Single sign-on (SSO) lets users access their Redox dashboard accounts through a third-party identity provider, so you control user access policies from one central resource for your organization. Redox supports identity providers that speak the SAML 2.0 protocol.
With SSO, a user from your organization enters their email on the dashboard login page, which then redirects them to your identity provider for authentication. If successfully authenticated, they are redirected back to the dashboard as a logged-in user.
Only for Standard or above users
For our Basic plan customers, SSO isn't available. Talk to a Redoxer if you're interested in upgrading to take advantage of SSO.
For our Standard (and above) plan customers, SSO is available by default, but an organization owner still has to turn it on (see below). SSO is only available to dashboard users that belong to exactly one dashboard organization. If your organization has users that are part of multiple organizations, they must remove themselves from, or transfer their access to, a different Redox account before they can use SSO.
Configuring in the dashboard
For Standard (and above) customers, an organization owner can follow these steps to turn on SSO:
Log in to the dashboard.
On the navigation menu, your username displays at the bottom. Click your username for the user menu to appear.
From the user menu, select the Organization Profile option.
Organization Profile option of the user menu
By default, the Organization Info page displays. Click the Settings tab.
The page opens with the organization settings. Under the Single Sign-On section, toggle the SSO option to Enabled.
SSO enabled for your organization
For non-organization owners
If you're not an organization owner, the toggle option won't be available. Instead, the Single Sign-On section displays a warning that says you must be an organization owner to manage SSO.
More fields appear for you to populate details about your identity provider (IDP). Specific configuration details vary between IDPs, but the basic process is the same. Enter the following values from your IDP into the appropriate fields:
Identity provider section
Name: The name of your IDP.
Domain name: Your company domain where your organization's users have an email account.
SAML metadata URL: The public URL of your IDP's SAML metadata XML document. The document must include the IDP's entity ID and its signing certificate (public key), which are what the dashboard uses to validate SAML responses from the IDP.
Attribute mapping section
User full name: The label that your IDP uses for a user's name.
User email: The label that your IDP uses for a user's email address.
Once you populate the Identity provider and Attribute mapping fields, click the Save button.
After saving successfully in the dashboard, you must refer to your IDP for instruction on how to configure the SAML protocol from their end.
Check out the instructions we have for configuring the SAML protocol for common IDPs after this section.
Once both sides are configured and setup is successful, all users must log in via SSO going forward. Previous username and password credentials no longer work, so test the IDP login with an organization owner account before relying on it; there is no password fallback once SSO is on.
After SSO is enabled, any new user who successfully authenticates via your identity provider is added to your organization. This means membership is governed by your IDP: assign only the users who should have dashboard access to the Redox application there. Existing users of your organization may not join another Redox organization.
Lastly, keep in mind that user access is revoked from your identity provider as well, by removing the user's assignment to the application.
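Before saving the SAML metadata URL, it is worth confirming that what the URL actually serves is IDP metadata carrying a signing certificate: a URL that returns SP metadata, or a document with no key, leaves the dashboard nothing to validate responses against. The Python below is an added example, not code from Redox or from this page. The entity ID, endpoints and certificate in the embedded sample are constructed placeholders standing in for what your IDP publishes; pass your real metadata URL on the command line to check it instead.

```python
"""Pre-flight check of an IDP SAML metadata document before pasting its URL
into the Redox dashboard's "SAML metadata URL" field.

Added example, not Redox code. SAMPLE_METADATA is constructed: the entityID,
endpoints and certificate are placeholders (the certificate is valid base64
but not a real X.509 certificate), so the script runs offline.
"""
import base64
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SAML2 = "urn:oasis:names:tc:SAML:2.0:protocol"


@dataclass
class IdpMetadata:
    entity_id: str
    sso_urls: dict          # SAML binding URN -> endpoint URL
    signing_certs: list     # base64 DER certificates the IDP signs with
    problems: list = field(default_factory=list)   # empty == safe to paste


def parse_idp_metadata(xml_bytes: bytes) -> IdpMetadata:
    """Extract entityID, SSO endpoints and signing keys; record anything that
    would stop an SP from validating this IDP's responses."""
    root = ET.fromstring(xml_bytes)
    problems = []
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        problems.append(f"root element is {root.tag}, expected md:EntityDescriptor")
    entity_id = root.get("entityID", "")
    if not entity_id:
        problems.append("missing entityID")
    sso_urls, certs = {}, []
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        problems.append("no IDPSSODescriptor: this is not IDP metadata")
    else:
        if SAML2 not in idp.get("protocolSupportEnumeration", ""):
            problems.append("IDP does not advertise SAML 2.0 protocol support")
        for sso in idp.findall("md:SingleSignOnService", NS):
            sso_urls[sso.get("Binding", "")] = sso.get("Location", "")
        for kd in idp.findall("md:KeyDescriptor", NS):
            # A KeyDescriptor without "use" is valid for signing and encryption.
            if kd.get("use", "signing") != "signing":
                continue
            cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            if cert is None or not cert.text:
                continue
            b64 = "".join(cert.text.split())      # PEM-style line wrapping
            try:
                base64.b64decode(b64, validate=True)
            except ValueError:
                problems.append("signing certificate is not valid base64")
                continue
            certs.append(b64)
    if not certs:
        problems.append("no signing certificate: SP cannot verify assertion signatures")
    if not sso_urls:
        problems.append("no SingleSignOnService endpoint")
    for binding, loc in sso_urls.items():
        if not loc.startswith("https://"):
            problems.append(f"SSO endpoint for {binding} is not https: {loc}")
    return IdpMetadata(entity_id, sso_urls, certs, problems)


# Constructed sample in the shape Okta publishes; all identifiers are placeholders.
SAMPLE_METADATA = b"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://www.okta.com/exk0000example">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIIBAAAAAAAAAAAA
          AAAAAAAAAAAAAAAAAAAAAAAAAAAA</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.okta.com/app/example/exk0000example/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example.okta.com/app/example/exk0000example/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

if __name__ == "__main__":
    import sys
    import urllib.request
    data = urllib.request.urlopen(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_METADATA
    md = parse_idp_metadata(data)
    print("entityID:", md.entity_id)
    for binding, loc in md.sso_urls.items():
        print("SSO endpoint:", binding.rsplit(":", 1)[-1], loc)
    print("signing certificates:", len(md.signing_certs))
    print("problems:", md.problems or "none")
```

Run it with `python check_metadata.py https://<your-idp>/.../metadata`. The entity ID it prints is the Issuer your IDP will put in every response, and the HTTP-POST endpoint is where the dashboard will redirect users after they enter their email; if either is missing or the problems list is not empty, fix the IDP application before saving the URL in the dashboard.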
Configuring SAML protocol
Follow the instructions for your given IDP to enable SSO. For your convenience, we have instructions for the following IDPs.
Okta
Log in to your Okta admin dashboard.
Click the Applications tab, then the Integration network option.
On the Integration network page, click the Create a New App button.
The Create a new app integration page opens. Select the SAML 2.0 option, then click the Next button.
Create a new app integration
The General Settings opens. Enter an app name for your SAML protocol, then click the Next button.
The SAML Settings opens. Enter the following values:
Single sign on URL: The Redox auth URL (https://auth.redoxengine.com/saml2/idpresponse)
Audience URI: The intended audience of the SAML assertion (urn:amazon:cognito:sp:us-east-1_sm7bWqZzQ).
Scroll down to the Attribute Statements settings and add the following statements.
Add a statement for the email address attribute:
Name: The attribute name (http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress)
Name format: The specified format for the name (Unspecified)
Value: The name value (user.email)
Add a statement for the name attribute:
Name: The attribute name (http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name)
Name format: The specified format for the name (Unspecified)
Value: The name value, the first and last name joined with a space (user.firstName + " " + user.lastName)
Once the SAML fields are populated, click the Next button.
On the next page, select the I'm an Okta customer adding an internal app option.
Another set of options appears. Select the This is an internal app that we have created option, then click the Next button.
On the next page, click the Sign On tab.
In the SAML Signing Certificates section, your active signing certificate appears. Click the Actions drop-down menu, then select the View IDP metadata option.
View IdP metadata
A new tab opens. Copy the metadata URL from the address bar and paste it into the SAML metadata URL field in the Redox dashboard.
Back in the Okta admin dashboard, assign the users (or groups) who should have dashboard access to the Redox application. Only assigned users can sign in through it, so this assignment is your access policy for the dashboard.
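The values entered above (the Redox auth URL, the Cognito audience URI and the two claim names) are what every SAML response from your IDP has to carry for the dashboard to accept it. The Python below, added here and not Okta or Redox code, checks a captured response against them; it applies equally to an Azure AD application configured with the same identifier, reply URL and default claims. The embedded response is constructed and unsigned, with a hypothetical issuer and user, and the `expected_issuer` and `expected_domain` parameters are this example's own. It does not verify the XML signature, which is the service provider's job; its purpose is to catch a mismatched audience, reply URL or claim name before SSO is turned on for everyone.

```python
"""Check a SAML Response against the SP values Redox documents for its
dashboard. Added example: not Redox, Okta or Azure AD code. The embedded
response is constructed and unsigned; signature verification is done by the
service provider, not here. To check a real one, capture the SAMLResponse
form value with a browser SAML tracer and pass it to decode_saml_response().
"""
import base64
import xml.etree.ElementTree as ET

ACS_URL = "https://auth.redoxengine.com/saml2/idpresponse"
AUDIENCE = "urn:amazon:cognito:sp:us-east-1_sm7bWqZzQ"
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
NAME_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def decode_saml_response(form_value: str) -> bytes:
    """The SAMLResponse POST parameter is the base64 of the response XML."""
    return base64.b64decode(form_value)


def check_saml_response(xml_bytes: bytes, expected_issuer: str, expected_domain: str) -> tuple:
    """Return (attributes, problems). An empty problems list means the response
    matches the dashboard's SP settings. expected_issuer is your IDP's entity ID,
    expected_domain the Domain name entered in the dashboard (both hypothetical
    inputs of this example)."""
    root = ET.fromstring(xml_bytes)
    problems = []
    if root.get("Destination") != ACS_URL:
        problems.append(f"Destination {root.get('Destination')!r} is not the ACS URL {ACS_URL}")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("status is not Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("no plaintext saml:Assertion (missing or encrypted)")
        return {}, problems
    issuer = assertion.findtext("saml:Issuer", "", NS).strip()
    if issuer != expected_issuer:
        problems.append(f"issuer {issuer!r} != expected {expected_issuer!r}")
    audiences = [(a.text or "").strip() for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if AUDIENCE not in audiences:
        problems.append(f"assertion audience {audiences} does not include {AUDIENCE}")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != ACS_URL:
        problems.append("SubjectConfirmationData Recipient is not the ACS URL")
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS) if v.text]
    for claim, label in ((EMAIL_CLAIM, "email"), (NAME_CLAIM, "full name")):
        if not attrs.get(claim):
            problems.append(f"missing {label} attribute {claim}")
    email = (attrs.get(EMAIL_CLAIM) or [""])[0]
    if email and not email.lower().endswith("@" + expected_domain.lower()):
        problems.append(f"email {email} is not in domain {expected_domain}")
    return attrs, problems


# Constructed, unsigned sample in the shape Okta emits; issuer and user are placeholders.
SAMPLE_RESPONSE = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp0001" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z" Destination="https://auth.redoxengine.com/saml2/idpresponse">
  <saml:Issuer>http://www.okta.com/exk0000example</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_asrt0001" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>http://www.okta.com/exk0000example</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2024-01-01T00:05:00Z"
            Recipient="https://auth.redoxengine.com/saml2/idpresponse"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>urn:amazon:cognito:sp:us-east-1_sm7bWqZzQ</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml:AttributeValue>jane.doe@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml:AttributeValue>Jane Doe</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""

if __name__ == "__main__":
    attributes, issues = check_saml_response(SAMPLE_RESPONSE, "http://www.okta.com/exk0000example", "example.com")
    print("attributes:", attributes)
    print("problems:", issues or "none")
```

The two most common mistakes this surfaces are an Audience URI that was left at Okta's or Azure's default instead of the Cognito value, and claim names typed without the full `http://schemas.xmlsoap.org/...` prefix; either produces a response the dashboard will reject even though the IDP login itself succeeds.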
Azure Active Directory
Log in to your Azure portal.
Navigate to the Azure Active Directory page.
The directory's Overview page opens. On the navigation menu, click the Enterprise applications page.
All of your applications display on the page. Click the New application button.
The Browse Azure AD Gallery page opens. Click the Create your own application button.
A modal opens for your new application. Enter a name for the Redox dashboard application and select the Integrate any other application you don't find in the gallery (Non-gallery) option. Then click the Create button.
Create your own Azure application
The enterprise application Overview page opens. Click the Set up single sign on option.
The Single sign on page opens. Click the SAML option.
The SAML-based Sign-on settings opens. For the Basic SAML Configuration option, click the Edit button.
Edit the SAML settings
The Basic SAML Configuration modal opens. Enter the SAML settings:
Click the Add identifier link and replace the default identifier ID (entity ID) with the new identifier: urn:amazon:cognito:sp:us-east-1_sm7bWqZzQ.
Click the Add reply URL link and enter the Redox auth URL: https://auth.redoxengine.com/saml2/idpresponse.
After both values are entered, click the Save button at the top.
The modal closes. Back on the SAML-based Sign-on settings, click the Edit button for the Attributes & Claims option.
Edit the Attributes & Claims
The Redox dashboard currently requires claims for the user's name and email address. Use the default SAML claims configured in the Azure Active Directory application, or modify them to meet your organization's needs. The defaults are the following: