Manage single sign-on


CloudSSO supports SAML 2.0-based single sign-on (SSO), where Alibaba Cloud is the service provider (SP) and your corporate identity system is the identity provider (IdP). With SSO, employees sign in to CloudSSO using their corporate IdP credentials.

Manage identity provider (IdP) information

To use SSO, configure your identity provider (IdP) information and enable SSO. You can upload a metadata file or configure the IdP manually. Manual configuration supports only three properties: Entity ID, Logon URL, and SAML signing certificate. To configure additional IdP properties, generate a metadata file from your IdP and upload it.

Configure IdP information

Configure your IdP information before enabling SSO.

  1. Log on to the CloudSSO console.

  2. In the left-side navigation pane, click Settings.

  3. On the User Setting tab, in the SSO Logon section, click Configure IdP under IdP Information.

  4. In the Configure IdP dialog box, select Upload Metadata File or Manual Configuration, and then provide the IdP information. Get the metadata file or configuration details from your identity provider.

    • Upload Metadata File

      Click Upload File to upload the IdP metadata file.

    • Manual Configuration

      • Entity ID: The identifier for the identity provider.

      • Logon URL: The logon URL of the identity provider.

      • Certificate: The certificate that the identity provider uses to sign SAML responses. X.509 certificates in PEM format are supported. You can click Upload Certificate to upload the certificate from your identity provider.

  5. Click OK.
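The three manual-configuration fields above are exactly what an IdP metadata file carries. The following Go program is an added example, not CloudSSO's code: it pulls the Entity ID, the logon URL and every signing certificate out of a constructed metadata document (the URLs and certificate placeholders are constructed), keeping both signing certificates that an IdP publishes mid-rotation and ignoring the encryption-only key.

```go
package main

import (
	"encoding/xml"
	"errors"
	"strings"
)

// Minimal view of SAML 2.0 IdP metadata; encoding/xml matches by local name, so namespace prefixes do not matter.
type entityDescriptor struct {
	EntityID string `xml:"entityID,attr"`
	Keys     []struct {
		Use  string `xml:"use,attr"`
		Cert string `xml:"KeyInfo>X509Data>X509Certificate"`
	} `xml:"IDPSSODescriptor>KeyDescriptor"`
	SSO []struct {
		Binding  string `xml:"Binding,attr"`
		Location string `xml:"Location,attr"`
	} `xml:"IDPSSODescriptor>SingleSignOnService"`
}

// sampleMetadata is constructed (not from a real IdP): old and new signing certs as seen mid-rotation, plus an encryption cert to be ignored.
const sampleMetadata = `<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/metadata"><md:IDPSSODescriptor>
<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER-OLD-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER-NEW-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
<md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER-ENC-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.example.com/sso/post"/>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.com/sso/redirect"/>
</md:IDPSSODescriptor></md:EntityDescriptor>`

// parseIdPMetadata returns the Entity ID, the logon URL (HTTP-Redirect preferred, HTTP-POST as fallback)
// and every signing certificate, which is what the manual-configuration dialog asks for.
func parseIdPMetadata(doc string) (entityID, logonURL string, signingCerts []string, err error) {
	var ed entityDescriptor
	if err = xml.Unmarshal([]byte(doc), &ed); err != nil {
		return "", "", nil, err
	}
	for _, s := range ed.SSO {
		if strings.HasSuffix(s.Binding, "HTTP-Redirect") || (logonURL == "" && strings.HasSuffix(s.Binding, "HTTP-POST")) {
			logonURL = s.Location
		}
	}
	for _, k := range ed.Keys {
		if k.Use == "signing" || k.Use == "" { // no "use" attribute means the key serves signing and encryption
			signingCerts = append(signingCerts, strings.Join(strings.Fields(k.Cert), ""))
		}
	}
	if ed.EntityID == "" || logonURL == "" || len(signingCerts) == 0 {
		return "", "", nil, errors.New("metadata lacks an entityID, an SSO logon URL, or a signing certificate")
	}
	return ed.EntityID, logonURL, signingCerts, nil
}
```

Running it against a real IdP metadata file tells you which values to type into the dialog and whether the file lists more than one signing certificate.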

Update IdP information

You can update IdP information regardless of whether SSO is enabled. However, updating while SSO is enabled may cause SSO to fail if the new configuration does not match what your IdP actually uses. Proceed with caution.

  1. In the IdP Information section, click Configure IdP.

  2. In the Configure IdP dialog box, select a configuration method, modify the configuration, re-upload a certificate or metadata file, and then click OK.

Clear IdP information

You can clear IdP information only when SSO is disabled.

Warning

After clearing IdP information, you cannot use SSO.

  1. In the IdP Information section, click Clear IdP Information.

  2. In the Clear IdP Information dialog box, click OK.

Rotate SAML signing certificates

Periodically rotate the SAML signing certificate from your IdP. Upload a new certificate before the old one expires. During the transition, CloudSSO validates SAML signatures against both certificates and trusts the sign-in if either passes. After confirming the new certificate is active and the old one is no longer in use, delete the old one.

Warning

Deleting a SAML signing certificate that is in use causes SSO to fail. Proceed with caution.

  1. In the IdP Information section, click Manage to the right of SAML Signature Certificate.

  2. In the Certificate dialog box, rotate the SAML signing certificate.

    1. Click Upload New Certificate to upload the new certificate obtained from your corporate IdP.

    2. Confirm that your corporate IdP uses the new certificate to sign SAML responses, then sign in to the CloudSSO user portal via SSO to verify.

    3. After confirming the new certificate is active and the old one is retired, click Delete in the Actions column for the old certificate.

    4. Click OK to complete the SAML signing certificate rotation.
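The rotation rule above (a sign-in is trusted if either uploaded certificate validates the SAML signature) is easy to model. The following Go program is an added example and not CloudSSO's code: it generates two self-signed stand-in IdP certificates (constructed; a real IdP's certificate is uploaded, not generated), signs a constructed response body, and checks that a signature from the old certificate is accepted while both are uploaded and rejected once the old one is deleted.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"math/big"
	"time"
)

// newIdPCert builds a self-signed RSA certificate standing in for one IdP SAML signing certificate
// (constructed for this demo; in practice the IdP's real certificate is uploaded, not generated).
func newIdPCert(serial int64) (*rsa.PrivateKey, *x509.Certificate) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { panic(err) }
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { panic(err) }
	cert, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return key, cert
}

// signResponse signs a SAML response body with RSA-SHA256 the way an IdP would.
func signResponse(key *rsa.PrivateKey, body []byte) []byte {
	digest := sha256.Sum256(body)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil { panic(err) }
	return sig
}

// trustedByAny mirrors the rotation-window rule: accept if any uploaded IdP certificate verifies the signature.
func trustedByAny(uploaded []*x509.Certificate, body, sig []byte) bool {
	for _, c := range uploaded {
		if c.CheckSignature(x509.SHA256WithRSA, body, sig) == nil {
			return true
		}
	}
	return false
}

// rotationDrill walks the documented order: upload the new certificate (both trusted), confirm the IdP
// signs with it, then delete the old one. It returns false if any step behaves differently than expected.
func rotationDrill() bool {
	oldKey, oldCert := newIdPCert(1)
	newKey, newCert := newIdPCert(2)
	body := []byte(`<samlp:Response ID="constructed-sample">...</samlp:Response>`) // constructed stand-in
	window := []*x509.Certificate{oldCert, newCert}
	return trustedByAny(window, body, signResponse(oldKey, body)) && // old cert still signing: accepted
		trustedByAny(window, body, signResponse(newKey, body)) && // IdP switched to the new cert: accepted
		!trustedByAny([]*x509.Certificate{newCert}, body, signResponse(oldKey, body)) // old cert deleted: rejected
}
```

The last check is the failure mode the warning above describes: delete the old certificate while the IdP still signs with it and every sign-in is rejected.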

Manage service provider (SP) information

Obtain SP metadata

To configure SSO in your IdP, download the SP metadata file from the SP Information section, or copy the ACS URL and Entity ID for manual IdP configuration.

Note

If access acceleration is enabled, use the ACS URL (Accelerated) when configuring SSO in your IdP. This URL accelerates access from outside the Chinese mainland.

Set the SAML request signature algorithm

In the SP Information section, click Edit next to Signature Algorithm for IdP Request to set the SAML request signing algorithm. The default is SHA1. You can also select SHA256.

Set SAML assertion encryption

In the SP Information section, click Edit next to SAML Assertion Encryption for IdP Response to specify whether the IdP must encrypt SAML assertions. If you select Encrypt, the IdP must encrypt each assertion and the SP decrypts it.

Manage service provider (SP) CA certificates (invitational preview)

CloudSSO uses self-signed certificates by default. If your organization requires SP signing certificates from a trusted certificate authority (CA), apply for a CA certificate.

Important

The CA certificate feature is in invitational preview. Contact your Alibaba Cloud service manager to request access.

Algorithms supported by CA certificates

The SP metadata contains a signing certificate and an assertion encryption certificate with the following supported algorithms:

Validity period of CA certificates

A CA certificate is valid for one year and must be rotated annually. The console displays the exact expiration date.

Enable CA certificates

In the SP Information section, turn on the Use Certificate Signed by Trusted CA switch to enable CA certificates.

Enabling CA certificates automatically disables the self-signed certificates.

Rotate CA certificates

The rotation window opens 80 days before expiration. During this period, the CloudSSO console prompts you to replace the certificate. Both the new and old certificates remain valid during this period. Update the certificate as early as possible.

  1. In the SSO Logon section, download the SP metadata file that uses the latest CA certificate from the SP Information section.

  2. In your corporate IdP, configure both the new and old certificates.

  3. In your corporate IdP, use only the new certificate to verify that SSO works.

    If it works, you can delete the old certificate. You can also retain the old certificate without affecting SSO.

Enable or disable single sign-on

Enable single sign-on

After you configure the IdP information, you can enable SSO.

Note

When you enable SSO, username-password logon is automatically disabled.

  1. On the User Setting tab, in the SSO Logon section, turn on the SSO switch.

  2. In the Enable SSO Logon dialog box, click OK.

Disable single sign-on

Note

When you disable SSO, username-password logon is automatically enabled.

  1. On the User Setting tab, in the SSO Logon section, turn off the SSO switch.

  2. In the Disable SSO Logon dialog box, click OK.