Single Sign-On (SSO)
This section documents the administration configuration for single sign-on, as well as merging an existing Axon account to use single sign-on.
Single Sign-On is an authentication method that lets users log in to multiple environments with a single set of credentials, which are verified by a trusted identity provider (IdP) rather than by each environment separately.
For user guides on configuring specific third-party SSO providers, refer to the topics below:
Single Sign-On Administration
Only Administrators can take the actions described in this section.
Configure Single Sign-On Providers
Before a provider can be used to authenticate single sign-on (SSO), the provider must be configured by an Axon administrator.
To add an SSO configuration for user login:
- In the lower-left corner of the main screen, click the Administration cog icon. The Administration menu appears on the left side.
- In the Access Control section, click Single Sign-On (SSO). The Single Sign-On (SSO) list appears.
- Click + Add SSO Provider in the upper-right of the screen. The Single Sign-On Settings window appears.
- Enter the following information to authorize the provider. Required fields are marked with an asterisk (*).
It is highly recommended to work with your internal IT department when configuring SSO providers.
Field: Description
- Alias (required): Enter a unique name for this SSO provider.
- Display Name: Enter a unique name under which this SSO provider is displayed in the list.
- Sync Mode: Select the default sync mode, which determines when user data from the identity provider is written to the Axon user profile:
- Legacy keeps the behavior used before this option was introduced.
- Import imports the user's data once, during the user's first login with this provider. Later changes at the identity provider are not picked up.
- Force updates the user's data from the identity provider during every login with this provider, so values maintained in Axon are overwritten by the identity provider's values.
- SSO Configuration Type: Select SAML 2.0 or OIDC. The fields that follow depend on the type selected, and further options may appear based on the settings you choose. It is highly recommended to work with your internal IT professionals when configuring these settings.

SAML 2.0 fields:
- Service Provider Entity ID (required): Enter the entity ID that identifies Axon, as the SAML service provider, to the identity provider. Register the same value at the identity provider; assertions issued for a different entity ID are not accepted.
- SSO Service URL (required): Enter the identity provider's URL to which Axon sends authentication requests.
- Single Logout Service URL: Enter the identity provider's URL to which Axon sends logout requests.
- Backchannel Logout: Check to enable backchannel logout, in which logout requests are exchanged directly between Axon and the identity provider rather than through the user's browser.
- NameID Policy Format: Select from the drop-list the URI reference of the name identifier format that Axon requests in its authentication requests.
- Principal Type: Select from the drop-list how external users are identified and tracked from the assertion.
- Allowed clock skew: Enter the number of seconds of clock difference tolerated when validating the time conditions of identity provider assertions. Keep this value small; a large skew extends the window in which an expired or replayed assertion is still accepted.
- Attribute Consuming Service Index: Enter the index of the Attribute Consuming Service profile to request during authentication.
- Attribute Consuming Service Name: Enter the name of the Attribute Consuming Service profile to advertise in the SP metadata. The default is the realm display name when one is configured, otherwise the realm name.

OIDC fields:
- Authorization URL (required): Enter the identity provider's authorization endpoint, to which Axon sends authentication requests.
- Token URL (required): Enter the identity provider's token endpoint.
- Logout URL: Enter the identity provider's end session endpoint, used when logging a user out from the external IdP.
- Backchannel Logout: Check to enable backchannel logout, in which logout requests are exchanged directly between Axon and the identity provider rather than through the user's browser.
- Client Authentication (required): Select from the drop-list the method Axon uses to authenticate to the identity provider's token endpoint.
- Client ID (required): Enter the client identifier registered for Axon at the identity provider.
- Client Secret (required): Enter the client secret registered for Axon at the identity provider. Treat it as a credential: do not share it outside the team administering SSO, and rotate it at the identity provider if it is exposed.
- Client Assertion Signature Algorithm: Select from the drop-list the signature algorithm used to create the JWT assertion when the client authentication method is based on a signed assertion.
- Issuer: Enter the issuer identifier expected in the identity provider's responses (the iss claim of its tokens).
- Default Scopes: Enter the scopes sent when asking for authorization.
- Prompt: Select from the drop-list whether the authorization server prompts the end user for reauthentication and consent.
- Allowed clock skew: Enter the number of seconds of clock difference tolerated when validating identity provider tokens. Keep this value small; a large skew extends the window in which an expired token is still accepted.
- Forwarded Query Parameters: Enter the non-OpenID Connect/OAuth standard query parameters to be forwarded from the initial application request to the identity provider's authorization endpoint.

Click Save to save the SSO configuration, or Save and Enable to save the configuration and activate the provider for SSO.
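The OIDC values above are usually copied from the identity provider's OpenID Connect discovery document. The following Python script is an added example, not part of this documentation or of Axon: it derives the Authorization URL, Token URL, Logout URL, Issuer and Default Scopes form values from a constructed sample discovery document (the hostname idp.example.test is hypothetical), flags problems a practitioner should catch before saving (issuer mismatch, non-HTTPS or off-host endpoints, an unsupported Client Authentication method, scopes the provider does not advertise), and shows what the Allowed clock skew field does to a token's iat/exp check.

```python
"""Derive the Axon OIDC settings from an identity provider's discovery document
and sanity-check them before they are typed into the form (added example)."""
import json
from urllib.parse import urlparse

# Constructed sample of what an identity provider returns from
# GET <issuer>/.well-known/openid-configuration. The hostname is hypothetical.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idp.example.test/realms/corp",
    "authorization_endpoint": "https://idp.example.test/realms/corp/protocol/openid-connect/auth",
    "token_endpoint": "https://idp.example.test/realms/corp/protocol/openid-connect/token",
    "end_session_endpoint": "https://idp.example.test/realms/corp/protocol/openid-connect/logout",
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post", "private_key_jwt"],
    "scopes_supported": ["openid", "profile", "email", "groups"],
})

# Axon form field -> (discovery document key, required on the form).
FIELD_MAP = {
    "Authorization URL": ("authorization_endpoint", True),
    "Token URL": ("token_endpoint", True),
    "Logout URL": ("end_session_endpoint", False),
    "Issuer": ("issuer", True),
}


def form_values_from_discovery(doc_text, expected_issuer, client_auth, scopes):
    """Return ({form field: value}, [problems]).

    expected_issuer is the URL the discovery document was fetched from; a
    document that names a different issuer must not be trusted. An empty
    problem list means the values can be entered into the Axon form as-is.
    """
    doc = json.loads(doc_text)
    values, problems = {}, []
    for field, (key, required) in FIELD_MAP.items():
        value = doc.get(key)
        if value is None:
            if required:
                problems.append(f"{field}: discovery document has no '{key}'")
            continue
        values[field] = value

    # The issuer pins which tokens Axon will accept; it must match the source.
    if "Issuer" in values and values["Issuer"] != expected_issuer:
        problems.append(f"Issuer: document says {values['Issuer']!r}, expected {expected_issuer!r}")

    # Every endpoint must be HTTPS and live on the issuer's host; an endpoint
    # pointing elsewhere would hand the authorization code or client secret to a third party.
    issuer_host = urlparse(expected_issuer).netloc
    for field in ("Authorization URL", "Token URL", "Logout URL"):
        url = values.get(field)
        if url is None:
            continue
        parsed = urlparse(url)
        if parsed.scheme != "https":
            problems.append(f"{field}: {url} is not https")
        if parsed.netloc != issuer_host:
            problems.append(f"{field}: host {parsed.netloc!r} differs from issuer host {issuer_host!r}")

    # The Client Authentication method chosen on the form must be one the token
    # endpoint accepts (the discovery spec's default when the key is absent is client_secret_basic).
    supported = doc.get("token_endpoint_auth_methods_supported", ["client_secret_basic"])
    if client_auth not in supported:
        problems.append(f"Client Authentication: {client_auth!r} not in {supported}")

    # Default Scopes: 'openid' is mandatory for an OIDC login; reject scopes the
    # provider does not advertise instead of silently receiving fewer claims.
    if "openid" not in scopes:
        problems.append("Default Scopes: 'openid' scope is missing")
    advertised = doc.get("scopes_supported")
    if advertised is not None:
        for scope in scopes:
            if scope not in advertised:
                problems.append(f"Default Scopes: {scope!r} not advertised by provider")
    values["Default Scopes"] = " ".join(scopes)
    return values, problems


def timestamps_acceptable(iat, exp, now, allowed_skew):
    """Effect of the 'Allowed clock skew' field on token validation: a token is
    accepted if it was issued no more than allowed_skew seconds in the future
    and expired no more than allowed_skew seconds ago (epoch seconds)."""
    return iat - allowed_skew <= now < exp + allowed_skew


if __name__ == "__main__":
    values, problems = form_values_from_discovery(
        SAMPLE_DISCOVERY, "https://idp.example.test/realms/corp",
        "client_secret_basic", ["openid", "profile", "groups"])
    for field, value in values.items():
        print(f"{field}: {value}")
    print("problems:", problems or "none")
```

Run it with the discovery document fetched from your own identity provider in place of the constructed sample; only enter the values into the form when the problem list is empty, and prefer the smallest Allowed clock skew that still passes in practice.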
Single Sign-On Role Mapping
When creating or editing an SSO provider, you have the option to map groups from the identity provider to roles in Axon. When role mapping is configured for a given identity provider group, any user belonging to that group will have the corresponding Axon role(s) assigned to them automatically the next time they log in.
To configure role mapping:
- In the lower-left corner of the main screen, click the Administration cog icon. The Administration menu appears on the left side.
- In the Access Control section, click Single Sign-On (SSO). The Single Sign-On (SSO) list appears.
- Choose one of the following options:
- To configure role mapping for an existing SSO provider, click the Actions drop-list to the right of the provider you wish to modify. Then click Edit Settings.
- To configure role mapping for a new SSO provider, Click + Add SSO Provider in the upper-right of the screen.
In both cases, the Single Sign-On Settings window appears.
- Click the Role Mapping tab.
- In the IdP Group Name field, enter the name of your identity provider group exactly as the identity provider sends it. Spaces and special characters are supported.
- In the Axon Role(s) field, select one or more roles that should be automatically granted to every member of the corresponding IdP group.
- (Optional) To add additional mappings, click Add Group.
- (Optional) To remove a mapping, click the x icon to the right of the mapping you wish to delete.
- Click Save to save the SSO configuration, or Save and Enable to save the configuration and activate the provider for SSO.
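The following Python script is an added example, not part of this documentation or of Axon. It models the role-mapping table above as a dictionary of constructed, hypothetical group and role names, resolves the Axon roles for a user from the groups the identity provider asserts (assuming an exact, case-sensitive match on the group name, which is the safe assumption to test against), and lints a mapping table for mistakes that are easy to make in the form: stray whitespace, names that differ only by case, roles that do not exist, and a privileged role granted to a broad group.

```python
"""Resolve Axon roles from asserted IdP groups and lint a mapping table
before it is saved (added example)."""

# Constructed mapping table, as it would be entered on the Role Mapping tab
# (IdP Group Name -> Axon Role(s)). Group and role names are hypothetical.
ROLE_MAPPING = {
    "Axon Admins": ["Administrator"],
    "Security Team / EU": ["Analyst", "Reviewer"],
    "All Staff": ["Viewer"],
}

# Hypothetical set of roles that exist in this Axon instance.
AXON_ROLES = {"Administrator", "Analyst", "Reviewer", "Viewer"}


def resolve_roles(idp_groups, mapping):
    """Return (sorted roles to grant, groups with no mapping).

    Assumes an exact, case-sensitive match between the group name asserted by
    the identity provider and the IdP Group Name entered in Axon. A user in
    several mapped groups receives the union of their roles.
    """
    roles, unmapped = set(), []
    for group in idp_groups:
        if group in mapping:
            roles.update(mapping[group])
        else:
            unmapped.append(group)
    return sorted(roles), unmapped


def lint_mapping(mapping, known_roles, privileged_roles=("Administrator",),
                 broad_groups=("All Staff",)):
    """Flag mistakes that are easy to make in the form and hard to spot later.
    privileged_roles and broad_groups are hypothetical names for this example."""
    findings = []
    seen_folded = {}
    for group, roles in mapping.items():
        if group != group.strip():
            findings.append(f"group {group!r}: leading/trailing whitespace will never match the asserted name")
        folded = group.casefold()
        if folded in seen_folded:
            findings.append(f"group {group!r} collides with {seen_folded[folded]!r} apart from case")
        seen_folded.setdefault(folded, group)
        if not roles:
            findings.append(f"group {group!r}: no Axon role selected")
        for role in roles:
            if role not in known_roles:
                findings.append(f"group {group!r}: role {role!r} does not exist in Axon")
            if role in privileged_roles and group in broad_groups:
                findings.append(f"group {group!r}: grants privileged role {role!r} to a broad group")
    return findings


if __name__ == "__main__":
    # Constructed group list as an identity provider might assert it for one user.
    roles, unmapped = resolve_roles(["Axon Admins", "All Staff", "Contractors"], ROLE_MAPPING)
    print("roles:", roles)
    print("unmapped groups:", unmapped)
    print("findings:", lint_mapping(ROLE_MAPPING, AXON_ROLES) or "none")
```

Roles are applied at the user's next login, so after saving a mapping, log in with a test account that belongs to the mapped group and confirm the roles it receives; also verify what happens to a user who is later removed from the group, since this page only describes roles being added.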
Single Sign-On Actions
There are several actions available for all created single sign-on (SSO) providers. To perform these actions:
- In the lower-left corner of the main screen, click the Administration cog icon. The Administration menu appears on the left side.
- In the Access Control section, click Single Sign-On (SSO). The Single Sign-On (SSO) list appears.
- Click the Actions drop-list to the right of the provider you wish to modify.
You can also click the General Settings drop-arrow below the Actions button to view the configured settings for each provider.
Select one of the following:
Action: Description
- Enable/Disable: Click Enable to activate a provider that had previously been disabled, or that had never been activated. Click Disable to temporarily retire an enabled provider; its configuration is kept and it can be re-enabled later.
- Edit Settings: Click to modify the provider's settings.
- Delete: Click to delete the SSO provider configuration entirely. This action cannot be undone; to take a provider out of service without losing its configuration, use Disable instead.
Merge Local and SSO Accounts
All users can take this action.
If an existing Axon user who logs in with an email address and password would like to begin using a single sign-on (SSO) login, they need to merge their existing "local" user profile into their SSO user profile. The merge requires reauthenticating with the local password, so only someone who holds the local account's credentials can attach an SSO identity to it. After the merge, the user can log in either with SSO or with their email address and password.
To merge the local user profile with a configured SSO provider:
- At the Axon login screen, click the Log in With SSO button.
- Enter the email address used for both the local profile and the SSO account.
- Click Merge Accounts. This process is not reversible.
- Enter the email address to reauthenticate.
- Click Next.
- Enter the password to reauthenticate.
- Click Merge & Login.
The local user profile and SSO profile are merged, and the user can now log in with either.