Enabling Single Sign-on (SSO)
  • 06 Dec 2024


Introduction

Ushur is committed to enhancing user experiences by making authentication smoother, more secure, and less cumbersome. With this objective in mind, Ushur introduces Single Sign-On (SSO)—a feature that allows users to log in to the Ushur platform using their enterprise credentials.

SSO integration ensures a seamless and secure authentication experience by leveraging the enterprise’s existing Identity Provider (IdP). This eliminates the need for multiple login credentials while enabling centralized access control for enhanced security and simplified management.


Feature Overview

What is SSO?

  • Single Sign-On (SSO) enables users to securely access Ushur using their enterprise credentials, eliminating the need for separate login information.

  • By integrating with the organization’s IdP, SSO delivers a seamless, secure authentication process.


Key Benefits of SSO in Ushur

  1. Simplified User Management:

    • Users log in using their enterprise credentials, eliminating the need for separate usernames and passwords for Ushur.

  2. Enhanced Security:

    • Ushur supports the industry-standard protocols OpenID Connect (on OAuth 2.0) and SAML 2.0. For OIDC, Ushur authenticates itself to the IdP with a client secret when it exchanges the authorization code for tokens.

      Note

      Certificate-based client authentication is not supported. The certificate exchanged for SAML 2.0 is the IdP's signing certificate, which Ushur uses to verify assertions; it is not a client credential.

  3. Broad Integration:

    • Compatible with Google and Microsoft Azure, and with any IdP that implements OIDC or SAML 2.0, such as Okta, PingOne, and OneLogin.

  4. Role-Based Access Control:

    • Uses attributes asserted by the IdP in the token or assertion to assign Ushur user roles, so permissions follow the enterprise directory.


Supported Features

  • Client Secret-based Authentication for OAuth 2.0/OpenID Connect (OIDC).

  • Configurable support for multiple IdPs within a single Ushur deployment.

  • Flexible redirect URLs for login, logout, and token validation flows.


Supported Standards and Providers

Supported Standards

  • OpenID Connect (OIDC) on OAuth 2.0 (preferred)

  • SAML 2.0


Supported Providers

  • Standard Providers

    • Google.

    • Microsoft Azure.

  • Generic OIDC & SAML 2.0 Providers

    • Ushur supports integration with Identity Providers (IdPs) that adhere to OIDC or SAML 2.0 standards.

    • Examples:

      • Okta.

      • PingOne.

      • OneLogin.


Supported Authentication Mechanisms

  • Client Secret-based Authentication: The only supported way for Ushur to prove its identity to the enterprise IdP. With OIDC, Ushur presents the client ID and client secret to the IdP's token endpoint when it exchanges the authorization code for tokens.

Note

Certificate-based client authentication (for example a signed client assertion or mutual TLS) and PKCE are not currently supported but are being evaluated for future implementation. PKCE is not a client-authentication method: it binds the authorization code to the client that requested it and complements a client secret rather than replacing it.


Enable SSO with Google and Azure Providers

To integrate Single Sign-On (SSO) with Google or Microsoft Azure as the Identity Provider (IdP), follow these steps:

Step 1. Configure the IDP

  1. The enterprise IT team registers Ushur as an OAuth/OIDC application in Google or Microsoft Azure and obtains a client ID and client secret for it.

  2. Redirect URI: This will be provided by your Ushur Customer Success Manager (CSM) and must be registered in the IdP exactly as given. Both providers match redirect URIs exactly, so a difference in scheme, host, path, or trailing slash causes the IdP to reject the login.

  3. Refer to the provider's own documentation for the registration steps.

Step 2. Provide Information to Ushur

  1. After completing the setup in your system, provide the following details to Ushur:

    • Client ID

    • Client Secret (hand it over through an agreed secure channel rather than e-mail or chat, and rotate it in the IdP if it is ever exposed)

Step 3. Configuration on the Ushur Platform

  1. The Ushur team will configure the platform with the provided details.

  2. Validate the setup with a test login by a user who has been provisioned for SSO, confirming that the redirect to the IdP and back to Ushur succeeds.


Enable SSO with OAuth 2.0 / OIDC

To enable Single Sign-On (SSO) using OAuth 2.0/OpenID Connect (OIDC), follow these steps:

Step 1: Configure the Identity Provider (IdP)

The Ushur team will share the information the IT team needs to register Ushur as an OIDC client in their Identity Provider (IdP), including the redirect URI the IdP must accept (see the Google/Azure steps above).

Step 2: Share Configuration Details with Ushur

Once the IdP configuration is complete, the IT Team must share the following details with Ushur:

  • Identity Provider (IdP) Name:

    • Specify the name of the IdP (e.g., Google, Azure, Okta, PingOne).

  • Enterprise Logo (Optional):

    • Provide the organization’s logo for branding purposes on the login page.

    • Accepted formats: URL or a file.

  • Client Credentials:

    • Client ID: Generated by the IdP.

    • Client Secret: Generated by the IdP (ensure this is securely stored).

  • IdP Endpoints (for any OIDC-compliant IdP these are published in the discovery document at {Issuer URL}/.well-known/openid-configuration; copy them from there rather than by hand):

    • Authorization URL: Where Ushur sends the user's browser to log in at the IdP.

    • Token URL: Where Ushur exchanges the authorization code for tokens, authenticating with the client ID and secret. It must be an HTTPS URL, since the secret travels in the request.

    • Issuer URL: The IdP's unique identifier. It must match the iss claim in the ID tokens the IdP issues, including scheme, host, path, and any trailing slash.

    • UserInfo URL: To fetch additional user attributes (optional based on your setup).

Step 3: Ushur Configures the Platform

The Ushur team will use the provided information to configure OAuth 2.0/OIDC on the platform:

  • Update the system’s configuration files with the provided credentials and URLs.

  • Validate the setup with a test login through the IdP by a user who has been provisioned for SSO.
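The following is an added example, not code from Ushur or from its documentation. It shows, for the Google/Azure flow and the generic OIDC flow above, what a relying party in Ushur's position does with the values the IT team hands over: sanity-checking the endpoint set, building the authorization request with state and nonce, sending the client secret to the token endpoint (client_secret_basic), and validating the ID token claims. The issuer https://idp.example.com, the client ID ushur-client, the redirect URI, the discovery document and the sample claims are all constructed for this example; signature verification of the ID token against the IdP's JWKS is assumed to have succeeded already and is not shown.

```python
"""Added example (not Ushur's code): relying-party checks on OIDC configuration and tokens.
All URLs, IDs and the discovery document below are hypothetical/constructed."""
import base64
import secrets
from urllib.parse import quote, urlencode, urlsplit

CLIENT_ID = "ushur-client"                                   # hypothetical
REDIRECT_URI = "https://platform.example.com/oidc/callback"  # hypothetical
NOW = 1_733_443_200                                          # 2024-12-06T00:00:00Z, fixed for the sample

# Constructed discovery document, shaped like {issuer}/.well-known/openid-configuration.
DISCOVERY = {
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/oauth2/authorize",
    "token_endpoint": "https://idp.example.com/oauth2/token",
    "userinfo_endpoint": "https://idp.example.com/oauth2/userinfo",
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"],
}

# Constructed ID-token payload as it looks after the signature has been verified.
SAMPLE_CLAIMS = {
    "iss": "https://idp.example.com", "aud": "ushur-client", "sub": "10001",
    "email": "alice@example.com", "iat": NOW, "exp": NOW + 300, "nonce": "n1",
}


def check_discovery(doc):
    """Return a list of problems with the endpoint set handed over; [] means usable."""
    problems = []
    if urlsplit(doc.get("issuer", "")).scheme != "https":
        problems.append("issuer must be an https URL")
    for key in ("authorization_endpoint", "token_endpoint", "userinfo_endpoint"):
        url = doc.get(key)
        if not url:
            problems.append(f"{key} missing")
        elif urlsplit(url).scheme != "https":
            problems.append(f"{key} not https")  # a code or the secret would travel in clear
    # Discovery spec: when the list is absent, the IdP supports client_secret_basic.
    methods = doc.get("token_endpoint_auth_methods_supported", ["client_secret_basic"])
    if not {"client_secret_basic", "client_secret_post"} & set(methods):
        problems.append("IdP offers no client-secret authentication method")
    return problems


def build_authorization_url(doc, state, nonce):
    """Step 1 of the code flow. state ties the callback to this browser session;
    nonce is echoed in the ID token and binds the token to this login attempt."""
    params = {
        "response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
        "scope": "openid email profile", "state": state, "nonce": nonce,
    }
    return doc["authorization_endpoint"] + "?" + urlencode(params)


def build_token_request(doc, code, client_secret):
    """Step 2: exchange the code using client_secret_basic (RFC 6749 section 2.3.1):
    client_id:client_secret, each form-urlencoded, then base64 in an Authorization header."""
    if urlsplit(doc["token_endpoint"]).scheme != "https":
        raise ValueError("refusing to send the client secret over plain HTTP")
    creds = f"{quote(CLIENT_ID, safe='')}:{quote(client_secret, safe='')}".encode()
    headers = {
        "Authorization": "Basic " + base64.b64encode(creds).decode(),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({"grant_type": "authorization_code", "code": code, "redirect_uri": REDIRECT_URI})
    return doc["token_endpoint"], headers, body


def validate_id_token_claims(claims, expected_nonce, now):
    """OIDC Core 3.1.3.7 claim checks that must follow signature verification.
    Returns the e-mail address the platform will look up as the SSO user."""
    if claims.get("iss") != DISCOVERY["issuer"]:
        raise ValueError("iss does not match the configured Issuer URL")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else list(aud or [])
    if CLIENT_ID not in aud:
        raise ValueError("token was not issued to this client")
    if len(aud) > 1 and claims.get("azp") != CLIENT_ID:
        raise ValueError("multiple audiences but azp is not this client")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("token expired or has no exp")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch: token was not minted for this login")
    if "email" not in claims:
        raise ValueError("no email claim; request the email scope at the IdP")
    return claims["email"]


if __name__ == "__main__":
    assert check_discovery(DISCOVERY) == []
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    print(build_authorization_url(DISCOVERY, state, nonce))
    print(validate_id_token_claims(dict(SAMPLE_CLAIMS, nonce=nonce), nonce, NOW))
```

The nonce and issuer checks are the ones that matter most for the integration described here: a token that verifies cryptographically but was minted for another client, another login attempt, or by another issuer is still rejected.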


Enable SSO with SAML 2.0

Follow these steps to configure Single Sign-On (SSO) using the SAML 2.0 protocol:

Step 1: Information Provided by Ushur to the IT Team

The Ushur team will share the following information with the IT Team for configuring their Identity Provider (IdP):

  1. Redirect/Callback URL:

    • The URL to which the IdP sends the signed SAML response after authentication. In SAML terms Ushur is the Service Provider (SP), and this URL is its Assertion Consumer Service (ACS); it must be configured in the IdP exactly as given.

    • Example: https://{platform-hostname}/SamlAuth/callback

  2. Ushur Logo (Optional):

Step 2: Information Provided by the IT Team to Ushur

Once the IdP is configured, the IT Team must provide the following configuration details to Ushur:

  • Identity Provider Name:

    • Specify the name of the IdP (e.g., Google, Azure, Okta, PingOne).

  • Enterprise Logo (Optional):

    • Provide the organization’s logo for branding purposes on the login page.

  • Client Certificate: The IdP's X.509 signing certificate (the public certificate only, never the private key). Ushur uses it to validate the signature on SAML responses and assertions, so it must be updated in Ushur whenever the IdP rolls its signing key.

  • URL Endpoints:

    • EntryPoint URL: The IdP's single sign-on URL to which Ushur sends authentication requests.

    • Issuer URL: The IdP's entity ID, which must match the Issuer element in the responses it sends.

Step 3: Ushur Configures the Platform

The Ushur team will use the provided details to configure the platform:

  1. Update the platform settings with the Issuer URL, EntryPoint URL, and Certificate.

  2. Validate the integration to ensure:

    • SAML assertions are processed correctly.

    • Attributes from the SAML response are mapped to user roles.


Add the User on Ushur platform as SSO User

Note

This step is performed by the Ushur team.

To add a user on the Ushur platform as an SSO user, follow these steps:


  1. Log in to the Ushur builder as an Admin User.

  2. Navigate to the User Admin Tab.

  3. Enter the user’s email address. It must match the address the enterprise IdP asserts for that user (the email claim in the ID token for OIDC, or the NameID/email attribute for SAML); otherwise authentication at the IdP succeeds but Ushur cannot match the result to a user.

  4. Select the SSO checkbox.

  5. Click the Add User button to save the configuration.

Once the user is added, they can log in using SSO:

  1. On the Ushur builder login page, the user enters their email address.

  2. Click the “Log in with [Identity Provider]” button (e.g., Log in with Azure, Log in with Google).

  3. The user is redirected to the IdP to authenticate and is not prompted for a Ushur password.
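The following is an added example, not code from Ushur or from its documentation. It shows how the platform side can resolve the identity the IdP asserts to the SSO user added in the steps above, and why the two addresses have to match: the lookup is by normalized e-mail, a user that exists but was not added with the SSO checkbox is refused, and, as a policy that goes beyond the page, an address the IdP has not marked as verified is refused unless that check is relaxed for the IdP in question. The user table, field names and policy parameter are hypothetical.

```python
"""Added example (not Ushur's code): resolving an IdP-asserted identity to a provisioned SSO user.
The user table and its field names are constructed for this example."""

# Constructed sample of provisioned users; 'sso' mirrors the SSO checkbox in the steps above.
USERS = {
    "alice@example.com": {"sso": True, "role": "builder"},
    "bob@example.com": {"sso": False, "role": "admin"},   # password-only account
}


def normalize_email(addr):
    """Directories commonly return the address in its canonical casing while the admin
    may have typed it differently; compare case-insensitively and ignore surrounding
    whitespace, but change nothing else."""
    local, sep, domain = addr.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("not an e-mail address")
    return f"{local.lower()}@{domain.lower()}"


def resolve_sso_user(claims, users=USERS, require_verified=True):
    """claims: validated ID-token claims (OIDC) or SAML attributes flattened to a dict.
    Returns (canonical e-mail, role) or raises PermissionError."""
    if require_verified and not claims.get("email_verified", False):
        # IdPs that let users self-assert an address may issue email_verified=false; set
        # require_verified=False per IdP only where the directory itself owns the address.
        raise PermissionError("IdP did not vouch for the e-mail address")
    email = normalize_email(claims.get("email", ""))
    user = users.get(email)
    if user is None:
        raise PermissionError("no user with this address has been added on the platform")
    if not user["sso"]:
        # A password account with the same address must not be taken over through SSO.
        raise PermissionError("user exists but is not enabled for SSO")
    return email, user["role"]
```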

