Configure SSO
Incorta enables you to log in using your single sign-on (SSO) provider. Using SSO requires configuring both Incorta and your SSO provider. SSO is configured per tenant, so if you have more than one tenant, you must configure each one to use your SSO. You configure an Incorta tenant through the Incorta Cluster Management Console (CMC).
Incorta supports multiple SSO providers, such as Okta and Auth0, as well as providers that use the Security Assertion Markup Language 2.0 (SAML2) protocol. You can also configure any other SSO provider that is not listed through the custom settings in the CMC.
Starting 2024.1.5, Incorta supports Single Logout (SLO) for SAML2 SSO identity providers, including Azure Active Directory (AD) and OneLogin. When users sign out from Incorta, they are automatically signed out from their SAML2 SSO identity providers. In releases before 2024.1.5, when users sign out, they are signed out from Incorta only.
- The Single Logout URL on both Incorta and the identity provider must be set to Incorta’s login page URL, for example, https://myCluster.cloud.incorta.com/incorta/!myTenant/ or https://10.10.1.5:8080/incorta/!myTenant/.
- In the case of OneLogin, set the SAML initiator option to Service Provider.
- Update the SSO configurations on Incorta and add the following settings:
  - onelogin.saml2.idp.single_logout_service.url: The logout URL provided in your SSO provider's metadata.xml
  - onelogin.saml2.sp.single_logout_service.url: Incorta’s login URL, for example, https://myCluster.cloud.incorta.com/incorta/!myTenant/ or https://10.10.1.5:8080/incorta/!myTenant/
  - onelogin.saml2.sp.single_logout_service.response.url: Incorta’s login URL
Configure your SSO in Incorta
To log in using your SSO, you need to configure your tenant(s) to use SSO as well as configure your SSO provider to use Incorta.
The following steps are the generic procedure for configuring an SSO provider in Incorta:
- Open the CMC and log in.
- Select Clusters > cluster-name > Tenants > tenant-name.
- Select Configure.
- From the panel, choose Security.
- Configure the following properties to start using your SSO:
Property | Description |
---|---|
Authentication Type | Select the authentication type that you will use for the chosen tenant. In this case, it will be SSO. |
Provider Type | Select the SSO provider you are going to use. Currently available values: ● SAML2 ● Okta ● Auth0 ● Custom |
Provider name | This property is only available when you choose Custom as a provider type. Enter the SSO provider name that you are using. |
Provider configurations | Enter the properties or XML configurations for the SSO provider you have selected. |
You must apply the upcoming steps whether you are configuring your SSO for the first time or upgrading your Incorta cluster.
- From the Clusters tab, select cluster-name > Cluster Configurations > Default Tenant Configurations.
- From the left pane, select Email.
- Configure the Server URL Protocol, Server Name, and Server Port.
If you are configuring the SSO for the first time, you must restart Incorta services.
If you are just updating the settings for the SSO you are already using, you do not need to restart Incorta services.
Refer to the respective SSO document for more information about its configuration.
Below are the common configuration properties you will need to add in the Provider configurations.
ADFS
Configuration | Description |
---|---|
onelogin.saml2.sp.entityid | The value of entityID you configured in ADFS. |
onelogin.saml2.sp.assertion_consumer_service.url | The value of Reply URL in ADFS. Use this format: https://<cluster_URL>/incorta/!<tenant-name>/ |
onelogin.saml2.idp.entityid | The value of the entityID attribute in your ADFS metadata .xml file. |
onelogin.saml2.idp.single_sign_on_service.url | The value of the Location attribute in the SingleSignOnService tag in ADFS metadata .xml file. |
onelogin.saml2.idp.x509cert | The value of the X509Certificate in ADFS metadata .xml file. |
onelogin.saml2.idp.single_logout_service.url | The logout URL provided in your SSO provider's metadata.xml |
onelogin.saml2.sp.single_logout_service.url | Incorta’s login URL, for example, https://myCluster.cloud.incorta.com/incorta/!myTenant/ or https://10.10.1.5:8080/incorta/!myTenant/ For releases before 2024.1.5, a logout redirect URL was added instead of Incorta's login URL. For example, http:///MyCluster.cloud.incorta.com/incorta/logout.jsp?rediredtUrl= |
onelogin.saml2.sp.single_logout_service.response.url | Incorta’s login URL, for example, https://myCluster.cloud.incorta.com/incorta/!myTenant/ or https://10.10.1.5:8080/incorta/!myTenant/ |
IBM CIS
Configuration | Description |
---|---|
onelogin.saml2.sp.entityid | The value of Provider ID you configured in IBM CIS. |
onelogin.saml2.sp.assertion_consumer_service.url | The value of Assertion Consumer Service URL (ACS) in CIS. Use this format: https://<cluster-URL>/incorta/!<tenant-name>/ |
onelogin.saml2.idp.entityid | The value of the entityID attribute in your IBM CIS metadata .xml file. |
onelogin.saml2.idp.single_sign_on_service.url | The value of the entityID attribute in your IBM CIS metadata .xml file. |
onelogin.saml2.idp.x509cert | The value of the X509Certificate in IBM CIS metadata .xml file. |
onelogin.saml2.idp.single_logout_service.url | The logout URL provided in your SSO provider's metadata.xml |
onelogin.saml2.sp.single_logout_service.url | Incorta’s login URL, for example, https://myCluster.cloud.incorta.com/incorta/!myTenant/ or https://10.10.1.5:8080/incorta/!myTenant/ For releases before 2024.1.5, a logout redirect URL was added instead of Incorta's login URL. For example, http:///MyCluster.cloud.incorta.com/incorta/logout.jsp?rediredtUrl= |
onelogin.saml2.sp.single_logout_service.response.url | Incorta’s login URL, for example, https://myCluster.cloud.incorta.com/incorta/!myTenant/ or https://10.10.1.5:8080/incorta/!myTenant/ |
OneLogin
Configuration | Description |
---|---|
onelogin.saml2.idp.entityid | The value of the entityID in the EntityDescriptor tag in the SAML metadata file. |
onelogin.saml2.idp.single_sign_on_service.url | The value of the Location attribute in the SingleSignOnService tag in the SAML metadata file. |
onelogin.saml2.idp.x509cert | The value of the X509Certificate in the SAML metadata file. |
onelogin.saml2.idp.single_logout_service.url | The logout URL provided in your SSO provider's metadata.xml |
onelogin.saml2.sp.single_logout_service.url | Incorta’s login URL, for example, https://myCluster.cloud.incorta.com/incorta/!myTenant/ or https://10.10.1.5:8080/incorta/!myTenant/ |
onelogin.saml2.sp.single_logout_service.response.url | Incorta’s login URL, for example, https://myCluster.cloud.incorta.com/incorta/!myTenant/ or https://10.10.1.5:8080/incorta/!myTenant/ |
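
The tables above map fields of the identity provider's metadata .xml file to Provider configurations properties. The following Python example is added here and is not Incorta's own tooling: following the ADFS and OneLogin tables, it reads the entityID, the SingleSignOnService Location, the X509Certificate and the logout URL from a metadata file, checks the Incorta login URL against the documented format, and returns the six properties. The function names, the sample metadata, the key=value output and the choice of the first endpoint listed are assumptions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
# Constructed sample metadata; the certificate value is a placeholder, not a real cert.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.test/saml">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
    PLACEHOLDER CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleLogoutService Binding="{REDIRECT}" Location="https://idp.example.test/slo"/>
  <md:SingleSignOnService Binding="{REDIRECT}" Location="https://idp.example.test/sso"/>
 </md:IDPSSODescriptor></md:EntityDescriptor>"""

def is_incorta_login_url(url):
    """True if url has the documented form https://<cluster_URL>/incorta/!<tenant-name>/."""
    p = urlparse(url)
    parts = p.path.split("/")  # "/incorta/!t/" -> ["", "incorta", "!t", ""]
    return (p.scheme == "https" and bool(p.netloc) and len(parts) == 4 and len(parts[2]) > 1
            and parts[1] == "incorta" and parts[2][0] == "!" and parts[3] == "")

def _location(root, tag):
    # Assumption: the root is an EntityDescriptor; the first endpoint listed is used.
    node = root.find(f"md:IDPSSODescriptor/md:{tag}", NS)
    return node.get("Location") if node is not None else None

def provider_properties(metadata_xml, incorta_login_url):
    """Build Provider configurations entries from IdP metadata and the tenant login URL."""
    if not is_incorta_login_url(incorta_login_url):
        raise ValueError(f"unexpected Incorta login URL: {incorta_login_url!r}")
    root = ET.fromstring(metadata_xml)
    cert = root.findtext("md:IDPSSODescriptor//ds:X509Certificate", default="", namespaces=NS)
    props = {
        "onelogin.saml2.idp.entityid": root.get("entityID"),
        "onelogin.saml2.idp.single_sign_on_service.url": _location(root, "SingleSignOnService"),
        "onelogin.saml2.idp.x509cert": "".join(cert.split()),  # drop line breaks and spaces
        "onelogin.saml2.idp.single_logout_service.url": _location(root, "SingleLogoutService"),
        "onelogin.saml2.sp.single_logout_service.url": incorta_login_url,
        "onelogin.saml2.sp.single_logout_service.response.url": incorta_login_url,
    }
    missing = [k for k, v in props.items() if not v]
    if missing:  # refuse to emit a partial configuration
        raise ValueError("not found in metadata: " + ", ".join(missing))
    return props

LOGIN_URL = "https://myCluster.cloud.incorta.com/incorta/!myTenant/"
for key, value in provider_properties(SAMPLE_METADATA, LOGIN_URL).items():
    print(f"{key}={value}")
```

Run it only on metadata obtained from your identity provider over a trusted channel, since the certificate it carries is the one used to verify the provider's SAML messages.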