Single Sign On

Single Sign-On (SSO) is an authentication mechanism that allows users to access multiple applications by using a single ID and password.

Software AG Cloud supports SSO that allows users to authenticate themselves against an Identity Provider (IdP) rather than obtain and use a separate username and password. Once the IdP authenticates a user, it notifies Software AG Cloud, which in turn lets the user access the applications without having to sign in with Software AG Cloud credentials. This makes the login process easier, faster, and more secure.

Software AG Cloud supports the following Single Sign-On Providers:

How It Works

Let us see an example of how to configure OKTA as a SAML-based external identity provider to authenticate Software AG Cloud users.

To set up SSO for Software AG Cloud, ensure that you have:

Overview of Steps

  1. Create the URI for connecting IdPs to Software AG Cloud

  2. Configure IdPs (OKTA) to connect to Software AG Cloud

  3. Import IdP SAML settings into Software AG Cloud

  4. Configure IdP details in Software AG Cloud

Note: You cannot use an external IdP user as a technical user for API authentication. Instead, use an internal user for technical API calls.

Detailed Steps

1. Create the URI for connecting IdPs to Software AG Cloud

a. Log in to your Software AG Cloud account. Navigate to the My Cloud > Administration page, and click the Single sign-on tab.

b. Click Add Identity Provider. A new screen appears where you add an Identity Provider to authenticate Software AG Cloud users.

c. Enter the following details in the Add Identity Provider screen:

Note: Keep this window open, as you will need these details for setting up the Software AG Cloud application in your IdP in the next step.

2. Configure IdPs (OKTA) to connect to Software AG Cloud

a. Log in to your IdP account as a user with Administrator privileges.

b. Go to Admin > Applications to create a new application integration. Click Add Application to add the Software AG Cloud application.

c. Select SAML 2.0 as the sign-on method.

d. In the App name field, enter an application name. After this, click Next.

e. In the Configure SAML settings tab, enter the following details:

f. After configuring SAML settings, click Next to proceed to the Feedback section. For this tutorial, we will configure the following details:

g. Once you have configured the Feedback options, click Finish.

After configuring the SAML settings, assign Users/People to the application. If you have created OKTA groups (under Okta Directory), assign Users/People to those groups and assign the groups to the application.

3. Import IdP SAML settings into Software AG Cloud

To import the SAML settings of IdP into Software AG Cloud:

a. Go to the newly created OKTA application, click Sign On, click the Identity provider metadata link, and then either copy the URI or save the metadata to a file.

4. Configure IdP details in Software AG Cloud

a. Switch back to the My Cloud SSO Settings window and complete the configuration in Software AG Cloud. If you copied the OKTA metadata URI or saved the metadata to a file, choose to import, and then specify the URI or file.
Click Next.

b. On the Configuration page, complete the fields as necessary. If you imported the OKTA metadata, some of the fields are pre-populated with that metadata.

c. If you did not import the OKTA metadata, the Software AG Cloud fields map to OKTA fields as follows. Let’s understand what these fields are:

d. On the Attributes page, map the “Identity provider user attributes” to the “Software AG Cloud user attributes”.

e. On the Roles page, grant access to IdP users either by assigning default Software AG Cloud roles to OKTA users or by assigning Software AG Cloud roles to OKTA users based on OKTA group membership.
For the second case, click Assign Software AG Roles to users by mapping to identity provider roles. Click +, select a Software AG Cloud role, and then type the name of the OKTA group that corresponds to the role. You can later go to individual Software AG Cloud products and modify access.

f. Save the Identity Provider configuration. Now the configuration for Identity Provider in Software AG Cloud is complete.

On successful configuration of the Identity Provider, you will see the Identity Provider name on the Software AG Cloud login page.

On successful authentication by the SSO server, you are redirected to Integration and can access it without additional authentication.