OneCloud administrators are able to configure users within their company to log in via Single Sign On. Through the use of SAML (Security Assertion Markup Language), you can access your OneCloud account with credentials stored by another identity provider.
Our implementation of SSO is not specific to any particular provider, but we have created documentation on how to easily integrate with the following providers:
If you are an admin user, you can configure SAML for your organization by entering the admin menu and clicking on the "Users & Groups" page:
From here, enter the SAML section by clicking on the left-hand menu:
Your Identity Provider (IdP) should provide an XML file (usually referred to as "Identity Provider metadata") to download. When you've downloaded that file, click or drag to upload it to OneCloud. Ensure that your file is a valid XML document and the file extension is .xml, or you will not be able to upload the file:
Once you've uploaded a valid file and clicked "Save", a variety of new fields should appear. First, you will be given a single sign on URL for your company. Any user that follows that link will be logged into the OneCloud platform, provided they are configured to use SSO. Below is a sample of the fields you would see once you've completed the XML upload:
The fields in the "OneCloud service provider details" section are used to configure your IdP to interact with the OneCloud platform and log you in successfully. OneCloud supports both service provider-initiated login and identity provider-initiated login by default, so there should not be any additional configuration required to allow for both types of login. Please see above for additional provider-specific documentation.
SSO is not enabled by default for existing users, so you will have to edit them in the admin panel to ensure they are bound to log in via SSO. Once a user is set to log in via SSO, they can no longer access the application with a username and password. For this reason, we recommend provisioning at least one admin user without SSO to ensure that provider outages do not impact your ability to access the OneCloud platform.
To configure a user to log in via SSO, go to the "Users & Groups" section in the admin page. From here, you can select the "Users" item on the left menu to see your list of users. Note that you must be an admin user in order to perform this function:
Click on the ellipsis menu on the right side of the user you want to edit, and click the "Edit" button that appears. From here, you'll be able to enable or disable a user's ability to use single sign on by toggling the check box.
If you made a change, a warning message will appear, letting you know that the user will have to change their password if SSO is disabled. If SSO is enabled, the user will not be able to log in with their old password. Click "Save" to confirm your changes. When the change is made, users are notified individually via email.
Your users should now be able to log in with SSO once this change has been made. As mentioned above, the login can be initiated from your IdP's portal or by visiting the link provided in the admin section. Once your SSO provider has been configured, any new users will have SSO enabled by default (though it can be toggled in the invite form).