Address Manager supports Single Sign-On (SSO) via SAML 2.0 and acts as a Service Provider (SP) for SSO. In the SSO integration, users have the following login options with Address Manager:
- Log in directly to Address Manager (SP-initiated SSO)
- Log in through the IdP (IdP-initiated SSO)
- ADFS (Active Directory Federated Services)
If your organization is using a different IdP than those supported by Address Manager, you can still use the IdP as long as it adheres to the SAML 2.0 specification. For more information, refer to your IdP's documentation on how to configure a service provider.
SSO with Okta identity providers is supported only through SAML 2.0. Okta OAuth 2.0 (with OpenID Connect) is not supported at this time.
In SP-initiated SSO, log in to Address Manager directly using your company's SSO credentials. When you log in through Address Manager, Address Manager sends an authentication request to the IdP. The IdP validates your credentials and once validation is successful, the IdP generates a SAML token. The IdP redirects the SAML token to Address Manager and allows access.
The diagram below illustrates the SP-initiated SSO authentication process:
In IdP-initiated SSO, log in through the IdP login page using your company's SSO credentials. When you log in through the IdP login page, the IdP validates your credentials and once validation is successful, the IdP generates a SAML token. The IdP now redirects you to Address Manager.
The diagram below illustrates the IdP-initiated SSO authentication process:
|SSO Enabled||SSO Enforced|
During SSO authentication, the IdP generates access tokens. Any clock discrepancy between Address Manager and the IdP could cause a disagreement over the token expiration time, leading to authentication errors. BlueCat recommends using NTP to synchronize Address Manager and the IdP.