Single Sign-On (SSO)

Configure single sign-on with your identity provider for centralized authentication.

Supported Identity Providers

Strongly supports SSO integration with:

  • SAML 2.0: Okta, OneLogin, Azure AD, Google Workspace
  • OAuth 2.0/OIDC: Auth0, Keycloak, custom OAuth providers
  • LDAP/Active Directory: On-premises directory services

SAML Configuration

Prerequisites

Before configuring SAML SSO:

  1. Admin access to your identity provider
  2. Admin access to Strongly platform
  3. Metadata from your identity provider

Step 1: Configure Identity Provider

In your identity provider (Okta, Azure AD, etc.):

  1. Create new SAML application
  2. Use these settings:
    • SSO URL: https://your-domain.strongly.ai/auth/saml/acs
    • Entity ID: https://your-domain.strongly.ai
    • Name ID Format: EmailAddress
  3. Configure attribute mapping:
    • email → user.email
    • firstName → user.firstName
    • lastName → user.lastName
    • groups → user.groups (optional)
  4. Download metadata XML file

Step 2: Configure Strongly Platform

In Strongly platform:

  1. Go to Settings → Authentication → SSO
  2. Click Configure SAML
  3. Upload identity provider metadata XML
  4. Or enter manually:
    • SSO URL: Your IdP's SSO endpoint
    • Entity ID: Your IdP's entity ID
    • X.509 Certificate: Copy from metadata
  5. Configure user provisioning:
    • Auto-Create Users: Automatically create users on first login
    • Default Role: Role for new users (typically Viewer)
    • Group Mapping: Map IdP groups to platform roles
  6. Click Save Configuration
  7. Click Test Connection to verify setup

Step 3: Enable SSO

  1. Enable SSO Required toggle
  2. Optional: Keep password login enabled for admins (fallback)
  3. Click Activate SSO
  4. Users will be redirected to IdP on next login

OAuth/OIDC Configuration

Step 1: Register Application

In your OAuth provider:

  1. Create new OAuth application
  2. Configure redirect URIs:
    • https://your-domain.strongly.ai/auth/oauth/callback
  3. Note the Client ID and Client Secret
  4. Configure scopes:
    • openid
    • profile
    • email
    • groups (if available)

Step 2: Configure Strongly

  1. Go to Settings → Authentication → SSO
  2. Click Configure OAuth
  3. Enter OAuth settings:
    • Provider: Google, Auth0, Custom, etc.
    • Client ID: From your OAuth app
    • Client Secret: From your OAuth app
    • Authorization URL: Your provider's auth endpoint
    • Token URL: Your provider's token endpoint
    • User Info URL: Your provider's userinfo endpoint
  4. Configure user attribute mapping
  5. Click Save Configuration
  6. Test login flow

LDAP/Active Directory

Step 1: Configure LDAP Connection

  1. Go to Settings → Authentication → LDAP
  2. Enter LDAP server details:
    • Host: ldap.company.com
    • Port: 389 (LDAP) or 636 (LDAPS)
    • Base DN: dc=company,dc=com
    • Bind DN: Service account for LDAP queries
    • Bind Password: Service account password
  3. Test connection

Step 2: Configure User Search

Set up user search filters:

  • User Filter: (objectClass=person)
  • Username Attribute: sAMAccountName or uid
  • Email Attribute: mail
  • Name Attributes: givenName, sn

Step 3: Configure Group Mapping

Map LDAP groups to platform roles:

LDAP Group                                        Platform Role
cn=Platform-Admins,ou=Groups,dc=company,dc=com    Admin
cn=Developers,ou=Groups,dc=company,dc=com         Developer
cn=Business-Users,ou=Groups,dc=company,dc=com     Viewer

Group/Role Mapping

Automatic Role Assignment

Map identity provider groups to platform roles:

  1. Go to SSO → Group Mapping
  2. Click Add Mapping
  3. Enter IdP group name
  4. Select platform role
  5. Click Save

Example Mappings

IdP Group          Platform Role
platform-admins    Admin
engineering        Developer
data-science       Developer
stakeholders       Viewer
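How the user search filter from LDAP Step 2 and the two group tables above fit together, as an added example and not Strongly's own code: it combines the configured User Filter with the Username Attribute while escaping the typed username (RFC 4515 filter escaping), then resolves a platform role from a user's groups. The most-privileged-mapped-role-wins rule, case-insensitive group comparison and the Viewer fallback are assumptions about the platform's behaviour.

```python
# RFC 4515 escaping for values interpolated into a search filter, so that a
# username containing filter metacharacters cannot change the filter's structure.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def user_search_filter(username: str, user_filter: str = "(objectClass=person)",
                       username_attr: str = "sAMAccountName") -> str:
    """AND the configured User Filter with a match on the Username Attribute."""
    return f"(&{user_filter}({username_attr}={escape_filter_value(username)}))"


# Role precedence, most privileged first. Assumed behaviour: a user in several
# mapped groups gets the most privileged mapped role; with no mapped group the
# configured Default Role (typically Viewer) applies.
ROLE_RANK = {"Admin": 0, "Developer": 1, "Viewer": 2}

LDAP_GROUP_ROLES = {  # table from "Step 3: Configure Group Mapping"
    "cn=Platform-Admins,ou=Groups,dc=company,dc=com": "Admin",
    "cn=Developers,ou=Groups,dc=company,dc=com": "Developer",
    "cn=Business-Users,ou=Groups,dc=company,dc=com": "Viewer",
}
IDP_GROUP_ROLES = {  # table from "Example Mappings"
    "platform-admins": "Admin", "engineering": "Developer",
    "data-science": "Developer", "stakeholders": "Viewer",
}


def resolve_role(groups, mapping, default_role="Viewer"):
    """Pick the platform role for a user from the groups the IdP/LDAP reports.
    Group names and DNs are compared case-insensitively (an assumption for plain
    IdP group names; LDAP DN attribute types and cn values already match that way)."""
    table = {k.lower(): v for k, v in mapping.items()}
    roles = [table[g.lower()] for g in groups if g.lower() in table]
    if not roles:
        return default_role
    return min(roles, key=ROLE_RANK.__getitem__)
```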

Team Mapping

Automatically add users to teams based on IdP groups:

  1. Configure group mappings
  2. Enable Auto-Assign Teams
  3. Map groups to teams:
    • IdP group: "frontend-team" → Platform team: "Frontend"
    • IdP group: "backend-team" → Platform team: "Backend"

User Provisioning

Just-In-Time (JIT) Provisioning

Automatically create users on first login:

  1. Enable Auto-Create Users
  2. Set Default Role for new users
  3. Configure attribute mapping
  4. New users are created when they first log in via SSO

SCIM Provisioning

Sync users and groups from identity provider:

  1. Go to Settings → Authentication → SCIM
  2. Click Enable SCIM
  3. Copy SCIM endpoint URL and API token
  4. In your IdP, configure SCIM integration:
    • SCIM Base URL: From Strongly platform
    • Authentication: Bearer token from Strongly
  5. Enable user and group sync
  6. Test provisioning

User Lifecycle

SCIM manages full user lifecycle:

  • User Created: User created in Strongly when added to IdP
  • User Updated: Changes in IdP sync to Strongly
  • User Deactivated: User deactivated in Strongly when removed from IdP
  • Group Changes: Team membership updated based on groups

Security Best Practices

Enforce SSO

  1. Enable SSO Required for all users
  2. Disable password login
  3. Require MFA at identity provider level
  4. Monitor login failures

Certificate Management

  • Upload valid X.509 certificates
  • Set calendar reminders for certificate expiration
  • Rotate certificates before expiration
  • Test new certificates before activating

Backup Access

Always maintain emergency admin access:

  1. Keep one admin account with password login
  2. Store credentials securely (password manager)
  3. Use only in SSO outage scenarios
  4. Audit usage of backup accounts

Session Management

Configure session settings:

  • Session Timeout: Auto-logout after inactivity (default: 8 hours)
  • Absolute Timeout: Force re-login after time (default: 24 hours)
  • Concurrent Sessions: Allow/deny multiple sessions per user
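The difference between the two timeouts, as an added example that is not Strongly's own code: the idle timer resets on every request, the absolute timer runs from login and never resets, and a concurrency limit evicts the user's oldest session. The page's defaults (8 and 24 hours) are used; the limit of one concurrent session, the placeholder token format and the constructed clock are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Defaults from the Session Management settings; MAX_CONCURRENT is an assumed
# value standing in for the Allow/deny concurrent-sessions toggle.
IDLE_TIMEOUT = timedelta(hours=8)
ABSOLUTE_TIMEOUT = timedelta(hours=24)
MAX_CONCURRENT = 1
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed reference time


def at(hours: float) -> datetime:
    """Constructed clock: the point in time `hours` after T0."""
    return T0 + timedelta(hours=hours)


@dataclass
class Session:
    user: str
    created_at: datetime
    last_seen: datetime


class SessionStore:
    def __init__(self, idle=IDLE_TIMEOUT, absolute=ABSOLUTE_TIMEOUT, max_concurrent=MAX_CONCURRENT):
        self.idle, self.absolute, self.max_concurrent = idle, absolute, max_concurrent
        self.sessions = {}  # token -> Session
        self._counter = 0

    def login(self, user: str, now: datetime) -> str:
        """Create a session, evicting the user's oldest ones over the concurrency limit."""
        mine = sorted((t for t, s in self.sessions.items() if s.user == user),
                      key=lambda t: self.sessions[t].created_at)
        for token in mine[:max(0, len(mine) + 1 - self.max_concurrent)]:
            del self.sessions[token]
        self._counter += 1
        token = f"tok{self._counter}"  # placeholder; real tokens come from secrets.token_urlsafe()
        self.sessions[token] = Session(user, now, now)
        return token

    def touch(self, token: str, now: datetime):
        """Return the session's user if it is still valid, else drop it and return None.
        Activity resets the idle timer; the absolute timer counts from login regardless."""
        s = self.sessions.get(token)
        if s is None:
            return None
        if now - s.last_seen > self.idle or now - s.created_at > self.absolute:
            del self.sessions[token]
            return None
        s.last_seen = now
        return s.user
```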

Troubleshooting

Common SAML Issues

Error: Invalid SAML Response

  • Check certificate is correct and not expired
  • Verify Entity ID matches exactly
  • Ensure SSO URL is correct

Error: User Not Found

  • Enable auto-create users
  • Check attribute mapping (email field)
  • Verify user email in IdP

Error: Authentication Failed

  • Check time sync between IdP and platform
  • Verify metadata is up to date
  • Test connection from SSO settings
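The checks behind the three SAML errors above, as an added example rather than Strongly's own code: it validates a response against the Step 1 settings (SSO URL as Destination, Entity ID as Audience, EmailAddress NameID, the email/firstName/lastName/groups attributes) and reports which check failed. The 2-minute clock-skew tolerance and the sample response are assumptions (`your-domain` is the docs' placeholder); XML signature verification is assumed to have been done already by the platform's SAML library, which this code does not replace.

```python
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Settings from SAML Step 1 ("your-domain" is the docs' placeholder).
ACS_URL = "https://your-domain.strongly.ai/auth/saml/acs"
ENTITY_ID = "https://your-domain.strongly.ai"
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
CLOCK_SKEW = timedelta(minutes=2)  # assumed tolerance for IdP/platform clock drift


def _ts(value: str) -> datetime:  # SAML timestamps look like 2024-01-01T12:00:00Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_response(xml_text: str, now_iso: str) -> dict:
    """Check Destination, Audience, validity window and NameID of a signature-verified response."""
    now, root = _ts(now_iso), ET.fromstring(xml_text)
    if root.get("Destination") != ACS_URL:
        raise ValueError("Destination does not match the SSO URL")
    a, cond = root.find("saml:Assertion", NS), root.find("saml:Assertion/saml:Conditions", NS)
    if cond is None:
        raise ValueError("response carries no Assertion/Conditions")
    aud = cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if aud != ENTITY_ID:  # exact string match: scheme, host and any trailing slash all count
        raise ValueError(f"Audience {aud!r} does not match Entity ID")
    if (now < _ts(cond.get("NotBefore")) - CLOCK_SKEW
            or now >= _ts(cond.get("NotOnOrAfter")) + CLOCK_SKEW):
        raise ValueError("assertion outside validity window (check time sync)")
    nid = a.find("saml:Subject/saml:NameID", NS)
    if nid is None or nid.get("Format") != EMAIL_FMT:
        raise ValueError("NameID format is not EmailAddress")
    attrs = {}
    for attr in a.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        vals = [v.text for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = vals if attr.get("Name") == "groups" else (vals[0] if vals else None)
    missing = {"email", "firstName", "lastName"} - attrs.keys()  # Step 1 attribute mapping
    if missing:
        raise ValueError(f"missing attributes: {sorted(missing)}")
    return {"nameId": nid.text, **attrs}


SAMPLE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
 Destination="{ACS_URL}" ID="_r1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Subject><saml:NameID Format="{EMAIL_FMT}">alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
   <saml:AudienceRestriction><saml:Audience>{ENTITY_ID}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement><saml:Attribute Name="email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="firstName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute><saml:Attribute Name="lastName"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="groups"><saml:AttributeValue>platform-admins</saml:AttributeValue><saml:AttributeValue>engineering</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement></saml:Assertion></samlp:Response>"""  # constructed, unsigned sample; not a real IdP response
```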

Testing SSO

Before enforcing SSO for all users:

  1. Test with one user account
  2. Verify user attributes are correct
  3. Test role and team assignment
  4. Confirm logout works properly
  5. Test with different browsers

Audit Logs

Monitor SSO authentication:

  1. Go to Settings → Audit Logs
  2. Filter by authentication events
  3. Look for failed logins
  4. Review unusual login patterns

Important

Always test SSO configuration thoroughly before enforcing it. Keep a backup admin account with password login in case of SSO issues.