Set up SSO for your organization

Single sign-on (SSO) lets users access your Redox dashboard account through a third-party identity provider, so you control who can log in from a central resource for your organization. Redox supports identity providers compatible with the SAML 2.0 protocol.

With SSO, a user from your organization enters their email on the dashboard login page, which then redirects them to your identity provider for authentication. If successfully authenticated, they are redirected back to the dashboard as a logged-in user.

Only for Standard or above users

For our Basic plan customers, SSO isn't available. Talk to a Redoxer if you're interested in upgrading to take advantage of SSO.

For our Standard (and above) plan customers, SSO is enabled by default. But SSO is only available to dashboard users who belong to exactly one dashboard organization. If your organization has users who are part of multiple organizations, they must remove themselves from, or transfer their access to, a different Redox account before using SSO.

Configuring in the dashboard

For Standard (and above) customers, an organization owner can follow these steps to turn on SSO:

  1. Log in to the dashboard.
  2. On the navigation menu, your username displays at the bottom. Click your username for the user menu to appear.
  3. From the user menu, select the Organization Profile option.
    Organization Profile option of the user menu
  4. By default, the Organization Info page displays. Click the Settings tab.
  5. The page opens with the organization settings. Under the Single Sign-On section, toggle the SSO option to on.

    For non-organization owners

    If you're not an organization owner, the toggle option won't be available. Instead, the Single Sign-On section displays a warning that says you must be an organization owner to manage SSO.

  6. A modal appears with details for your identity provider (IDP). Specific configuration details vary between IDPs, but the basic process is the same. Enter the following values from your IDP into the appropriate fields on the modal:
    1. Email domain: The email domain of your organization's users (the part after the @ in their addresses). The dashboard uses the domain of the email entered on the login page to decide which logins to send to your IDP.
    2. Name: The name of your IDP.
    3. Metadata file: The SAML metadata XML document file published by your IDP. It carries the IDP's entity ID, its single sign-on URL and the certificate Redox uses to verify the IDP's signatures. You must populate either this or the following field for the metadata URL.
    4. Metadata URL: The public URL that points to your SAML metadata XML document. You must populate either this or the previous field for the metadata file.
    5. IDP email SAML attribute: The attribute name your IDP puts on the user's email address in the SAML assertion. The Okta and Azure instructions below use http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress.
    6. IDP name SAML attribute: The attribute name your IDP puts on the user's name in the SAML assertion. The Okta and Azure instructions below use http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name.
  7. Once you populate the fields in the modal, click the Save button.
  8. After saving successfully in the dashboard, configure the Redox application on your IDP's side. Refer to your IDP's documentation, or use the Okta and Microsoft Azure Active Directory instructions later on this page.

    If you use Okta

    If you use Okta for your IDP, you can use the instructions after this section to configure Okta for SSO.

  9. Once both sides are configured and setup succeeds, all users must log in via SSO going forward. Previous username and password credentials no longer work, so make sure your organization owners are assigned to the Redox application in your IDP before this point; otherwise they cannot log in.

After SSO is enabled, any new user who successfully authenticates via your identity provider is added to your organization. In other words, assignment to the Redox application in your IDP is what grants dashboard access, so treat that assignment as the access control. Existing users of your organization may not join another Redox organization.

Lastly, keep in mind that user access is revoked from your identity provider: unassign a user from the Redox application there to stop them logging in to the dashboard.

Configuring SAML protocol

Follow the instructions for your given IDP to enable SSO. For your convenience, we have instructions for:

  • Okta
  • Microsoft Azure Active Directory

For Okta

  1. Log in to your Okta admin dashboard.
  2. Click the Applications tab, then the Integration network option.
  3. On the Integration network page, click the Create a New App button.
  4. The Create a new app integration page opens. Select the SAML 2.0 option, then click the Next button.
    Create a new app integration
  5. The General Settings opens. Enter an app name for your SAML protocol, then click the Next button.
    General settings
  6. The SAML Settings opens. Enter the following values:
    1. Single sign on URL: The Redox auth URL (https://auth.redoxengine.com/saml2/idpresponse), where Okta posts the SAML response.
    2. Audience URI (SP Entity ID): The intended audience of the SAML assertion (us-east-1_sm7bWqZzQ). The Azure instructions below identify the same service provider by its full entity ID, urn:amazon:cognito:sp:us-east-1_sm7bWqZzQ. The audience in the assertion must match the service provider's entity ID exactly, so if the short form is rejected, enter the full urn form.
      SAML Settings
  7. Scroll down to the Attribute Statements settings and add the following statements.
    1. Add a statement for the email address attribute:
      1. Name: The attribute name (http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress)
      2. Name format: The specified format for the name (Unspecified)
      3. Value: The name value (user.email)
    2. Add a statement for the name attribute:
      1. Name: The attribute name (http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name)
      2. Name format: The specified format for the name (Unspecified)
      3. Value: The name value (user.firstName + " " + user.lastName, with a space between the two so the user's full name is asserted)
        Attribute statements
  8. Once the SAML fields are populated, click the Next button.
  9. On the next page, select the I'm an Okta customer adding an internal app option.
  10. Another set of options appears. Select the This is an internal app that we have created option, then click the Next button.
  11. On the next page, click the Sign On tab.
  12. In the SAML Signing Certificates section, your active signing certificate appears. Click the Actions drop-down menu, then select the View IDP metadata option.
    View IdP metadata
  13. A new tab opens. Copy the metadata URL and paste it into the Metadata URL field in the Redox dashboard.
  14. Back in the Okta admin dashboard, assign users, including your organization owners, to the Redox application. Only assigned users can log in to the dashboard once SSO is on.

For Microsoft Azure Active Directory

  1. Log in to your Azure portal.
  2. Navigate to the Azure Active Directory page.
  3. The directory's Overview page opens. On the navigation menu, click the Enterprise applications page.
  4. All of your applications display on the page. Click the New application button.
  5. The Browse Azure AD Gallery page opens. Click the Create your own application button.
  6. A modal opens for your new application. Enter a name for the Redox dashboard application and select the Integrate any other application you don't find in the gallery (Non-gallery) option. Then click the Create button.
    Create your own Azure application
  7. The enterprise application Overview page opens. Click the Set up single sign on option.
  8. The Single sign on page opens. Click the SAML option.
  9. The SAML-based Sign-on settings opens. For the Basic SAML Configuration option, click the Edit button.
    Edit the SAML settings
  10. The Basic SAML Configuration modal opens. Enter the SAML settings:
    1. Click the Add identifier link and replace the default identifier ID (entity ID) with the new identifier: urn:amazon:cognito:sp:us-east-1_sm7bWqZzQ.
    2. Click the Add reply URL link and enter the Redox auth URL: https://auth.redoxengine.com/saml2/idpresponse.
    3. After both values are entered, click the Save button at the top.
      SAML settings
  11. The modal closes. Back on the SAML-based Sign-on settings, click the Edit button for the Attributes & Claims option.
    Edit the Attributes & Claims
  12. The Redox dashboard currently requires claims for the user's name and email address. Use the default SAML claims configured in the Azure Active Directory application, or modify them to meet your organization's needs. Whatever claim names you use must match the IDP email SAML attribute and IDP name SAML attribute you entered in the Redox dashboard. The defaults are the following:
    1. Email: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress.
    2. Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name.
  13. Back on the SAML-based Sign-on settings, locate the App Federation Metadata URL under the SAML Signing Certificate option. Copy the metadata URL and paste it into the Metadata URL field in the Redox dashboard. Then assign users, including your organization owners, to the application so they can log in once SSO is on.
    The metadata URL
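Whichever IDP you use, the setup on this page comes down to two documents: the IDP metadata you paste into the dashboard's Metadata file or Metadata URL field, and the SAML assertion your IDP sends to the Redox auth URL, which must carry the audience, recipient and the email and name attributes configured above. The script below is an added example, not code from Redox, Okta or Microsoft, that checks both offline with Python's standard library before you flip the SSO toggle. The sample metadata and assertion are constructed for illustration (the Okta hostname and app IDs are fictitious and the certificate is a placeholder, not a real X.509 certificate); the Redox auth URL, entity ID and claim names are the values listed on this page.

```python
# Added example, not Redox's or any IdP's code: offline pre-flight checks on the
# two SAML documents this page depends on, using only the standard library.
import base64
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Service-provider values as listed on this page.
REDOX_ACS_URL = "https://auth.redoxengine.com/saml2/idpresponse"
REDOX_AUDIENCE = "urn:amazon:cognito:sp:us-east-1_sm7bWqZzQ"
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
NAME_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"


def inspect_idp_metadata(xml_text):
    """Return entityID, SSO endpoints and signing-certificate count, raising if
    anything the dashboard's Metadata file/URL field relies on is missing."""
    root = ET.fromstring(xml_text)
    entity_id = root.get("entityID")
    idp = root.find("md:IDPSSODescriptor", NS)
    if not entity_id or idp is None:
        raise ValueError("not IdP metadata: need entityID and IDPSSODescriptor")
    certs = 0
    for kd in idp.findall("md:KeyDescriptor", NS):
        cert = kd.find(".//ds:X509Certificate", NS)
        if kd.get("use", "signing") == "signing" and cert is not None and cert.text:
            der = base64.b64decode("".join(cert.text.split()))
            if not der.startswith(b"\x30"):  # an X.509 certificate is a DER SEQUENCE
                raise ValueError("signing certificate is not DER-encoded")
            certs += 1
    sso = {s.get("Binding", "").rsplit(":", 1)[-1]: s.get("Location", "")
           for s in idp.findall("md:SingleSignOnService", NS)}
    if not certs or not sso:
        raise ValueError("metadata lacks a signing certificate or an SSO endpoint")
    if any(not loc.startswith("https://") for loc in sso.values()):
        raise ValueError("SSO endpoint is not https")
    return {"entity_id": entity_id, "sso": sso, "signing_certs": certs}


def inspect_assertion(xml_text, email_domain, email_attr=EMAIL_CLAIM, name_attr=NAME_CLAIM):
    """List anything that would make the Redox SP reject or mis-map the assertion.
    Signature verification is deliberately left to the SP (it uses the metadata cert)."""
    root = ET.fromstring(xml_text)
    a = root if root.tag.endswith("}Assertion") else root.find(".//saml:Assertion", NS)
    if a is None:
        raise ValueError("no Assertion element")
    problems = []
    audiences = [x.text for x in a.findall(".//saml:AudienceRestriction/saml:Audience", NS)]
    if REDOX_AUDIENCE not in audiences:
        problems.append(f"audience {audiences} is not {REDOX_AUDIENCE}")
    scd = a.find(".//saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != REDOX_ACS_URL:
        problems.append("Recipient is not the Redox auth URL")
    attrs = {x.get("Name"): [v.text or "" for v in x.findall("saml:AttributeValue", NS)]
             for x in a.findall(".//saml:AttributeStatement/saml:Attribute", NS)}
    email = (attrs.get(email_attr) or [""])[0]
    name = (attrs.get(name_attr) or [""])[0]
    if not email:
        problems.append(f"missing email attribute {email_attr}")
    elif email.rsplit("@", 1)[-1].lower() != email_domain.lower():
        problems.append(f"{email} is outside the configured email domain {email_domain}")
    if not name.strip():  # e.g. a firstName + " " + lastName expression that produced only a space
        problems.append(f"missing name attribute {name_attr}")
    return {"email": email, "name": name, "problems": problems}


# Constructed sample documents. The certificate is a placeholder DER SEQUENCE,
# not a real X.509 certificate; the Okta hostname and app IDs are fictitious.
SAMPLE_IDP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://www.okta.com/exk000000000000000000">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MAMCAQE=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.okta.com/app/exk000000000000000000/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c0ffee" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Subject><saml:NameID>jane.doe@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://auth.redoxengine.com/saml2/idpresponse"/>
    </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>urn:amazon:cognito:sp:us-east-1_sm7bWqZzQ</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
      <saml:AttributeValue>Jane Doe</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
```

To use it against your own IDP, pass the text of the metadata document from the Okta View IDP metadata tab or the Azure App Federation Metadata URL to inspect_idp_metadata, and a decoded assertion captured from a test login (your browser's developer tools will show the base64 SAMLResponse posted to the Redox auth URL) to inspect_assertion with your email domain. An empty problems list means the audience, recipient and the two claim names line up with what you entered in the dashboard; an audience mismatch is the symptom to look for if you entered the short Okta Audience URI form.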