SSO authentication
Single sign-on (SSO) can be configured organization-wide to allow Conductor users to log in using a delegated identity provider (IdP). You can use the SSO IdP of your choice, provided it supports the SAML 2.0 protocol.
Configuring an SSO Connection does not override the Conductor native authentication. If a user signs in through SSO without previously being invited to the Conductor organization, their login will be rejected when trying to access the Conductor console.
Configuring an SSO Connection will force users whose email address matches the configured Login Domain to log in via the configured SAML Identity Provider. Users who log in with an email address that does not match the Login Domain will not be routed through SSO and can access the Conductor console as normal.
Single sign-on is only available for customers who have added it to their Conductor Enterprise Contract.
Create SSO Connection
To configure an SSO Connection you need to copy a few values from your IdP into Conductor. The input values required are described below.
- Connection Type: The only supported IdP protocol today is SAML 2.0 (samlp).
- Name: A descriptive name of the SSO connection.
- Email Domain: The domain name used to enforce SSO for Conductor users. This should belong to your organization and match the user's email address.
- Sign In Endpoint: Login URL from your identity provider.
- Sign Out Endpoint: Optional logout URL from your identity provider used to terminate multiple authentication sessions using the single logout (SLO) feature.
- Signing Certificate file: Signing certificate file from your identity provider.
The following values will need to be copied into your identity provider:
- Callback URL (Assertion Consumer Service URL): Automatically generated URL to which the identity provider sends the SAML response.
- Entity ID: Automatically generated globally unique ID for the identity provider that performs SAML authentication assertions.