Single Sign-On (SSO) - Application Information

Enabling Single Sign-On (SSO)

To enable single sign-on (SSO), follow these steps:
Locate the SSO toggle switch at the bottom of the Publish page of your game.
Switch the toggle to enable SSO for the game.


Important: Testing the SSO configuration can only be done using the direct link to your application. The SSO functionality will not work in preview mode.

SSO Configuration Options

When enabling SSO, you have three possible configuration options:

1. Use Inherited SSO Configuration

If you enable SSO but do not manually configure it within the app:
The system will use the SSO configuration defined at the workspace level.
If no configuration is available at the workspace level, it will fall back to the user-level configuration.
This allows you to manage SSO settings centrally without having to configure them separately for every game.
✅ Recommended if you want to apply the same SSO configuration across multiple games.

2. Configure SAML-Based SSO

If you choose to manually configure SAML, follow these steps:

Service Provider Details (Drimify provides these)

Service provider entity ID – Unique identifier for your game as a service provider.
Assertion Consumer Service (ACS) URL – URL where the IdP sends SAML assertions.
Single Logout Service (SLS) URL – URL used to manage single logout requests from the IdP.

These values are available once you enable SSO and must be entered into your Identity Provider (IdP).

Identity Provider Details (You must collect from your IdP)

Identity Provider Entity ID (Issuer URL) – e.g., https://idp.example.com/
Single Sign-On Service URL – e.g., https://idp.example.com/sso/saml
Single Logout Service URL – e.g., https://idp.example.com/slo/saml
X.509 Certificate – The IdP's signing certificate, used to verify the signature on the SAML responses and assertions it sends.
Encryption X.509 Certificate (Optional) – For encrypting SAML assertions.

Configuring Authentication Method (Optional)

When setting up Single Sign-On (SSO) in your Drimify account, you can define the authentication method (authenticationMethod), which specifies how users authenticate with the Identity Provider (IdP). This setting allows you to enforce a particular authentication level, ensuring compliance with your organisation's security policies.

You can choose from the following authentication methods:

Disable option – Removes this setting from the SSO configuration, preventing any specific authentication method from being enforced.
None (Allow IdP to decide) – No specific authentication method is enforced; the IdP determines the authentication mechanism.
Password Authentication – Standard username and password authentication.
Password Protected Transport – Password authentication over a protected transport layer (e.g. TLS).
X.509 Certificate Authentication – Authentication using an X.509 certificate.
PKI Authentication – Public Key Infrastructure (PKI)-based authentication.
Kerberos Authentication – Authentication via a Kerberos ticket.
Smartcard Authentication – Login using a smartcard.
Smartcard PKI Authentication – Smartcard authentication with PKI.
Time-Synchronous Token – One-time password (OTP) generated via time-synchronous tokens.
Mobile One-Factor / Two-Factor Authentication – Authentication via a mobile device, either with a single or two-factor method.
IP Address Authentication – Authenticates users based on their IP address.
IP Address with Password – Requires both IP-based authentication and a password.
Previous Session Authentication – Reuses a previously authenticated session.
Unspecified Authentication – No specific authentication method is defined.

To configure this in your form, simply select the desired method from the dropdown menu. If no method is explicitly set, the IdP will determine the authentication type.

If unsure, use None to let your IdP control the authentication method.

3. Configure OAuth-Based SSO

Alternatively, you can use OAuth instead of SAML for authentication.

OAuth Provider Options

You can select one of the following:
Keycloak
Custom

If using Keycloak, you'll need:

Client ID
Client Secret
Keycloak Server URL
Keycloak Realm
Keycloak Version

If using a Custom OAuth provider, you'll need:

Client ID
Client Secret
Authorization URL
Access Token URL
Resource Owner URL
Scopes (e.g., openid profile email)
ID Field (e.g., sub)
Email Field (e.g., email)
First Name Field (e.g., given_name)
Last Name Field (e.g., family_name)

Step-by-Step Summary

Enable SSO: Toggle the SSO switch in the game’s publish section.
Choose configuration method:

Use inherited workspace/user configuration, or
Manually configure SAML or OAuth.

Retrieve service provider details (if using SAML).
Enter Identity Provider or OAuth provider settings.
Save and test configuration using the direct application link (not preview mode).

Important Notes

🔐 Plan Requirement: Ensure your subscription includes the Premium SSO option.
🔗 Direct Link Testing: SSO only works through the direct app link, not in preview.
🔧 SSO Game Detail Setup: Ensure your SSO platform accepts calls from Drimify.
📋 Reference Guide: See the SSO configuration guide for detailed help.

Troubleshooting Tips

🛡️ SAML-Specific Issues

Incorrect ACS URL or Entity ID
Double-check that the Assertion Consumer Service (ACS) URL and Entity ID in your Identity Provider (IdP) match those provided by Drimify in your SSO configuration.
Invalid or Expired X.509 Certificate
Ensure the X.509 certificate added to your configuration is valid and has not expired. If it changes, be sure to update it in the configuration.
Authentication Method Not Supported
If you're enforcing a specific authentication method (like Smartcard or Kerberos) and login fails, try setting the method to "None" to let the IdP decide.
SAML assertions not being accepted
Confirm that your IdP is sending the assertion in the correct format (typically urn:oasis:names:tc:SAML:2.0:assertion) and that it includes the expected user fields (e.g., email).
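As an added illustration (not Drimify's code), the following Python checks a SAML Response against the values discussed above: the SP Entity ID and ACS URL Drimify shows, the IdP Entity ID you entered, the assertion namespace named in the tip above, the email attribute, and the SAML 2.0 AuthnContext class that each authenticationMethod name from the earlier section corresponds to. It assumes the response signature has already been verified with the IdP's X.509 certificate; the URLs and entity IDs in the sample are constructed placeholders, and the mobile one-/two-factor methods are left out of the mapping because SAML defines several variants of each.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

S = "{urn:oasis:names:tc:SAML:2.0:assertion}"   # assertion namespace named on the page
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"  # prefix of the SAML 2.0 AuthnContext class URNs
METHODS = {  # the page's authenticationMethod names -> AuthnContext class the IdP must report
    "Password Authentication": AC + "Password",
    "Password Protected Transport": AC + "PasswordProtectedTransport",
    "X.509 Certificate Authentication": AC + "X509",
    "PKI Authentication": AC + "PKI",
    "Kerberos Authentication": AC + "Kerberos",
    "Smartcard Authentication": AC + "Smartcard",
    "Smartcard PKI Authentication": AC + "SmartcardPKI",
    "Time-Synchronous Token": AC + "TimeSyncToken",
    "IP Address Authentication": AC + "InternetProtocol",
    "IP Address with Password": AC + "InternetProtocolPassword",
    "Previous Session Authentication": AC + "PreviousSession",
    "Unspecified Authentication": AC + "unspecified",
}
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://sp.example.test/acs"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion><saml:Issuer>https://idp.example.com/</saml:Issuer>
  <saml:Conditions NotOnOrAfter="2099-01-01T00:00:00Z"><saml:AudienceRestriction>
  <saml:Audience>sp-entity-id-placeholder</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  <saml:AuthnStatement><saml:AuthnContext><saml:AuthnContextClassRef>
  urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement>
  <saml:AttributeStatement><saml:Attribute Name="email"><saml:AttributeValue>user@example.com
  </saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>"""  # constructed

def check_response(xml_text, sp_entity_id, acs_url, idp_entity_id, method=None, now=None):
    """Return the problems found; [] means the assertion matches the SSO configuration."""
    root = ET.fromstring(xml_text)
    a = root.find(S + "Assertion")
    if a is None:  # wrong namespace or no assertion at all ("correct format" tip above)
        return ["no Assertion in the SAML 2.0 assertion namespace"]
    problems = []
    if root.get("Destination") != acs_url:  # must be the ACS URL Drimify shows
        problems.append("Destination does not match ACS URL")
    if a.findtext(S + "Issuer") != idp_entity_id:  # the IdP Entity ID you entered
        problems.append("Issuer does not match IdP Entity ID")
    if a.findtext(".//" + S + "Audience") != sp_entity_id:  # SP Entity ID from Drimify
        problems.append("Audience does not match SP Entity ID")
    expiry = a.find(S + "Conditions").get("NotOnOrAfter").replace("Z", "+00:00")
    if datetime.fromisoformat(expiry) <= (now or datetime.now(timezone.utc)):
        problems.append("assertion has expired (NotOnOrAfter)")
    ctx = (a.findtext(".//" + S + "AuthnContextClassRef") or "").strip()
    if method in METHODS and ctx != METHODS[method]:  # "None (Allow IdP to decide)" skips this
        problems.append(f"IdP used {ctx or 'no AuthnContext'}; configuration requires {METHODS[method]}")
    if not a.findtext(".//" + S + "Attribute[@Name='email']/" + S + "AttributeValue"):
        problems.append("no email attribute in the assertion")
    return problems
```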

🔐 OAuth-Specific Issues

Invalid Client ID or Secret
Make sure your Client ID and Client Secret are correctly copied from your OAuth provider dashboard. An incorrect pair will prevent authentication.
Wrong URLs (Authorization / Token / User Info)
Confirm that the Authorization URL, Access Token URL, and Resource Owner (User Info) URL are correct and publicly accessible. Typos or incorrect environments (e.g., dev vs prod) are common culprits.
Missing or Incorrect Scope
Ensure you’ve specified the correct scope(s) required to retrieve user information (e.g., openid email profile). Missing scopes may cause incomplete user data.
Missing or Misnamed Fields
If users are not being identified correctly, check that your ID field, Email field, First name, and Last name field names match the structure returned by your OAuth provider.
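As an added example (not Drimify's code) covering the Keycloak and Custom provider settings above and these troubleshooting tips: it derives the Authorization, Access Token and Resource Owner URLs from a Keycloak Server URL, Realm and Version, lists the OIDC scopes the configured field names require, and maps a user-info response onto the ID, Email, First Name and Last Name fields, reporting exactly which configured name the provider did not return. It assumes Keycloak's default context path (the /auth prefix that Keycloak 17 dropped) and uses constructed sample responses.

```python
import json

def keycloak_endpoints(server_url, realm, version):
    """Derive the Custom-provider URLs from the Keycloak Server URL, Realm and Version.

    Keycloak 17 (Quarkus distribution) dropped the "/auth" context path, which is why the
    version matters. Assumes the default context path has not been changed."""
    base = server_url.rstrip("/")
    if int(str(version).split(".")[0]) < 17:
        base += "/auth"
    base += f"/realms/{realm}/protocol/openid-connect"
    return {"authorization_url": base + "/auth",
            "access_token_url": base + "/token",
            "resource_owner_url": base + "/userinfo"}

# Field names from the page's Custom-provider example; all are standard OIDC claims.
DEFAULT_FIELDS = {"id": "sub", "email": "email", "first_name": "given_name", "last_name": "family_name"}
# Scope that releases each standard claim (OpenID Connect Core, section 5.4).
SCOPE_FOR_CLAIM = {"sub": "openid", "email": "email", "given_name": "profile",
                   "family_name": "profile", "name": "profile", "preferred_username": "profile"}

def missing_scopes(scopes, fields=DEFAULT_FIELDS):
    """Scopes the configured field names need but the Scopes setting does not request."""
    need = {SCOPE_FOR_CLAIM[c] for c in fields.values() if c in SCOPE_FOR_CLAIM}
    return sorted(need - set(scopes.split()))

def map_user(userinfo_json, fields=DEFAULT_FIELDS):
    """Map a Resource Owner (user info) response onto the app's identity fields.

    Returns (user, problems). user["id"] is None when the configured ID field is absent,
    so the caller must reject the login instead of guessing an identifier."""
    data = json.loads(userinfo_json)
    user, problems = {}, []
    for target, claim in fields.items():
        user[target] = data.get(claim)
        if user[target] in (None, ""):
            problems.append(f"{target} field '{claim}' is not in the provider response "
                            f"(keys returned: {', '.join(sorted(data))})")
    return user, problems

# Constructed sample responses: one matching the defaults and one from a provider that
# names its claims differently (the "misnamed fields" case in the troubleshooting tips).
STANDARD_USERINFO = json.dumps({"sub": "a1b2c3", "email": "user@example.com",
                                "given_name": "Ada", "family_name": "Lovelace"})
MISNAMED_USERINFO = json.dumps({"id": "42", "mail": "user@example.com", "name": "Ada Lovelace"})
```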

🚨 General Issues (Both SAML & OAuth)

SSO works in preview but fails in the direct link (or vice versa)
SSO only works in the live application link, not the preview. Always test using the direct app link.
SSO not triggering
Ensure:
SSO is enabled for the game.
Your plan includes the Premium SSO option.
Your SSO provider accepts calls from Drimify's servers.
Fallback configuration not working
If you're relying on the workspace- or user-level configuration, make sure that one is correctly set up and active. Otherwise, configure SAML or OAuth directly within the app.
App not receiving the right user identity
Check that your IdP (SAML) or OAuth provider is returning a consistent, unique user ID, email, or identifier that matches what's configured in your app.

Updated on: 29/05/2025
