SSO Authentication
Single Sign-On (SSO) enables users to log into multiple services without entering their user name and password for each service. SnapLogic supports SSO for Identity Providers (IdP) that use the Security Assertion Markup Language 2.0 (SAML 2.0) standard. SSO is an add-on to your SnapLogic subscription.
IdPs certified to work with the SnapLogic Platform include:
To use SSO, first create an application integration in your IdP that will handle authorization. After you create the integration in your IdP, export metadata from it and import the metadata into all of your SnapLogic environments.
Each user must have a SnapLogic account and an account in the IdP. In User account settings, you define whether users must log in through SSO or whether they can also use Password-based authentication. If password-based authentication is enabled, you can also enable MFA (if subscribed).
You can set up environments to have different IdPs. An SSO login gives users access to all environments configured for the same IdP where they have an account. For example, if a user is a member of Env_1 and Env_2 and they log into Env_1 with SSO, they can switch to Env_2 without logging in again. This is assuming that both environments have the same IdP provider configured. If they also have an account on Env_3 and it uses a different IdP, they need to log out and log in using that IdP to access Env_3.
The authentication process only validates that the person logging into the service is who they say they are. It doesn't control what they have access to. The environment IdP configuration controls that.
SSO authentication works like this:
- A user clicks the Single Sign On link from the SnapLogic login screen, enters an environment name, and clicks Log in. Alternatively, IdPs such as Okta provide a way to set up a card for users to click.
- The SnapLogic Platform sends a SAML request to the IdP Application Integration that you created
for SnapLogic. The request contains an
AssertionConsumerServiceURL
element that specifies where to send the response. - The IdP ensures that the
AssertionConsumerServiceURL
is associated with the requester. To make this possible, you must add the Reply URLs for all of your SnapLogic Orgs to the IdP Application Integration when you configure SSO. - The IdP authorizes the requester access by replying to the initial request.