Single Sign On (SSO) enables users to log into multiple services without entering their user name and password for each service. SnapLogic supports SSO for Identity Providers (IdPs) that use the Security Assertion Markup Language 2.0 (SAML 2.0) standard.

IdPs certified to work with SnapLogic include:

To enable SSO for the SnapLogic Platform, you must use the same IdP for all your environments. First, create one application integration in your IdP that will handle authorization for all your SnapLogic environments. After you create the integration in your IdP, export metadata from it and import the metadata into all of your SnapLogic environments.

Each user must have an account in SnapLogic and an account in the IdP. When SSO is enabled for an environment, users can sign in with either basic authentication (user name and password) or with SSO. In User account settings, you define whether users must log in through SSO or whether they can also use Password-based authentication.

Similar to basic authentication, a successful SSO login gives users access to all environments where they have an account. For example, if a user is a member of Env_1 and Env_2 and they log into Env_1 with SSO, they can switch to Env_2 without logging in again. This assumes that both environments have the same IdP configured. If that isn't the case, they receive a message stating SSO login can't be used for users that are members of orgs that have different identity providers. The authentication process only validates that the person logging into the service is who they say they are. It doesn't control what they have access to.

SSO authentication works like this:

  1. A user clicks the Single Sign On link from the SnapLogic login screen, enters an Org name and clicks Log in. Alternatively, IdPs such as Okta provide a way to set up a card for users to click.
  2. The SnapLogic Platform sends a SAML request to the IdP Application Integration that you created for SnapLogic. The request contains an AssertionConsumerServiceURL element that specifies where the response should be sent.
  3. The IdP ensures that the AssertionConsumerServiceURL is associated with the requester. To make this possible, you must add the Reply URLs for all of your SnapLogic Orgs to the IdP Application Integration when you configure SSO.
  4. The IdP authorizes the requester's access by replying to the initial request.
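
The check in steps 2 and 3, sketched as an added example (this is not SnapLogic or IdP code): it decodes a SAML request, reads its AssertionConsumerServiceURL, and accepts it only if it exactly matches a registered Reply URL. It assumes the request uses the SAML HTTP-Redirect binding encoding (raw DEFLATE, then base64); the URLs, the size limit and all function names are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET
import zlib

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
MAX_XML_BYTES = 64 * 1024  # assumed bound on the inflated request size

# Constructed values: hypothetical Reply URLs registered in the IdP integration.
REGISTERED_REPLY_URLS = {
    "https://sp.example.test/sso/acs/Env_1",
    "https://sp.example.test/sso/acs/Env_2",
}

def encode_redirect(xml: bytes) -> str:
    """Raw DEFLATE + base64, as the HTTP-Redirect binding encodes SAMLRequest."""
    deflater = zlib.compressobj(wbits=-15)
    return base64.b64encode(deflater.compress(xml) + deflater.flush()).decode()

def build_sample_request(acs_url: str) -> str:
    """Constructed AuthnRequest carrying the given AssertionConsumerServiceURL."""
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" ID="_constructed1" '
           f'Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
           f'AssertionConsumerServiceURL="{acs_url}"/>')
    return encode_redirect(xml.encode())

def extract_acs_url(saml_request: str):
    """Decode a SAMLRequest and return its AssertionConsumerServiceURL."""
    inflater = zlib.decompressobj(wbits=-15)
    xml = inflater.decompress(base64.b64decode(saml_request), MAX_XML_BYTES)
    if not inflater.eof:  # output was cut off at the limit, or input truncated
        raise ValueError("SAMLRequest exceeds size limit or is incomplete")
    if b"<!DOCTYPE" in xml or b"<!ENTITY" in xml:
        raise ValueError("DTDs are not accepted in SAML messages")
    root = ET.fromstring(xml)
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        raise ValueError("not a SAML 2.0 AuthnRequest")
    return root.get("AssertionConsumerServiceURL")

def acs_url_is_registered(saml_request: str, registered=REGISTERED_REPLY_URLS) -> bool:
    """Step 3: exact string match against the Reply URLs, never a prefix match."""
    acs = extract_acs_url(saml_request)
    return acs is not None and acs in registered

if __name__ == "__main__":
    for url in ("https://sp.example.test/sso/acs/Env_1",
                "https://sp.example.test/sso/acs/Env_3"):
        print(url, acs_url_is_registered(build_sample_request(url)))
```

An environment whose Reply URL was never added to the integration (Env_3 in the constructed data) fails this check, which is why every Org's Reply URL has to be registered when SSO is configured.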

To configure SSO, start by creating an application integration in your IdP.