Setting up Single Sign On (SSO) in the Own Data Platform

    NOTE: This article refers to the procedure of enrolling and enabling SSO within the Own Data Platform.

    For relevant information for accounts that existed before May 2024 with SSO users before migrating to the Own Data Platform, see SSO Users Migrating to Own Data Platform.

    We support single sign on using SAML 2.0. Instead of relying on our local authentication for password and security policies, you can delegate authentication to your own managed Identity Provider (IdP), whose password and security policies then apply.

    IdP Configuration

    We use SAML 2.0 and support IdP-initiated flows only. Therefore, to authenticate, the IdP must be configured to issue the SAML assertion to the platform; there is no SP-initiated redirect. The SSO application needs to be created in your IdP before enabling SSO in the platform.

    The following are quick guides for setting up common IdPs:

    NOTE: Only one application in the IdP is able to connect to the Own Data Platform, even if you have multiple regions.

    Enabling Single Sign On (SSO):

    1. Log in to the Own Data Platform.
    2. Click  in the bottom left corner of the screen.
    3. Click Change to Single Sign On (SSO). The SSO Settings will open on the right of the screen:
    4. Enter the Identity Provider Issuer: a unique identifier of the IdP (usually an https:// URL). The SAML issuer is typically the Entity ID, which can be verified in the IdP's metadata XML.
    5. Upload the IdP Signature Certificate. Your certificate should be an X.509 PEM encoded file.
    6. (Optional) Enter the Logout URL: the link to which you wish to direct users when they click the logout button.
    7. Click Next.
      It may take a few minutes to verify your settings.
    8. Once your settings are saved and your unique parameters are created, the IdP Parameters will be displayed:
    9. Copy the values into the relevant fields in your identity provider.
      If you want all users to be logged in to a specific region on sign in, click Show advanced access and select the region specific Direct RelayState, rather than the Default RelayState.
    NOTE: The RelayState must be defined in your IdP. RelayState is sometimes also referred to as a "Start URL", "Target URL", "Target application URL", among other names. Refer to your IdP's SAML application documentation for their name for this variable.
    10. In your identity provider, ensure that the unique user identifier (also known as name ID) points to the email address.
    11. In the Own Data Platform, click Close. The following message will appear:
    12. Until you complete the setup, your sign in method in the Security page will display a “Not Activated” warning:

      In order to complete the setup, log out and log back in to the Own Data Platform with your IdP. This will verify your settings and activate them across your account. Until this is done, users can still log in with their email and password.
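    The steps above ask for the Identity Provider Issuer (the Entity ID from the IdP metadata), an X.509 PEM signature certificate, and a name ID that carries the user's email address. The following Python script is an added example, not part of this article or of the Own Data Platform, that pre-checks those three inputs before you fill in the SSO Settings form: it pulls the entityID and signing certificate out of IdP metadata XML and re-wraps the certificate as PEM, then checks a sample assertion for a matching Issuer and an email-address NameID. The metadata, the certificate bytes and the assertions are constructed placeholders; the script uses only the standard library and does not verify XML signatures (the platform does that at login).

```python
"""Pre-flight checks for an IdP-initiated SAML 2.0 setup (added example, stdlib only)."""
import base64
import binascii
import re
import textwrap
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed placeholder: not a real DER certificate, just valid base64 so the
# PEM re-wrapping path can be exercised offline.
PLACEHOLDER_CERT_B64 = base64.b64encode(
    b"placeholder DER bytes, not a real certificate, repeated to span several PEM lines " * 2
).decode()

# Constructed sample IdP metadata; the entityID is a hypothetical URL.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.com/saml/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>{PLACEHOLDER_CERT_B64}</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>{EMAIL_NAMEID}</md:NameIDFormat>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed assertions: one that satisfies the article's requirements, one that does not.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0">
  <saml:Issuer>https://idp.example.com/saml/metadata</saml:Issuer>
  <saml:Subject><saml:NameID Format="{EMAIL_NAMEID}">alice@example.com</saml:NameID></saml:Subject>
</saml:Assertion>"""

BAD_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a2" Version="2.0">
  <saml:Issuer>https://other-idp.example.com/</saml:Issuer>
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">u-12345</saml:NameID></saml:Subject>
</saml:Assertion>"""


def idp_metadata_to_settings(metadata_xml: str) -> dict:
    """Return {'issuer': entityID, 'certificate_pem': PEM} from IdP metadata XML."""
    root = ET.fromstring(metadata_xml)
    issuer = root.get("entityID")
    if not issuer:
        raise ValueError("metadata has no entityID; cannot determine the Issuer")
    cert_b64 = None
    for kd in root.findall("md:IDPSSODescriptor/md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute is valid for both signing and encryption.
        if kd.get("use") in (None, "signing"):
            node = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            if node is not None and node.text:
                cert_b64 = "".join(node.text.split())  # drop line breaks/indentation
                break
    if cert_b64 is None:
        raise ValueError("metadata has no signing X509Certificate")
    try:
        base64.b64decode(cert_b64, validate=True)  # reject a truncated or mangled copy-paste
    except binascii.Error as exc:
        raise ValueError(f"certificate is not valid base64: {exc}") from exc
    pem = "-----BEGIN CERTIFICATE-----\n" + "\n".join(textwrap.wrap(cert_b64, 64)) + "\n-----END CERTIFICATE-----\n"
    return {"issuer": issuer, "certificate_pem": pem}


def check_assertion(assertion_xml: str, settings: dict) -> list:
    """Return a list of problems (empty when the assertion matches the configured issuer and email NameID)."""
    problems = []
    root = ET.fromstring(assertion_xml)
    issuer = (root.findtext("saml:Issuer", default="", namespaces=NS) or "").strip()
    if issuer != settings["issuer"]:
        problems.append(f"Issuer {issuer!r} does not match configured issuer {settings['issuer']!r}")
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        problems.append("assertion has no Subject/NameID")
        return problems
    if name_id.get("Format", "") != EMAIL_NAMEID:
        problems.append(f"NameID Format is {name_id.get('Format')!r}, expected {EMAIL_NAMEID!r}")
    value = (name_id.text or "").strip()
    if not EMAIL_RE.match(value):
        problems.append(f"NameID value {value!r} is not an email address")
    return problems


if __name__ == "__main__":
    cfg = idp_metadata_to_settings(SAMPLE_METADATA)
    print("Issuer:", cfg["issuer"])
    print(cfg["certificate_pem"])
    print("good assertion problems:", check_assertion(SAMPLE_ASSERTION, cfg))
    print("bad assertion problems:", check_assertion(BAD_ASSERTION, cfg))
```

Run it against your real IdP metadata by replacing SAMPLE_METADATA with the downloaded file contents; the printed Issuer is what goes in the Identity Provider Issuer field and the printed PEM is what you upload as the signature certificate. A test assertion captured from your IdP's "preview" or trace feature can be passed to check_assertion before you switch the account over, which catches the two most common causes of a login that never activates SSO: an Issuer that differs from the Entity ID, and a name ID that is an opaque user ID rather than the email address.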

    If there was an issue with the SSO setup, the Master Admin user can still log in with their email and password to debug.

    Once SSO is activated, logging in with email and password is disabled for all accounts.

    NOTE: If no users in your account log in within 48 hours, SSO will not be activated and your account will revert to password authentication. Your SSO settings are saved for future use.

    Behavior when Enabling Single Sign On

    Most password policies and security measures in the Own Data Platform change when you enable single sign on via SAML:


    • Only the Master Admin can enable/disable SSO.
    • The user can no longer set their password in the platform, and the password length and complexity rules are those set by the identity provider.
    • We cannot enforce password expirations and cannot prevent reuse of old passwords.
    • Users cannot use the Forgot/Reset Password mechanism and will be referred to their Identity Provider if they try to do so.
    • If you would like to enable an API user after implementing Single Sign On, please refer to Managing an API Token for your Account.
    • If you are completely locked out and cannot manage authentication via the IdP, please submit a case to our Support team who can assist.

    Disabling SSO

    1. Log in to the Own Data Platform.
    2. Click  in the bottom left corner of the screen.
    3. Click Change to Password. The Password Settings will open on the right of the screen:
    4. Set your password settings and click Save.

    The next time a user from your account attempts to log in, they will be forced to reset their password.

    Updating SSO Credentials

    If you need to update your identity provider issuer and/or certificate, the new credentials won’t activate until a user logs in with the IdP.

    NOTE: The Master Admin user who made the change will be able to access the account with their username and password until SSO is activated. They will need to reset their password on the sign in page before they can use it. If MFA was enabled before switching to SSO, it continues to apply until SSO is activated.

    If no one has logged in with the updated SSO credentials within 48 hours, the account reverts to the password authentication method, and all users will be required to reset their password on sign in.

    To update your SSO:

    1. Log in to the Own Data Platform.
    2. Click  in the bottom left corner of the screen.
    3. In the Authentication Method card, click View details.
    4. The SSO Settings will open on the right of the screen.
    5. Click Edit.
    6. Update the SSO settings and click Next.
    7. It may take a few minutes to verify your settings.
    8. Once your settings are verified, the IdP Parameters will be displayed:
    9. In order to complete the setup, log out and log back in to the Own Data Platform with your IdP.
    NOTE: If no user from the account logs in within 48 hours, the account will revert to password authentication.