SSO configuration
Learn how to configure Single Sign-On (SSO) to access authorized resources using a single set of credentials.
Configuration with OAuth2/OpenID Connect
The end-to-end SSO configuration process consists of configuring the authorization server, configuring Reltio Connected Cloud, and verifying SSO on the customer side.
Authorization Server Configuration
If the customer owns or uses an authorization server or IdP for authentication, the customer's technical staff can configure the authorization server. The configuration procedure consists of registering an application (client). The registered application is assigned a unique Client ID and Client Secret, which are used in the authentication flow. On completion, the following information is available:
- Client ID / Client Secret pair
- Login page URI
- Get token URI
- Validate token URI
- List of predefined roles for users imported from the IdP
Reltio-Side Configuration
The Reltio platform team uses the authorization server information to configure the Reltio UI and Reltio OAuth services so that the user is redirected to the appropriate endpoints during the authentication flow. To register an IdP in the Reltio OAuth2 service for a specific tenant, the Reltio platform team needs the following information:
- Client ID
- Client Secret
- Scope
- Login endpoint. For example, https://auth-srv.customer.com/as/authorization.oauth2
- Token endpoint. For example, https://auth-srv.customer.com/as/token.oauth2
- User info endpoint. For example, https://auth-srv.customer.com/idp/userinfo.openid
For more information, see Set up an IdP for OAuth/OIDC.
Configuring SSO access to Reltio using OAuth2.0/OIDC
When customers use an IdP for user access and authentication, roles and groups are still created in the Reltio Authorization service through Reltio Console User Management, together with their permission configuration. Assigning roles/groups to users and creating new users is done in your IdP. The SSO configuration transfers the collection of roles/groups assigned to a user in your IdP to Reltio when that user accesses Reltio via the IdP. When deactivating a user in Okta, it is recommended that your admin also deactivate the user in Reltio Console User Management.
You can enable user group management by adding the name of the attribute that holds the user's groups to the SSO configuration. When a user authenticates successfully, all groups listed for that user in the Identity Provider are added to the user's account.
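The following added example (not Reltio's code) shows the two configured pieces described above in working form: building the redirect to the IdP login endpoint from the registered Client ID, scope and login endpoint, and reading the user's groups out of the userinfo response using the configured group attribute name. The endpoint hosts, the redirect URI and the attribute name `memberOf` are constructed assumptions, not Reltio values.

```python
"""Worked example of the OAuth2/OIDC SSO pieces described above (not Reltio's own code)."""
import secrets
from urllib.parse import urlencode

# Constructed SSO configuration mirroring the fields listed on the page.
# Hosts, redirect_uri and groups_attribute are assumptions for illustration.
SSO_CONFIG = {
    "client_id": "reltio-ui-example",
    "scope": "openid profile email groups",
    "login_endpoint": "https://auth-srv.customer.com/as/authorization.oauth2",
    "token_endpoint": "https://auth-srv.customer.com/as/token.oauth2",
    "userinfo_endpoint": "https://auth-srv.customer.com/idp/userinfo.openid",
    "redirect_uri": "https://reltio.example.com/oauth/callback",  # assumed
    "groups_attribute": "memberOf",  # assumed name of the IdP claim holding groups
}


def build_login_redirect(cfg, state=None):
    """Build the URL the UI redirects the browser to so the IdP login page is shown.

    `state` is a per-request random value that the callback must echo back;
    checking it on return is what stops a forged callback from being accepted.
    """
    state = state or secrets.token_urlsafe(16)
    params = {
        "response_type": "code",
        "client_id": cfg["client_id"],
        "redirect_uri": cfg["redirect_uri"],
        "scope": cfg["scope"],
        "state": state,
    }
    return f"{cfg['login_endpoint']}?{urlencode(params)}", state


def groups_from_userinfo(cfg, userinfo):
    """Return the groups to transfer to the Reltio user from the configured attribute.

    A missing or malformed attribute yields no groups instead of failing open,
    so an unexpected claim shape never grants access. Duplicates and blank
    entries are dropped and the result is sorted for stable comparison.
    """
    raw = userinfo.get(cfg["groups_attribute"])
    if isinstance(raw, str):  # some IdPs emit a single group as a bare string
        raw = [raw]
    if not isinstance(raw, list):
        return []
    return sorted({g.strip() for g in raw if isinstance(g, str) and g.strip()})
```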