Configure Single Sign On

Cymmetri Single Sign On is a module that allows the end-user to simply authenticate once into the Cymmetri Identity platform web portal, and then access all the applications assigned to them without having to log in again into the target application.

The following article explains how to configure any application added to be managed in your Cymmetri Identity platform deployment to support Single SignOn mechanism.

Warning: Single SignOn Module needs to be enabled for your tenant for this configuration to be enabled and for Single SignOn to work.

Supported Single SignOn Mechanisms

Let us first visit the various supported Single SignOn Mechanisms available for the Cymmetri Identity platform.

SAML 2.0 SAML 2.0 (Security Assertion Markup Language) is a mechanism used primarily by web applications to share messages between each other to perform a Single SignOn for the end user.

OpenID Connect OpenID Connect refers to an authentication mechanism that is derived from the OpenID family of Single SignOn mechanisms. It enables the system to perform Single SignOn for a wide range of target application types (such as - Web applications, Mobile Native Applications, Desktop based Applications). It is therefore more versatile than SAML 2.0, and is more commonly used for mobile applications. It is also the mechanism used typically for social logins.

Warning: Please note that for using the above mentioned two mechanisms (SAML 2.0 and OpenID Connect), the managed application must support the corresponding mechanism.

REST API based SSO The above two Single SignOn mechanisms are based on well-accepted and standard mechanisms. However, there might be a few legacy applications in your organization, that for various reasons may not be able to integrate and support the above mentioned protocols, we have introduced Custom API-based SSO as an alternative Single SignOn Mechanism. This requires a few changes in the managed application code which will be referenced in the following section.

Note: Cymmetri Identity platform supports Custom API-based SSO mechanism. However, it is highly recommended to migrate to the aforementioned SAML 2.0 and OpenID Connect mechanisms.

Configuring Applications for Single SignOn

To allow your end-users to access applications managed by your Cymmetri Identity platform deployment, the applications must be configured for Single SignOn, and then assigned the application.

Redirect to Applications without Single SignOn

While it is not recommended for obvious reasons, as an administrator you may configure an application to be used simply for provisioning and redirection, without performing Single SignOn.

Note: The following section is to be used for configure only applications for which you do not need to perform Single SignOn. In case you need to configure any of the following Single SignOn mechanisms, you may skip this section and refer to the corresponding configuration in your chosen method of Single SignOn.

Configuring the Application URL

For configuring an application to simply redirect the enduser to the landing page of the managed application -

Once in the applications menu, click on the application tile for which you need to configure the landing page URL and then on the left side menu, select the SignOn menu item.

Toggle the “Enable Single Sign-On (SSO)” switch to open the corresponding configuration options.

Enter the landing page URL in the “Application URL” text box and click the adjoining “Save” button.

The popup indicating “SSO Updated Successfully” will indicate that the Application URL has been configured successfully for your application.

Conclusion

Assigning the application to an end user will show an application tile as shown below:

Clicking on the application tile, will redirect the user to the assigned landing page URL.