This guide is the fourth step for adding SSO to your Frontegg application. It is designed as guidelines for users who have access to your application's Admin portal and can configure the SSO connection there.
After following the instructions in this guide, end users will be able to login to their account in your application via an SSO connection that they have applied using their IDP and Admin portal.
- Enable SAML or OpenID Connect in Login Box
- Configure SAML or OpenID Connect
- Enable SSO for Admin Portal
- 👉 Configure customer identity provider 👈
Users need information from their Identity Provider account to complete this step. They need either the XML metadata file or the SSO Endpoint and Public Certificate. See guides below for help finding that information for different IDPs.
Configure Identity Provider
Follow the steps below to configure the identity provider part in the Admin Portal for your designated account.
STEP 1: Find Admin Portal
Go to the Admin Portal ➜ SSO.
To access the Admin Portal, make sure that it is implemented in the application.
If a user does not see SSO tab in the Admin Portal, make sure that the user's role is assigned with SSO permissions.
STEP 2: Configure IDP
Click the add new button to configure an identity provider by filling out the details or uploading a metadata file from the identity provider.
We recommend selecting the automatic option. It is the same as manual but less prone to implementation errors.
After selecting automatic, you will need to upload the XML file from the identity provider.
If the IDP does not offer an XML download, the user may need to copy the XML data from the IDP and save it to an .xml file then upload that file to the Admin Portal.
If selected manual, you'll need to enter the SSO Endpoint and Public Certificate from the identity provider
For examples and explanations, follow the relevant configuration guide below.
STEP 3: Claim Domain
After configuring the identity provider, you will need to claim one or more domains for the account.
The domain needs to be claimed by copying TXT record and applying in your DNS provider.
You can configure multiple domains for an account. This can be useful if you're using multiple environments for development or multiple production applications on separate domains and need the SSO connection to cover several domains.
Control which users can configure SSO and therefore claim domains by configuring the Roles and Permissions.
STEP 4: Manage Authorization
Select which roles should be assigned to SSO users by default and map IDP groups to specific roles. Roles you assign to users through SSO will apply regardless of whatever additional roles you assign to those users.
Default SSO Roles
Assign default roles to all SSO users by adding one or more Frontegg roles from your list of predefined roles.
Whichever roles you include in the input, those roles will be assigned to all SSO users.
Mapping Groups to Roles
By default the groups that the user passes from the IDP are being checked only upon user creation - first login via SSO. If you'd like to check for the users groups' on each login, please contact Frontegg.
You can also map IDP groups to roles and automatically assign roles to users based on the IDP group the user belongs to.
For the mapping to work, first you should configure your IDP so that the name of the group key is groups.
Then, in the SSO form in the Portal, they should enter a group name that corresponds to a group name with their IDP.
Here is an example of how to find IDP group names in Okta.
The roles that are available for mapping are from a predefined list of roles available in the application.
After configuring SSO, the connection settings can be managed through the Admin Portal.
Make sure to toggle a new connection on.
Updated 5 days ago