SSO
Single Sign On (SSO) enables users to log into multiple services without entering their user name and password for each service. SnapLogic supports Single Sign On (SSO) for Identity Providers (IdP) that use the Security Assertion Markup Language 2.0 (SAML 2.0) standard.
IdPs certified to work with SnapLogic include:
To enable SSO for the SnapLogic Platform, you must use the same IdP for all your environments. First, create one application integration in your IdP that will handle authorization for all your SnapLogic environments. After you create the integration in your IdP, export metadata from it and import the metadata into all of your SnapLogic environments.
Each user must have an account in SnapLogic and an account in the IdP. When SSO is enabled for an environment, users can sign in with either basic authentication (user name and password) or with SSO. In User account settings, you define whether users must log in through SSO or whether they can also use Password-based authentication.
Similar to basic authentication, a successful SSO login gives users access to all environments where they have an account. For example, if a user is a member of Env_1 and Env_2 and they log into Env_1 with SSO, they can switch to Env_2 without logging in again. This assumes that both environments have the same IdP configured. If that isn't the case, they receive a message stating "SSO login can't be used for users that are members of orgs that have different identity providers". The authentication process only validates that the person logging into the service is who they say they are. It doesn't control what they have access to.
SSO authentication works like this:
- A user clicks the Single Sign On link from the SnapLogic login screen, enters an Org name and clicks Log in. Alternatively, IdPs such as Okta provide a way to set up a card for users to click.
- The SnapLogic Platform sends a SAML request to the IdP Application Integration that you created for SnapLogic. The request contains an AssertionConsumerServiceURL element that specifies where the response should be sent.
- The IdP ensures that the AssertionConsumerServiceURL is associated with the requester. To make this possible, you must add the Reply URLs for all of your SnapLogic Orgs to the IdP Application Integration when you configure SSO.
- The IdP authorizes the requester access by replying to the initial request.
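The Reply URL check in the third step can be sketched as follows. This is an added example, not SnapLogic's or any IdP's own code. It assumes the request arrives with the SAML HTTP-Redirect encoding (raw DEFLATE, then base64) and reads AssertionConsumerServiceURL as an attribute of AuthnRequest, as SAML 2.0 defines it; the URLs, request ID and function names are constructed placeholders.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed Reply URLs, one per SnapLogic Org, as they would be registered
# in the IdP application integration (hostnames and paths are placeholders).
REGISTERED_REPLY_URLS = {
    "https://sso.example.test/saml/acs/Env_1",
    "https://sso.example.test/saml/acs/Env_2",
}

def encode_redirect_request(acs_url: str) -> str:
    """Build a constructed AuthnRequest encoded as for the HTTP-Redirect binding."""
    xml = (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" ID="_constructed1" '
        f'Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
        f'AssertionConsumerServiceURL="{acs_url}"/>'
    )
    deflater = zlib.compressobj(wbits=-15)  # raw DEFLATE, no zlib header
    return base64.b64encode(deflater.compress(xml.encode()) + deflater.flush()).decode()

def requested_acs_url(saml_request_b64: str) -> str:
    """Decode the SAMLRequest value and return its AssertionConsumerServiceURL."""
    raw = zlib.decompress(base64.b64decode(saml_request_b64), wbits=-15)
    # The stdlib parser keeps this example offline; on untrusted input use a
    # hardened XML parser (for example defusedxml) in production.
    root = ET.fromstring(raw)
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        raise ValueError("not a SAML 2.0 AuthnRequest")
    acs = root.get("AssertionConsumerServiceURL")
    if not acs:
        raise ValueError("request carries no AssertionConsumerServiceURL")
    return acs

def idp_accepts(saml_request_b64: str, registered=REGISTERED_REPLY_URLS) -> bool:
    """Exact, case-sensitive match only: no prefix, substring or wildcard checks."""
    try:
        return requested_acs_url(saml_request_b64) in registered
    except (ValueError, ET.ParseError, zlib.error):
        return False  # undecodable or malformed requests are rejected
```

An Org whose Reply URL was never added to the integration fails this check, which is why every Org's URL has to be registered when you configure SSO.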
To configure SSO, start by creating an application integration in your IdP.