Single Sign On (SSO)
SSO / SAML Integrations
Integrating with Demyst's SAML service is easy!
To allow your users to log in to the Demyst platform using the same credentials they use to sign in to your own services, Demyst offers a SAML SSO integration point.
The client integrating with Demyst needs two values from Demyst: the metadata_url and the assertion_consumer_service_url.
Demyst's metadata_url and assertion_consumer_service_url are the same no matter which organization we are integrating with. They are unique per environment (dev / stg / prod).
- metadata_url: /console/saml/metadata
- assertion_consumer_service_url: /console/saml/consume
Metadata URL Examples
Staging metadata_url : https://stg.demyst.com/console/saml/metadata
Production metadata_url : https://demyst.com/console/saml/metadata
Assertion Consumer Service ("ACS") URL Examples
Staging assertion_consumer_service_url : https://stg.demyst.com/console/saml/consume
Production assertion_consumer_service_url : https://demyst.com/console/saml/consume
Demyst needs four things from the client to complete the integration.
The integration is configured in the Demyst platform here:
https://demyst.com/app/settings
If a metadata file is available from the SAML service, Demyst can extract all of these items automatically from the metadata file via the upload function on that page.
Otherwise, the following elements should be populated as noted:
- SSO Issuer : Identifies the organization
- SSO Target URL : The url where client users go to log into the Demyst platform using their existing credentials
- SSO Cert Fingerprint : identifies the certificate used to sign SAML responses from the organization
- SSO Cert Fingerprint Algorithm : identifies the algorithm used to fingerprint the certificate
Demyst can determine the SSO Cert Fingerprint and the SSO Cert Fingerprint Algorithm from the SSO certificate, so it is not necessary to send the fingerprint and algorithm directly.
Examples:
SSO Issuer: http://www.okta.com/abc123
SSO Target URL: https://myorg.okta.com/app/some_prefix/abc123/sso/saml
SSO Cert Fingerprint: 9B:0E:BB[...]4C:0D:3A
SSO Cert Fingerprint Algorithm: http://www.w3.org/2000/09/xmldsig#sha256
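The four settings above can be read straight out of an IdP metadata document, which is what the upload function does. The following is an added example, not Demyst's own code: it parses a constructed metadata file (the entityID and SSO URL are copied from the examples above; the X509Certificate body is the base64 of the bytes "abc", a placeholder standing in for DER certificate bytes rather than a real certificate), computes the SHA-256 fingerprint in the colon-separated form shown above, and includes the comparison a service provider performs at login time between the configured fingerprint and the certificate that arrives in a SAML response.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Namespaces used by SAML 2.0 metadata and XML Signature.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Fingerprint algorithm identifier in the form the Demyst settings page shows.
FINGERPRINT_ALGORITHM = "http://www.w3.org/2000/09/xmldsig#sha256"

# Constructed sample IdP metadata. The entityID and SSO Location mirror the
# page's examples; "YWJj" is base64 for b"abc", a placeholder for DER bytes,
# not a real certificate.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     entityID="http://www.okta.com/abc123">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>YWJj</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                            Location="https://myorg.okta.com/app/some_prefix/abc123/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER bytes, rendered as colon-separated uppercase hex."""
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def extract_sso_settings(metadata_xml: str) -> dict:
    """Pull the four values the settings page asks for out of IdP metadata."""
    root = ET.fromstring(metadata_xml)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor")
    issuer = root.attrib["entityID"]

    sso = root.find("md:IDPSSODescriptor/md:SingleSignOnService", NS)
    if sso is None:
        raise ValueError("metadata has no SingleSignOnService endpoint")
    target_url = sso.attrib["Location"]

    # Only the signing certificate matters for verifying SAML responses;
    # an encryption-only KeyDescriptor must not be picked up by mistake.
    cert_el = root.find(
        "md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']"
        "/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if cert_el is None or not (cert_el.text or "").strip():
        raise ValueError("metadata has no signing certificate")
    cert_der = base64.b64decode("".join(cert_el.text.split()))

    return {
        "sso_issuer": issuer,
        "sso_target_url": target_url,
        "sso_cert_fingerprint": fingerprint(cert_der),
        "sso_cert_fingerprint_algorithm": FINGERPRINT_ALGORITHM,
    }


def normalize_fingerprint(value: str) -> str:
    """Accept '9B:0E:..', '9b0e..' or '9b 0e ..' forms so comparisons are stable."""
    return "".join(ch for ch in value.upper() if ch in "0123456789ABCDEF")


def fingerprint_matches(configured: str, presented_cert_der: bytes) -> bool:
    """Compare the configured fingerprint with the certificate carried in a response.

    A constant-time comparison is used so the check does not leak how many
    leading bytes matched.
    """
    return hmac.compare_digest(
        normalize_fingerprint(configured),
        normalize_fingerprint(fingerprint(presented_cert_der)))
```

Pinning the fingerprint rather than trusting whatever certificate a response embeds is the whole point of the SSO Cert Fingerprint setting: a response signed with any other key, however valid its certificate chain, fails `fingerprint_matches` and is rejected.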
Once the integration is complete, members of the organization can sign in to the Demyst platform by visiting the URL that was provided as the SSO Target URL.
FAQ
- Q: With users logging in with SSO, how are we managing roles?
  A: It is through the platform just as it would be with any other org. It is possible to trigger JIT (just in time) provisioning with SAML which will create the user record.
- Q: Is our SSO setup Service Provider (SP) or Identity Provider (IDP) initiated?
  A: IDP - The client is the identity provider, Demyst is the service provider. The client initiates the SSO by visiting a URL they control, which then eventually ends up with them being logged into our service.
- Q: How do we manage existing users in the platform when moving to SSO?
  A: We have an optional setting that prevents logins using email and password, so users must use SSO to log in.
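The three FAQ answers describe service-provider behaviour that is easy to get wrong: roles live in the platform rather than in the assertion, JIT provisioning creates a record on first SAML login, and the optional setting turns email/password login off entirely. The following is an added example, not Demyst's code, that models those rules over a constructed in-memory user store; it assumes the SAML response has already been signature-checked before `login_with_saml` runs, and that the NameID is the user's email address (an assumption, not something the page states).

```python
from dataclasses import dataclass, field


@dataclass
class Organization:
    """Per-organization SSO settings as the FAQ describes them."""
    name: str
    sso_enabled: bool = False
    jit_provisioning: bool = False   # create a user record on first SAML login
    sso_required: bool = False       # the optional "no email/password login" setting


@dataclass
class User:
    email: str
    org: str
    role: str   # managed in the platform, never taken from the assertion


@dataclass
class Directory:
    """Constructed stand-in for the platform's user store, keyed by lowercase email."""
    users: dict = field(default_factory=dict)


def login_with_password(org: Organization, directory: Directory, email: str, password_ok: bool) -> User:
    """Email/password login: refused outright once the organization requires SSO."""
    if org.sso_required:
        raise PermissionError("password login disabled; sign in through SSO")
    user = directory.users.get(email.lower())
    if user is None or user.org != org.name or not password_ok:
        raise PermissionError("invalid credentials")
    return user


def login_with_saml(org: Organization, directory: Directory, name_id: str) -> User:
    """IdP-initiated login, called only after the SAML response was verified.

    Assumes NameID is an email address (assumption for this example).
    """
    if not org.sso_enabled:
        raise PermissionError("SSO is not configured for this organization")
    key = name_id.lower()
    user = directory.users.get(key)
    if user is None:
        if not org.jit_provisioning:
            raise PermissionError("unknown user and JIT provisioning is off")
        # JIT: create the record with the default role; admins change roles in the platform.
        user = User(email=key, org=org.name, role="member")
        directory.users[key] = user
    elif user.org != org.name:
        # An assertion from one organization's IdP must never log into another org's user.
        raise PermissionError("user belongs to a different organization")
    return user


def set_role(directory: Directory, email: str, role: str) -> None:
    """Role management stays in the platform, independent of SSO."""
    directory.users[email.lower()].role = role


def walkthrough() -> dict:
    """Constructed scenario exercising the three FAQ answers; returns what happened."""
    acme = Organization("acme", sso_enabled=True, jit_provisioning=True, sso_required=True)
    other = Organization("other", sso_enabled=True, jit_provisioning=False)
    directory = Directory()

    first = login_with_saml(acme, directory, "Alice@example.com")   # JIT creates the record
    jit_role = first.role
    set_role(directory, "alice@example.com", "admin")                # promoted in the platform
    second = login_with_saml(acme, directory, "alice@example.com")   # role survives next login

    try:
        login_with_password(acme, directory, "alice@example.com", password_ok=True)
        password_blocked = False
    except PermissionError:
        password_blocked = True

    try:
        login_with_saml(other, directory, "alice@example.com")
        cross_org_blocked = False
    except PermissionError:
        cross_org_blocked = True

    return {
        "jit_role": jit_role,
        "role_after_promotion": second.role,
        "password_blocked": password_blocked,
        "cross_org_blocked": cross_org_blocked,
        "user_count": len(directory.users),
    }
```

The cross-organization check is the detail worth keeping when adapting this: with several tenants on one platform, a valid assertion from one customer's IdP must map only to users of that customer's organization, or the IdP of one tenant could assert identities belonging to another.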
This document is a good reference for integrating Demyst SAML with Azure AD - https://blogs.oracle.com/blogbypuneeth/post/steps-to-configure-saml-sso-with-azure-as-idp-and-weblogic-server-as-sp