Configuring SSO

Enable Single Sign-On (SSO) to let users authenticate with your organization's Identity Provider.

Prerequisites

  • Administrative access to Console
  • Access to your Identity Provider (IdP) configuration
  • IdP details (Client ID, Secret, or SAML metadata)

Choosing a Protocol

Protocol    Best For               Common Providers
OIDC        Modern applications    Okta, Auth0, Azure AD, Google
SAML 2.0    Legacy systems         Active Directory, Shibboleth

Configuring OIDC

Step 1: Get IdP Details

From your Identity Provider, collect:

  • Issuer URL (e.g., https://your-domain.okta.com)
  • Client ID
  • Client Secret
  • Redirect URI: https://console.solucao42.com.br/auth/callback

Step 2: Configure in Console

  1. Go to Settings → Single Sign-On
  2. Select OIDC as protocol
  3. Fill in the details:
    • Issuer URL
    • Client ID
    • Client Secret
  4. Map user attributes:
    • Email → email
    • Name → name
  5. Click Save

Step 3: Test the Configuration

  1. Click Test SSO
  2. You'll be redirected to your IdP
  3. Log in with test credentials
  4. Verify you're redirected back to Console
  5. Check user details are correct

Step 4: Enable for Organization

  1. Turn on the SSO Enabled option
  2. (Optional) Enable Require SSO to disable other login methods
  3. Click Save Changes

Configuring SAML

Step 1: Get SAML Metadata

From your IdP:

  • Download SAML metadata XML file
  • Or note the metadata URL

Step 2: Configure in Console

  1. Go to Settings → Single Sign-On
  2. Select SAML 2.0 as protocol
  3. Choose upload method:
    • Metadata URL: Enter the URL
    • Upload XML: Upload metadata file
  4. Console will parse the metadata automatically

Step 3: Configure Your IdP

Provide these values to your IdP admin:

  • Entity ID: https://console.solucao42.com.br
  • ACS URL: https://console.solucao42.com.br/auth/saml/callback
  • Name ID Format: Email address

Step 4: Map Attributes

Map SAML attributes to Console fields:

  • Email → email or nameID
  • Name → displayName or name
  • Groups (optional) → groups

Step 5: Test and Enable

  1. Click Test SAML
  2. Verify authentication works
  3. Enable SSO for your organization

Just-In-Time (JIT) Provisioning

Automatically create users on first SSO login:

  1. Go to Settings → Single Sign-On
  2. Enable JIT Provisioning
  3. Set default groups for new users
  4. Save changes

Benefits:

  • No need to pre-invite users
  • Users created automatically on first login
  • Assigned to default groups automatically

SSO Enforcement

Require all users to use SSO:

  1. Configure and test SSO first
  2. Enable Require SSO for all users
  3. Other login methods are disabled
  4. Users must authenticate via IdP

Warning

Test SSO thoroughly before enforcing it to avoid locking out users.

Troubleshooting

Common Issues

"Invalid issuer" error:

  • Verify Issuer URL is correct
  • Check for trailing slashes

"Redirect URI mismatch":

  • Ensure redirect URI in IdP matches exactly
  • Check for http vs https

"Attribute mapping failed":

  • Verify IdP sends required attributes (email)
  • Check attribute names match configuration

Users can't log in after enabling SSO:

  • Verify SSO is working via test button
  • Check user exists in IdP
  • Review Console audit logs
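
A pre-flight check for the first three errors above, as an added example (not part of Console or its documentation). The function names and sample values are assumptions; only the redirect URI and the email/name mapping come from this page.

```python
from urllib.parse import urlsplit

# Redirect URI and required attributes are taken from this page.
CONSOLE_REDIRECT_URI = "https://console.solucao42.com.br/auth/callback"
REQUIRED_CLAIMS = ("email", "name")

def check_issuer(configured, discovery_doc):
    """Compare the configured Issuer URL with the 'issuer' the IdP advertises."""
    findings = []
    advertised = discovery_doc.get("issuer", "")
    if urlsplit(configured).scheme != "https":
        findings.append("issuer: not https")
    if configured != advertised:  # the match is an exact string comparison
        if configured.rstrip("/") == advertised.rstrip("/"):
            findings.append("issuer: trailing slash differs from IdP value")
        else:
            findings.append("issuer: does not match IdP value")
    return findings

def check_redirect(registered_uris, expected=CONSOLE_REDIRECT_URI):
    """Explain why the expected redirect URI is not among those registered."""
    if expected in registered_uris:
        return []
    want = urlsplit(expected)
    for uri in registered_uris:
        got = urlsplit(uri)
        if (got.netloc, got.path) == (want.netloc, want.path) and got.scheme != want.scheme:
            return [f"redirect: registered with {got.scheme}, expected {want.scheme}"]
        if uri.rstrip("/") == expected.rstrip("/"):
            return ["redirect: trailing slash differs"]
    return ["redirect: expected URI not registered at IdP"]

def check_claims(id_token_claims):
    """Report mapped attributes the IdP did not send (or sent empty)."""
    return [f"claims: missing '{c}'" for c in REQUIRED_CLAIMS if not id_token_claims.get(c)]

def preflight(configured_issuer, discovery_doc, registered_uris, id_token_claims):
    return (check_issuer(configured_issuer, discovery_doc)
            + check_redirect(registered_uris) + check_claims(id_token_claims))

if __name__ == "__main__":
    # Constructed sample: values typed into Console vs. what the IdP reports.
    discovery = {"issuer": "https://your-domain.okta.com"}
    for finding in preflight("https://your-domain.okta.com/", discovery,
                             ["http://console.solucao42.com.br/auth/callback"],
                             {"email": "user@example.com"}):
        print(finding)
```

The discovery document is what the IdP serves at the issuer's /.well-known/openid-configuration path; the claims are those from a test login's ID token.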

Need Help?

Contact [email protected] for SSO configuration assistance.