Guides → Configure SSO

Incorta enables you to use your single sign-on (SSO) provider to be able to login. Using SSO requires configuring both Incorta and your SSO provider. The SSO configuration is done per tenant. If you have more than one tenant, you will have to configure each one to use your SSO. Configuring an Incorta tenant is done through the Incorta Cluster Management Console (CMC).

Incorta supports multiple SSO providers, such as Okta and Auth0, as well as providers that use the Security Assertion Markup Language 2.0 (SAML2) protocol. In addition to any other SSO provider that might not be listed that you can configure through the custom settings in the CMC.

Configure your SSO in Incorta

To login using your SSO, you need to configure your tenant(s) to use SSO as well as configure your SSO provider to use Incorta.

The following configuration steps are generic for how to configure an SSO provider in Incorta:

  • Open the CMC and login.
  • Select Clusters > cluster-name > Tenants > tenant-name.
  • Select Configure.
  • Select panel, choose Security.
  • Configure the following properties to start using your SSO:
PropertyDescription
Authentication TypeSelect the authentication type that you will use for the chosen tenant. In this case, it will be SSO.
Provider TypeSelect the SSO provider you are going to use. Current available values:

  ●  SAML2
  ●  Okta
  ●  Auth0
  ●  Custom
Provider nameThis property is only available when you choose Custom as a provider type. Enter the SSO provider name that you are using.
Provider configurationsEnter the properties or XML configurations for the SSO provider you have selected.
Note

You must apply the upcoming steps whether you are configuring your SSO for the first time or upgrading your Incorta cluster.

  • From the Clusters tab, select cluster-name > Cluster Configurations > Default Tenant Configurations.
  • From the left pane, select Email.
  • Configure the Server URL Protocol, Server Name, and Server Port.

If you are configuring the SSO for the first time, you must restart Incorta services.

Note

If you are just updating the settings for the SSO you are already using, you do not need to restart Incorta services.

Refer to the respective SSO document for more information about its configuration.

Below are the common configuration properties you will need to add in the Provider configurations.

ADFS

ConfigurationDescription
onelogin.saml2.sp.entityidThe value of entityID you configured in ADFS.
onelogin.saml2.sp.assertion_consumer_service.urlThe value of Reply URL in ADFS. Use this format: https://<Incorta-instance-address>/incorta/!<tenant-name>/
onelogin.saml2.sp.single_logout_service.urlYour Incorta URL plus a logout redirect, For example, http:///<Incorta-instance-address>/incorta/logout.jsp?rediredtUrl=
onelogin.saml2.idp.entityidThe value of the entityID attribute in your ADFS metadata .xml file.
onelogin.saml2.idp.single_sign_on_service.urlThe value of the Location attribute in the SingleSignOnService tag in ADFS metadata .xml file.
onelogin.saml2.idp.single_logout_service.url.https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0
onelogin.saml2.idp.x509certThe value of the X509Certificate in ADFS metadata .xml file.

IBM CIS

ConfigurationDescription
onelogin.saml2.sp.entityidThe value of Provider ID you configured in IBM CIS.
onelogin.saml2.sp.assertion_consumer_service.urlthe value of Assertion Consumer Service URL (ACS) in CIS. Use this format: https://<Incorta-instance-address>/incorta/!<tenant-name>/.
onelogin.saml2.sp.single_logout_service.urlYour Incorta URL plus a logout redirect, For example, http:///<Incorta-instance-address>/incorta/logout.jsp?rediredtUrl=.
onelogin.saml2.idp.entityidThe value of the entityID attribute in your IBM CIS metadata .xml file.
onelogin.saml2.idp.single_sign_on_service.urlThe value of the entityID attribute in your IBM CIS metadata .xml file.
onelogin.saml2.idp.single_logout_service.urlhttps://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0
onelogin.saml2.idp.x509certThe value of the X509Certificate in IBM CIS metadata .xml file.

OneLogin

ConfigurationDescription
onelogin.saml2.idp.entityidThe value of the entityID in the EntityDescriptor tag in the SAML metadata file.
onelogin.saml2.idp.single_sign_on_service.urlThe value of the Location attribute in the SingleSignOnService tag in the SAML metadata file.
onelogin.saml2.idp.single_logout_service.urlhttps://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0
onelogin.saml2.idp.x509certThe value of the X509Certificate in the SAML metadata file.