Single Sign-On (SSO) - Main Configuration
Enabling Single Sign-On (SSO)
To enable Single Sign-On (SSO), follow these steps:
- Locate the SSO toggle switch in your authentication settings.
- Switch the toggle to enable SSO.
SSO Configuration Options
1. Configure SAML-Based SSO
If you choose to use SAML, you’ll need to configure both Drimify’s service provider details and your identity provider’s details.
Service Provider Details (provided by Drimify):
- Entity ID – Unique identifier for your configuration.
- ACS (Assertion Consumer Service) URL – Where the IdP sends SAML assertions.
- SLS (Single Logout Service) URL – Handles logout requests.
Identity Provider Details (provided by you):
- Entity ID (Issuer) – e.g., https://idp.example.com/
- Single Sign-On Service URL – e.g., https://idp.example.com/sso/saml
- Single Logout Service URL – e.g., https://idp.example.com/slo/saml
- X.509 Certificate – Required for validating SAML responses.
- Encryption Certificate (optional) – For encrypting assertions.
2. Authentication Method (Optional)
You can optionally define an authenticationMethod to enforce a specific level of authentication when users log in via SSO.
Available methods:
- None (Let IdP decide)
- Password / Password over TLS
- X.509 Certificate
- PKI Authentication
- Kerberos
- Smartcard / Smartcard PKI
- Time-synchronous token (OTP)
- Mobile (1FA / 2FA)
- IP Address only / IP + Password
- Previous session
- Unspecified
3. Configure OAuth-Based SSO
You can also configure SSO using an OAuth provider.
Supported OAuth options:
- Keycloak
- Custom provider
For Keycloak:
- Client ID
- Client Secret
- Keycloak Server URL
- Realm
- Version
For Custom OAuth:
- Client ID
- Client Secret
- Authorization URL
- Access Token URL
- Resource Owner (User Info) URL
- Scopes (e.g., openid, profile, email)
- ID Field (e.g., sub)
- Email Field (e.g., email)
- First Name Field (e.g., given_name)
- Last Name Field (e.g., family_name)
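To show how the Custom OAuth field mappings are applied once the provider's user info response arrives, here is an added Python example (not Drimify's code) that resolves a response against a mapping and reports the "Missing Field Mappings" and "User data mismatch" cases from the troubleshooting section. The FieldMapping attribute names, the dotted-path lookup for nested claims and the sample response are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class FieldMapping:
    """Field names from the Custom OAuth settings (assumed attribute names)."""
    id_field: str = "sub"
    email_field: str = "email"
    first_name_field: str = "given_name"
    last_name_field: str = "family_name"

class MappingError(ValueError):
    """The user-info response does not satisfy the configured mapping."""

def _lookup(userinfo: dict, path: str):
    """Read a claim; a dotted path walks nested objects (assumed extension)."""
    value = userinfo
    for key in path.split("."):
        if not isinstance(value, dict) or key not in value:
            return None
        value = value[key]
    return value

def find_mapping_problems(userinfo: dict, mapping: FieldMapping) -> list:
    """List why a response cannot be mapped; an empty list means it can."""
    problems = []
    user_id = _lookup(userinfo, mapping.id_field)
    if user_id is None or str(user_id).strip() == "":
        # 'User data mismatch': no valid, unique identifier to key the account on
        problems.append(f"missing identifier at '{mapping.id_field}'")
    if not _lookup(userinfo, mapping.email_field):
        # 'Missing Scopes' or 'Missing Field Mappings': the email claim is absent
        problems.append(f"missing email at '{mapping.email_field}'")
    return problems

def map_userinfo(userinfo: dict, mapping: FieldMapping) -> dict:
    """Build the application's user record; names are optional, id/email are not."""
    problems = find_mapping_problems(userinfo, mapping)
    if problems:
        raise MappingError("; ".join(problems))
    return {
        "id": str(_lookup(userinfo, mapping.id_field)),
        "email": str(_lookup(userinfo, mapping.email_field)),
        "first_name": _lookup(userinfo, mapping.first_name_field) or "",
        "last_name": _lookup(userinfo, mapping.last_name_field) or "",
    }

# Constructed sample response, shaped like an OpenID Connect userinfo reply.
SAMPLE_USERINFO = {"sub": "a1b2c3", "email": "ada@example.com",
                   "given_name": "Ada", "family_name": "Lovelace"}
```

Running find_mapping_problems against a real provider's response before saving the configuration tells you which field name or scope to fix.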
Step-by-Step Summary
- Enable SSO via the toggle.
- Choose a configuration method:
- Manually configure SAML or OAuth.
- Enter required details (depending on the method).
- Save and test using the direct application link.
Important Notes
- 🔐 Plan Requirement: Your subscription must include the Premium SSO option.
- 🔗 Test using direct link: Preview mode does not support SSO.
- 🛠️ Check your SSO platform: Ensure your IdP or OAuth provider allows requests from Drimify.
Troubleshooting Tips
SAML-Specific
- ✅ ACS URL / Entity ID mismatch: Double-check these values in your IdP.
- 📅 Expired Certificate: Update the X.509 certificate if it’s expired or changed.
- 🚫 Unsupported Authentication Method: Try setting it to "None" if login fails.
- 📥 SAML assertion not accepted: Ensure it's in the correct format and includes required fields (like email).
OAuth-Specific
- ❌ Invalid Client ID/Secret: Double-check credentials.
- 🌐 Incorrect URLs: Ensure all URLs are accurate and accessible.
- 🔍 Missing Scopes: Confirm that the required scopes are included.
- 🧩 Missing Field Mappings: Match field names with your OAuth provider’s user info response.
General Issues
- ⚠️ SSO only works via direct link: Avoid testing in preview.
- 🔄 SSO not triggering: Ensure it’s enabled and your plan includes the feature.
- 🧭 User data mismatch: Confirm your IdP or OAuth provider returns a valid, unique user identifier.
Updated on: 29/05/2025