Empower your customers to integrate with enterprise identity providers.
This guide shows how your customers can access the SSO settings in the Admin Portal and configure their identity provider.
The basic steps are:
Follow the guides for adding SSO in the Builder.
The guides explain how to enable SSO by turning on one or more SSO standards in the Builder.
The guides also explain how to configure each standard. You need to configure each standard that you enable in the Builder.
Here are links to the configuration guides.
After enabling and configuring SSO for the Login Box, enable SSO on the Builder's Collaboration page.
Go to Home ➜ Builder ➜ Collaboration.
Turn on SSO by toggling the SSO switch to on.
Once the switch is on, the SSO option should appear in the sidebar of the Admin Portal preview.
Commit any changes and publish them before moving on. Read about editing builder settings.
With SSO configured in the Builder for both the Login Box and Collaboration, your customers can configure their identity provider in the Admin Portal.
Customers need information from their IDP to complete this step. They need either the XML file or the SSO Endpoint and Public Certificate. See guides below for help finding that information for specific IDPs.
Your customer should go to the Admin Portal ➜ SSO.
To access the Admin Portal, review the Admin Portal introductory guide.
Ensure that a user can access SSO in the Admin Portal by assigning them a role with SSO permissions.
Click the add new button to configure an identity provider.
We recommend selecting automatic. It is the same as manual but less prone to implementation errors.
After selecting automatic, the customer needs to upload the XML file from their identity provider.
If the IDP does not offer an XML download, the customer may need to copy the XML data from the IDP, save it to an .xml file, and then upload that file to the Admin Portal.
If the customer selects manual, they need to enter the SSO Endpoint and Public Certificate from the identity provider.
For examples and explanations, follow the relevant configuration guide below for your SSO standard and identity provider.
After configuring the identity provider, the customer needs to claim one or more domains.
The customer should claim a domain if users are using Frontegg to sign in to an application hosted on that domain.
The customer needs to copy the DNS record info into a new TXT record with their DNS provider.
Customers can configure multiple domains. This might be useful if you have multiple environments for development or multiple production applications on separate domains.
Manage which users can log in using SSO based on their role and automatically map IDP groups to Frontegg roles.
The customer can add default SSO roles from the existing list of roles.
Add and remove roles for customers to assign to users.
The customer can also map IDP groups to Frontegg roles to automatically assign Frontegg roles to users based on which IDP group the user belongs to.
If the customer maps groups to roles, then they should:
- Enter a group name that corresponds to a group name with their IDP
- Consider making that role a default SSO role if that group should have SSO authorization
The customer has now configured SSO. They can manage the settings through the Admin Portal.
Be sure to toggle the new connection on.