually via email.
📓 SSO is Enabled?
If SSO is enabled, the user will not be able to login with their old password.
Users should now be able to login with SSO after the change is made. As mentioned above, the login can be initiated from your IdP’s portal or by visiting the link provided in the admin section. Once the SSO provider has been configured, any new users will have SSO enabled by default (though it can be toggled in the invite form).