Single Sign-On (SSO) - Main Configuration

Enabling Single Sign-On (SSO)

To enable Single Sign-On (SSO), follow these steps:
Locate the SSO toggle switch in your authentication settings.
Switch the toggle to enable SSO.

⚠️ Important: You can only test your SSO configuration using the direct link to your application. SSO will not work in preview mode.

SSO Configuration Options

1. Configure SAML-Based SSO

If you choose to use SAML, you’ll need to configure both Drimify’s service provider (SP) details and your identity provider’s (IdP) details.

Service Provider Details (provided by Drimify):

Entity ID – Unique identifier for your Drimify configuration, acting as the SAML service provider.
ACS (Assertion Consumer Service) URL – Where the IdP sends SAML assertions after the user authenticates.
SLS (Single Logout Service) URL – Handles logout requests.

These values will appear once SSO is enabled and must be added to your Identity Provider (IdP).

Identity Provider Details (provided by you):

Entity ID (Issuer) – e.g., https://idp.example.com/
Single Sign-On Service URL – e.g., https://idp.example.com/sso/saml
Single Logout Service URL – e.g., https://idp.example.com/slo/saml
X.509 Certificate – Required for validating the signature on SAML responses.
Encryption Certificate (optional) – For encrypting assertions.

2. Authentication Method (Optional)

You can optionally define an authenticationMethod to enforce a specific level of authentication when users log in via SSO. This is the authentication context Drimify requests from your IdP; if the IdP cannot satisfy it, the login fails.

Available methods:

None (Let IdP decide)
Password / Password over TLS
X.509 Certificate
PKI Authentication
Kerberos
Smartcard / Smartcard PKI
Time-synchronous token (OTP)
Mobile (1FA / 2FA)
IP Address only / IP + Password
Previous session
Unspecified

If you're unsure, select None to let your Identity Provider determine the authentication mechanism.

3. Configure OAuth-Based SSO

You can also configure SSO using an OAuth provider.

Supported OAuth options:

Keycloak
Custom provider

For Keycloak:

Client ID
Client Secret
Keycloak Server URL
Realm
Version

For Custom OAuth:

Client ID
Client Secret
Authorization URL
Access Token URL
Resource Owner (User Info) URL
Scopes (e.g., openid, profile, email)
ID Field (e.g., sub)
Email Field (e.g., email)
First Name Field (e.g., given_name)
Last Name Field (e.g., family_name)
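The four field mappings above are applied to the JSON the provider's User Info URL returns. The following is an added example (not Drimify's own code) of how such a mapping is resolved: the constructed sample response and the FIELD_MAPPING dictionary are assumptions, and the check that the ID field resolves to a non-empty value is what catches the "Missing Field Mappings" and "User data mismatch" cases listed under Troubleshooting.

```python
from typing import Any

# Hypothetical mapping, mirroring the four fields the custom OAuth form asks for.
FIELD_MAPPING = {
    "id": "sub",
    "email": "email",
    "first_name": "given_name",
    "last_name": "family_name",
}

# Constructed sample user-info response, shaped like a typical OpenID Connect reply.
SAMPLE_USER_INFO = {
    "sub": "f81d4fae-7dec-11d0-a765-00a0c91e6bf6",
    "email": "jane.doe@example.com",
    "given_name": "Jane",
    "family_name": "Doe",
}


def lookup(payload: dict, path: str) -> Any:
    """Fetch a value by key; dotted paths reach nested claims (e.g. 'profile.email')."""
    current: Any = payload
    for part in path.split("."):
        if not isinstance(current, dict) or part not in current:
            return None
        current = current[part]
    return current


def map_user(user_info: dict, mapping: dict) -> dict:
    """Apply the configured mapping; the ID field must resolve to a non-empty string."""
    user_id = lookup(user_info, mapping["id"])
    if not isinstance(user_id, str) or not user_id.strip():
        raise ValueError(
            f"ID field '{mapping['id']}' missing or empty in user-info response; "
            f"top-level fields returned by the provider: {sorted(user_info)}"
        )
    mapped = {"id": user_id}
    for local_name in ("email", "first_name", "last_name"):
        value = lookup(user_info, mapping[local_name])
        # Optional fields are reported as None when the provider does not return them.
        mapped[local_name] = value if isinstance(value, str) and value.strip() else None
    return mapped


if __name__ == "__main__":
    print(map_user(SAMPLE_USER_INFO, FIELD_MAPPING))
```

Pointing the ID Field at a claim the provider does not return (for example "id" when the provider sends "sub") raises immediately, listing the claims that were actually returned, which is the quickest way to spot a mapping typo.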

Step-by-Step Summary

Enable SSO via the toggle.
Choose a configuration method: manually configure SAML or OAuth.
Enter the required details (depending on the method).
Save and test using the direct application link.

Important Notes

🔐 Plan Requirement: Your subscription must include the Premium SSO option.
🔗 Test using direct link: Preview mode does not support SSO.
🛠️ Check your SSO platform: Ensure your IdP or OAuth provider allows requests from Drimify.

Troubleshooting Tips

SAML-Specific

ACS URL / Entity ID mismatch: Double-check these values in your IdP.
📅 Expired Certificate: Update the X.509 certificate if it’s expired or changed.
🚫 Unsupported Authentication Method: Try setting it to "None" if login fails.
📥 SAML assertion not accepted: Ensure the assertion is in the correct format and includes the required attributes (such as email).

OAuth-Specific

Invalid Client ID/Secret: Double-check credentials.
🌐 Incorrect URLs: Ensure all URLs are accurate and accessible.
🔍 Missing Scopes: Confirm that the required scopes are included.
🧩 Missing Field Mappings: Match field names with your OAuth provider’s user info response.

General Issues

⚠️ SSO only works via direct link: Avoid testing in preview.
🔄 SSO not triggering: Ensure it’s enabled and your plan includes the feature.
🧭 User data mismatch: Confirm your IdP or OAuth provider returns a valid, unique user identifier.

Updated on: 29/05/2025
