
SSO authentication

Single sign-on (SSO) can be configured organization-wide to allow Conductor users to log in using a delegated identity provider (IdP). You can use the SSO IdP of your choice provided they support the SAML 2.0 protocol.

Configuring an SSO Connection does not override the Conductor native authentication. If a user signs in through SSO without previously being invited to the Conductor organization, their login will be rejected when trying to access the Conductor console. Thus a user will have to be invited to both Conductor and the configured IdP for login to be successful.

Configuring an SSO Connection will force users whose email address matches the configured Login Domain to log in via the configured SAML Identity Provider. Users who log in with an email address that does not match the Login Domain will not be routed through SSO and can access the Conductor console as normal.

Note

Single sign-on is only available for customers who have added it to their Conductor Enterprise Contract.

Create SSO Connection

  1. Reach out to your Diagrid Customer Success representative providing them with the email domain that you want to enable for SSO. For security reasons Diagrid needs to whitelist this domain in the backend.

  2. To configure an SSO Connection you need to copy a few values from your Identity Provider (IdP) into Conductor. The input values required are described below.

  • Connection Type: The only supported IdP protocol today is SAML 2.0 (samlp).
  • Name: A descriptive name of the SSO connection.
  • Email Domain: The domain name used to enforce SSO for Conductor users. This should belong to your organization and match the user's email address in the format @email.com.
  • Sign In Endpoint: Login URL from your identity provider.
  • Sign Out Endpoint: Optional logout URL from your identity provider used to terminate multiple authentication sessions using the single logout (SLO) feature.
  • Signing Certificate file: Signing certificate file from your identity provider (.cer or .pem format).

The following values will need to be copied into your IdP:

  • Callback URL (Assertion Consumer Service URL): Automatically generated URL to which the identity provider sends the SAML response.
  • Entity ID: Automatically generated globally unique ID for the identity provider that performs SAML authentication assertions.

Note

For Okta, the SAML configuration requires the user.email attribute to be added in Attribute Statements, otherwise user login will fail.

  3. Save the SSO connection details and attempt to log in to Conductor by navigating to https://conductor.diagrid.io/ in an in-private browser window. On a user’s first login there will always be two login attempts required. This is expected and will be indicated by the requires_login_again message.
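As an added example that is not part of the Diagrid documentation, the following Python script checks a SAML Response offline against the values exchanged above: the Callback URL as Destination and Recipient, the Entity ID as Audience, and a user.email attribute inside the configured Email Domain. The Entity ID, Callback URL and the sample response are constructed placeholders, and the IdP signature is only checked for presence, not verified.

```python
import xml.etree.ElementTree as ET

# Placeholders for the Entity ID and Callback (ACS) URL Conductor generates; substitute the real ones.
ENTITY_ID = "urn:placeholder:conductor-entity-id"
ACS = "https://placeholder.example/saml/callback"
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}


def check_saml_response(xml_text, entity_id, acs_url, login_domain):
    """Return the list of mismatches found; an empty list means the response is consistent."""
    problems = []
    root = ET.fromstring(xml_text)
    # The IdP must post the response to the Callback URL copied into it.
    if root.get("Destination") != acs_url:
        problems.append("Destination does not match the Callback URL")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no Assertion element"]
    # The Audience must be the Conductor Entity ID copied into the IdP.
    audiences = [a.text for a in assertion.findall(".//saml:AudienceRestriction/saml:Audience", NS)]
    if entity_id not in audiences:
        problems.append("Audience does not match the Entity ID")
    scd = assertion.find(".//saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url:
        problems.append("Recipient does not match the Callback URL")
    # Okta must emit user.email in Attribute Statements; it must also be in the Email Domain.
    emails = [v.text for v in assertion.findall(
        ".//saml:Attribute[@Name='user.email']/saml:AttributeValue", NS)]
    if not emails:
        problems.append("user.email attribute missing from AttributeStatement")
    elif not emails[0].lower().endswith("@" + login_domain.lower()):
        problems.append("user.email is outside the configured Login Domain")
    # Presence check only: verifying the XML-DSig needs the Signing Certificate and a DSig library.
    if assertion.find("ds:Signature", NS) is None and root.find("ds:Signature", NS) is None:
        problems.append("no XML signature present")
    return problems


def sample_response(email=None):
    """Constructed sample response (not from a real IdP); email=None omits the attribute."""
    attr = "" if email is None else (
        '<saml:AttributeStatement><saml:Attribute Name="user.email">'
        f'<saml:AttributeValue>{email}</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>')
    return (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        f'xmlns:ds="{NS["ds"]}" Destination="{ACS}"><saml:Assertion><ds:Signature/>'
        f'<saml:Subject><saml:SubjectConfirmation><saml:SubjectConfirmationData Recipient="{ACS}"/>'
        '</saml:SubjectConfirmation></saml:Subject><saml:Conditions><saml:AudienceRestriction>'
        f'<saml:Audience>{ENTITY_ID}</saml:Audience></saml:AudienceRestriction></saml:Conditions>'
        f'{attr}</saml:Assertion></samlp:Response>')
```

Run `check_saml_response` on a response captured from the browser's SAML tracer when a first login fails; a non-empty list points at the IdP setting to fix.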