
Update Tenant SSO configuration

This task guides you through the process of updating the SSO configuration for multiple Reltio tenants using the Update SSO Configuration API.

The Update SSO Configuration APIs let you configure Single Sign-On (SSO) for access to Reltio tenants. Reltio does not recommend using this API to configure SSO for the first time; configure SSO through the Reltio Console instead. The API is recommended only when you want to apply the same SSO configuration to multiple tenants.

Note: The ROLE_ADMIN_CUSTOMER role is required to perform these operations.
  1. Configure SSO on a tenant
    Ideally, use a DEV tenant so that you can confirm the configuration works before applying it to TEST/PROD tenants.
  2. Execute the GET Customer API to retrieve your customer configuration
    This returns the SSO setup of your tenants.
  3. Apply SSO configuration to other tenants
    1. Identify the externalProviderConfig attribute to help construct the configuration for other tenants.
      SAML example:

        {
            "providerId": "OktaProvider",
            "vendor": "okta",
            "loginEndpoint": "https://dev-432548.okta.com/oauth2/v1/authorize",
            "tokenEndpoint": "https://dev-432548.okta.com/oauth2/v1/token",
            "userInfoEndpoint": "https://dev-432548.okta.com/oauth2/v1/userinfo",
            "callbackEndpoint": "https://auth.reltio.com/oauth/callback",
            "clientId": "0oa9dftgfdgd4qFDW2347",
            "scope": "openid profile email",
            "userIdMapping": "email",
            "userEmailMapping": "email",
            "userRoleMapping": "memberOf",
            "userRoleRegexp": "(AZ_[a-zA-Z0-9_]*)*?",
            "defaultNewUserRoleList": [
                "ROLE_API",
                "ROLE_USER"
            ],
            "tenants": [
                "tenant1"
            ],
            "jwt": false,
            "userGroupsMapping": "groups_info",
            "userGroupRegExp": "([a-zA-Z0-9_]*)*?",
            "defaultGroups": [],
            "rolePerTenantSsoEnabled": false,
            "sendClientCredentialsInBody": false
        }

      OIDC example:

        {
            "providerId": "OktaProvider",
            "vendor": "okta",
            "loginEndpoint": "https://dev-432548.okta.com/oauth2/v1/authorize",
            "tokenEndpoint": "https://dev-432548.okta.com/oauth2/v1/token",
            "userInfoEndpoint": "https://dev-432548.okta.com/oauth2/v1/userinfo",
            "callbackEndpoint": "https://auth.reltio.com/oauth/callback",
            "clientId": "0oa9dftgfdgd4qFDW2347",
            "scope": "openid profile email",
            "userIdMapping": "email",
            "userEmailMapping": "email",
            "userRoleMapping": "memberOf",
            "userRoleRegexp": "(AZ_[a-zA-Z0-9_]*),*?",
            "defaultNewUserRoleList": [
                "ROLE_API",
                "ROLE_USER"
            ],
            "tenants": [
                "tenant1"
            ],
            "jwt": false,
            "userGroupsMapping": "groups_info",
            "userGroupRegExp": "([a-zA-Z0-9_]*),*?",
            "defaultGroups": [],
            "rolePerTenantSsoEnabled": false,
            "sendClientCredentialsInBody": false
        }

      The configuration is essentially the same in both cases; the vendor sub-attribute is the key difference. Reltio natively supports OIDC and leverages AWS Cognito to support SAML. If you have a SAML configuration, you will see "Cognito" in the vendor.
    2. Under the externalProviderConfig attribute, identify the tenants sub-attribute
    3. Add all your tenant IDs under the externalProviderConfig/tenants attribute
      If you started with the DEV tenant you should only add the TEST tenant and verify that it works. Only after that should you add the PROD tenant.
    4. Put the configuration on the target tenants
      Use the Update Customer API to apply the configuration.
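
One way to prepare the step 3 change before sending it with the Update Customer API, shown as an added example that is not Reltio's code: it adds one tenant at a time in DEV, TEST, PROD order, rejects non-HTTPS endpoints, and confirms that only the tenants attribute changed. The tenant IDs tenant2 and tenant3, the stage map, and the function names are assumptions; the provider entry is a constructed, trimmed copy of the example above.

```python
import copy
from urllib.parse import urlparse

# Constructed sample: trimmed copy of the externalProviderConfig example above.
SAMPLE_PROVIDER = {
    "providerId": "OktaProvider",
    "vendor": "okta",
    "loginEndpoint": "https://dev-432548.okta.com/oauth2/v1/authorize",
    "tokenEndpoint": "https://dev-432548.okta.com/oauth2/v1/token",
    "userInfoEndpoint": "https://dev-432548.okta.com/oauth2/v1/userinfo",
    "callbackEndpoint": "https://auth.reltio.com/oauth/callback",
    "defaultNewUserRoleList": ["ROLE_API", "ROLE_USER"],
    "tenants": ["tenant1"],
}
ENDPOINT_KEYS = ("loginEndpoint", "tokenEndpoint", "userInfoEndpoint", "callbackEndpoint")
STAGES = ("DEV", "TEST", "PROD")  # rollout order described in step 3


def extend_tenants(provider, tenant_id, stage_of):
    """Return a copy of `provider` with `tenant_id` added under `tenants`.

    stage_of is a hypothetical caller-supplied map: tenant ID -> DEV/TEST/PROD.
    Raises ValueError if an endpoint is not HTTPS or an earlier stage is skipped.
    """
    for key in ENDPOINT_KEYS:
        if urlparse(provider[key]).scheme != "https":
            raise ValueError(f"{key} is not HTTPS: {provider[key]}")
    updated = copy.deepcopy(provider)
    if tenant_id in updated["tenants"]:
        return updated  # already covered; nothing to add
    covered = {stage_of[t] for t in updated["tenants"]}
    target = stage_of[tenant_id]
    skipped = [s for s in STAGES[:STAGES.index(target)] if s not in covered]
    if skipped:
        raise ValueError(f"cover a {skipped[0]} tenant before adding {target} tenant {tenant_id}")
    updated["tenants"].append(tenant_id)
    return updated


def changed_keys(before, after):
    """List the keys whose values differ, to confirm only `tenants` changed."""
    return sorted(k for k in before.keys() | after.keys() if before.get(k) != after.get(k))
```

Run changed_keys on the retrieved and the edited provider entry before sending the update; any key other than tenants in the result means the SSO settings themselves were altered.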