AutoCloud supports organization single sign-on authentication using the SAML protocol. SSO (Single Sign-On) streamlines the login process, since users don't need to create a new account or remember another set of login credentials for AutoCloud. Organization administrators can configure SAML on the organization settings page, connecting their SAML Identity Provider (IdP) to their AutoCloud account. This allows the use of existing credentials to authenticate and access your AutoCloud account.
Before you can connect your IdP to AutoCloud, you will need the following:
- A valid account with a SAML Identity Provider (IdP)
- Organization admin rights for your AutoCloud organization
- Your IdP's signing certificate and sign-on URL
Note: AutoCloud requires that your IdP support both SAML response signing and SAML assertion signing.
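As an added example (not AutoCloud's code), the following Python checks whether a base64-encoded SAMLResponse captured from a test login against your own IdP carries an enveloped signature on both the Response and the Assertion, which is the requirement in the note above. The function names and the constructed sample are assumptions for illustration. The check is structural only and does not validate the signature against the IdP certificate.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def _is_signed(el):
    # Enveloped signature: a direct ds:Signature child whose Reference URI
    # points back at this element's own ID attribute.
    el_id = el.get("ID")
    ref = el.find("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    return bool(el_id) and ref is not None and ref.get("URI") == "#" + el_id

def signing_coverage(saml_response_b64):
    """Structural check only: reports which elements carry a signature.
    It does not verify the signature against the IdP certificate."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response document")
    assertions = root.findall("saml:Assertion", NS)
    return {
        "response_signed": _is_signed(root),
        "assertion_signed": bool(assertions) and all(map(_is_signed, assertions)),
        # Signatures inside an EncryptedAssertion cannot be inspected here.
        "encrypted_assertions": len(root.findall("saml:EncryptedAssertion", NS)),
    }

def meets_requirement(saml_response_b64):
    cov = signing_coverage(saml_response_b64)
    return cov["response_signed"] and cov["assertion_signed"]

def constructed_sample(sign_response, sign_assertion):
    # Constructed test input: placeholder IDs, no real signature values.
    sig = ('<ds:Signature xmlns:ds="%s"><ds:SignedInfo><ds:Reference URI="#%%s"/>'
           '</ds:SignedInfo></ds:Signature>' % NS["ds"])
    xml = ('<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ID="_resp1">%s'
           '<saml:Assertion ID="_assert1">%s</saml:Assertion></samlp:Response>' % (
               NS["samlp"], NS["saml"],
               sig % "_resp1" if sign_response else "",
               sig % "_assert1" if sign_assertion else ""))
    return base64.b64encode(xml.encode()).decode()

if __name__ == "__main__":
    for flags in [(True, True), (True, False), (False, True)]:
        print(flags, signing_coverage(constructed_sample(*flags)))
```

A response that reports only one of the two flags as true matches the either-or signing behaviour that the requirement rules out.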
Currently, we only support self-service connection for SAML. To get started, navigate to AutoCloud's single sign-on settings page. Before you begin configuring your SAML IdP, make note of your AutoCloud organization ID, which appears below the organization name.
Connecting Your SAML IdP
Each identity provider's user interface, terminology, and default configuration settings are slightly different. To connect your IdP to AutoCloud, follow the provider-specific procedure linked below.
To configure your Azure Active Directory SAML integration, follow these steps.
Google Workspaces' SAML implementation currently supports either SAML response signing or SAML assertion signing, but not both. For this reason, Google Workspaces SAML is not supported.
To configure your Okta SAML integration, follow these steps.
To configure a generic SAML integration for a provider that is not listed, follow these steps.
Managing Your SAML IdP Connection
From the single sign-on settings page you can switch the Active toggle on to enable the connection. Please note that you will remain logged in to AutoCloud, but the next time you attempt to log in you will be redirected to your IdP's login page.
The recommended steps for testing your SSO configuration are as follows:
- Enable the connection for your account
- Do not close or log out of your current session
- Open a private browser, visit AutoCloud, and log in
- If your SSO connection is configured correctly you will be redirected to your IdP upon entering your credentials
- If you are able to complete the login, this means your configuration is correct
If you experience any issues logging in after enabling your connection, you can contact support.
SAML defines two authentication flows: identity provider initiated login, where the user clicks on a button in their identity provider to be logged into AutoCloud, and service provider initiated login, where the user enters their credentials on the AutoCloud login page, AutoCloud validates the credentials with the identity provider, and the user is authenticated appropriately based on the identity provider's response.
Some organizations prohibit service provider initiated login by policy, and require that all users initiate login through their identity provider. To disable the ability for users to initiate authentication on the AutoCloud login page, toggle the Disable SP Login slider to on.
Note: Test identity provider initiated login flow thoroughly before disabling service provider login. If the IdP login flow is not functional, all users will be locked out of your AutoCloud organization, and you will have to contact AutoCloud support to regain access.
Disconnecting Your IdP
If you ever need to disconnect your IdP from AutoCloud, you can perform that operation from the single sign-on settings page. You can disable your connection with the Active toggle, or permanently remove your IdP integration by clicking the Delete button.
After disabling/removing the connection, you will be able to log back into the app with your original AutoCloud password.