Security Assertion Markup Language (SAML) based single sign-on (SSO) is a standard for exchanging authentication data between an identity provider and a service provider. With Automox, SAML-based single sign-on enables organizations to provide their users with a single point of authentication the Automox Console using their corporate credentials.
When configured, Automox SSO offers two separate authentication flows: Automox-to-IDP authentication and IDP-to-Automox authentication.
The Automox-to-IDP authentication flow allows users to provide their email address from the Automox Console login page, and be redirected to their configured Identity Provider (IDP) for authentication before being redirected back to the Automox Console as the expected user.
The IDP-to-Automox authentication flow allows users to log into the Automox Console directly from their IDP dashboard. This is a common flow in organizations that utilize more than one SSO-enabled service.
Configuring Single Sign-On
The first step to getting started with Automox SSO is to enable the feature. This can be done by navigating to the My Profile section of the Settings page and enabling "SAML." This will disable 2FA if enabled:
Service Provider Settings
Once checked, a SAML SSO configuration modal will be displayed asking for the following information to be provided by your Identity Provider:
- Entity ID
- x509 Certificate
- Login URL
In some cases, an Identity Provider will provide this information in the form of an XML file instead. If you would prefer to configure Automox SSO using the provided XML, this can be accomplished by clicking on the Toggle XMLlink within the SAML SSO configuration modal.
Additionally, there are two optional fields that can be entered as well:
- Logout URL Redirect - The Automox SAML feature does not currently support SAML-based Single Log-Out (SLO), however to help improve usability you can provide a URL that users will be redirected to after logging out of the Automox Console.
- Automatic Account Provisioning - While Automox SSO will match authenticating users' email addresses to validate SSO logins, by default it does not create accounts for users that do not yet exist. By checking the "Provision New Users" box, users that are unknown to Automox whill be automatically created and added as a new organization user when attempting to authenticate for the first time.
Identity Provider Settings
In order to provide a seamless integration, the Automox SAML SSO feature expects the data provided by your Identity Provider to appear in a specific format, as well as some additional attributes when automatic account provisioning is enabled:
Service Provider (SP) Settings
- Name ID Format: Persistent
- Application Username: Email
- firstName: The first name of the authenticating user
- lastName: The last name of the authenticating user