Guides → Configure SSO

Incorta enables you to use your single sign-on (SSO) provider to be able to login. Using SSO requires configuring both Incorta and your SSO provider. The SSO configuration is done per tenant. If you have more than one tenant, you will have to configure each one to use your SSO. Configuring an Incorta tenant is done through the Incorta Cluster Management Console (CMC).

Incorta supports multiple SSO providers, such as Okta and Auth0, as well as providers that use the Security Assertion Markup Language 2.0 (SAML2) protocol. In addition to any other SSO provider that might not be listed that you can configure through the custom settings in the CMC.

Single Logout (SLO)

Starting 2024.1.5, Incorta supports Single Logout (SLO) for SAML2 SSO identity providers, including Azure Active Directory (AD) and OneLogin. When users sign out from Incorta, they are automatically signed out from their SAML2 SSO identity providers. In releases before 2024.1.5, when users sign out, they are signed out from Incorta only.

  • The Single Logout URL on both Incorta and the identity provider must be set to Incorta’s login page URL, for example, https://myCluster.cloud.incorta.com/incorta/!myTenant/ or https://10.10.1.5:8080/incorta/!myTenant/.
  • In the case of OneLogin, set the SAML initiator option to Service Provider.
  • Update the SSO configurations on Incorta and add the following settings:
    • onelogin.saml2.idp.single_logout_service.url: The logout URL provided in your SSO provider's metadata.xml
    • onelogin.saml2.sp.single_logout_service.url: Incorta’s login URL, for example, https://myCluster.cloud.incorta.com/incorta/!myTenant/ or https://10.10.1.5:8080/incorta/!myTenant/
    • onelogin.saml2.sp.single_logout_service.response.url: Incorta’s login URL

Configure your SSO in Incorta

To log in using your SSO, you need to configure your tenant(s) to use SSO as well as configure your SSO provider to use Incorta.

The following configuration steps are generic for how to configure an SSO provider in Incorta:

  • Open the CMC and log in.
  • Select Clusters > cluster-name > Tenants > tenant-name.
  • Select Configure.
  • Select panel, choose Security.
  • Configure the following properties to start using your SSO:
PropertyDescription
Authentication TypeSelect the authentication type that you will use for the chosen tenant. In this case, it will be SSO.
Provider TypeSelect the SSO provider you are going to use. Current available values:

  ●  SAML2
  ●  Okta
  ●  Auth0
  ●  Custom
Provider nameThis property is only available when you choose Custom as a provider type. Enter the SSO provider name that you are using.
Provider configurationsEnter the properties or XML configurations for the SSO provider you have selected.
Note

You must apply the upcoming steps whether you are configuring your SSO for the first time or upgrading your Incorta cluster.

  • From the Clusters tab, select cluster-name > Cluster Configurations > Default Tenant Configurations.
  • From the left pane, select Email.
  • Configure the Server URL Protocol, Server Name, and Server Port.

If you are configuring the SSO for the first time, you must restart Incorta services.

Note

If you are just updating the settings for the SSO you are already using, you do not need to restart Incorta services.

Refer to the respective SSO document for more information about its configuration.

Below are the common configuration properties you will need to add in the Provider configurations.

ADFS

ConfigurationDescription
onelogin.saml2.sp.entityidThe value of entityID you configured in ADFS.
onelogin.saml2.sp.assertion_consumer_service.urlThe value of Reply URL in ADFS. Use this format: https://<cluster_URL>/incorta/!<tenant-name>/
onelogin.saml2.idp.entityidThe value of the entityID attribute in your ADFS metadata .xml file.
onelogin.saml2.idp.single_sign_on_service.urlThe value of the Location attribute in the SingleSignOnService tag in ADFS metadata .xml file.
onelogin.saml2.idp.x509certThe value of the X509Certificate in ADFS metadata .xml file.
onelogin.saml2.idp.single_logout_service.urlThe logout URL provided in your SSO provider's metadata.xml
onelogin.saml2.sp.single_logout_service.urlIncorta’s login URL, for example, https://myCluster.cloud.incorta.com/incorta/!myTenant/ or https://10.10.1.5:8080/incorta/!myTenant/
For releases before 2024.1.5, a logout redirect URL was added instead of Incorta's login URL. For example, http:///MyCluster.cloud.incorta.com/incorta/logout.jsp?rediredtUrl=
onelogin.saml2.sp.single_logout_service.response.urlIncorta’s login URL, for example, https://myCluster.cloud.incorta.com/incorta/!myTenant/ or https://10.10.1.5:8080/incorta/!myTenant/

IBM CIS

ConfigurationDescription
onelogin.saml2.sp.entityidThe value of Provider ID you configured in IBM CIS.
onelogin.saml2.sp.assertion_consumer_service.urlthe value of Assertion Consumer Service URL (ACS) in CIS. Use this format: https://<cluster-URL>/incorta/!<tenant-name>/.
onelogin.saml2.idp.entityidThe value of the entityID attribute in your IBM CIS metadata .xml file.
onelogin.saml2.idp.single_sign_on_service.urlThe value of the entityID attribute in your IBM CIS metadata .xml file.
onelogin.saml2.idp.x509certThe value of the X509Certificate in IBM CIS metadata .xml file.
onelogin.saml2.idp.single_logout_service.urlThe logout URL provided in your SSO provider's metadata.xml
onelogin.saml2.sp.single_logout_service.urlIncorta’s login URL, for example, https://myCluster.cloud.incorta.com/incorta/!myTenant/ or https://10.10.1.5:8080/incorta/!myTenant/
For releases before 2024.1.5, a logout redirect URL was added instead of Incorta's login URL. For example, http:///MyCluster.cloud.incorta.com/incorta/logout.jsp?rediredtUrl=
onelogin.saml2.sp.single_logout_service.response.urlIncorta’s login URL, for example, https://myCluster.cloud.incorta.com/incorta/!myTenant/ or https://10.10.1.5:8080/incorta/!myTenant/

OneLogin

ConfigurationDescription
onelogin.saml2.idp.entityidThe value of the entityID in the EntityDescriptor tag in the SAML metadata file.
onelogin.saml2.idp.single_sign_on_service.urlThe value of the Location attribute in the SingleSignOnService tag in the SAML metadata file.
onelogin.saml2.idp.x509certThe value of the X509Certificate in the SAML metadata file.
onelogin.saml2.idp.single_logout_service.urlThe logout URL provided in your SSO provider's metadata.xml
onelogin.saml2.sp.single_logout_service.urlIncorta’s login URL, for example, https://myCluster.cloud.incorta.com/incorta/!myTenant/ or https://10.10.1.5:8080/incorta/!myTenant/
onelogin.saml2.sp.single_logout_service.response.urlIncorta’s login URL, for example, https://myCluster.cloud.incorta.com/incorta/!myTenant/ or https://10.10.1.5:8080/incorta/!myTenant/