Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 2 Next »

FlexDeploy can be integrated with a single sign-on service using various options like OpenID Connect, SAML, OAuth etc. You can use an external service like Okta, Microsoft Azure AD, and many more, or use existing corporate single sign-on solution. Note that FlexDeploy does not provide single sign-on and multi-factor authentication services. 

Integration mechanisms supported are OpenID Connect, SAML, OAuth. We have verified this using Okta and Microsoft Azure AD using OpenID Connect. For other OpenID Connect providers and other types of integrations, please reach out to us using the support portal.

A FlexDeploy user record will still be created when users from your single sign-on service performs login for the first time. See New User Process on the Realms page.

Important points about this integration:

  • The REST API still requires logging in using local realm users, or API Tokens. API Tokens can be created for single sign-on users.

  • Once you enable single sign-on, you will not be able to configure or use LDAP Realms for authentication and authorization. You can still login using local users, which can be useful if there are issues with single sign-on provider.

You can further secure this by enabling multi-factor authentication, where users are granted access only after successfully presenting two or more pieces of evidence to an authentication mechanism. This will not be discussed here as it will be done on your single sign-on provider.

Even after enabling single sign-on, you will be able to log in using local users if necessary. If you want to log in with local users, then navigate directly to https://FLEXDEPLOYHOST:FLEXDEPLOYPORT/flexdeploy/next/#/login.

Previously single sign-on was configured using configuration file. Customers using single sign-on using configuration file with previous versions of FlexDeploy will automatically be migrated to SSO Realm.

If an SSO Realm is enabled, no LDAP realms are allowed and users are directed to login with single sign-on provider instead of through the normal FlexDeploy login page.

If there is an issue logging in with SSO, or you want to login as an internal user such as fdadmin, go to the page flexdeploy/next/#/login.

Configuring an SSO Realm

If you had an fdsso.config file setup previously, it will automatically be upgraded to an SSO Realm. Starting with FlexDeploy 7.0, SSO Realms are seen in the UI. The file is no longer needed after the first startup of 7.0+.

Only FlexDeploy Administrators can update Realm settings.

In order to enable or disable single sign-on, use Enable Single Sign-On switch.

When you enable single sign-on, a new SSO realm will be populated with a sample configuration, and you will definitely need to configure it to your needs. You can also delete all details (see General section below), and press CTRL+Space to choose another sample.

It’s OK if the provider isn’t the same as yours, but choose either SAML or OIDC correctly.

Other providers are fine to use!

You can make credentials for any sensitive values and include them in the script.

Here are some pages of information about some identity providers that we have tested more thoroughly and documented. FlexDeploy 8.0 also allows mapping of roles/groups in single sign-on provider to FlexDeploy groups, see SSO Realm Group Mapping for more details.

  • No labels