External Authentication
Overview
Refer to the Getting Started section on Users & Roles for details about how users and roles are used on the SIFF platform. This guide covers how to configure external authentication to provide Single Sign-On (SSO) capabilities to SIFF users.
Supported Mechanisms
- OpenID Connect (in general) but also built-in support for:
- Amazon
- Auth0
- Azure AD
- Bitbucket
- DigitalOcean
- GitHub
- Gitlab
- MicrosoftOnline
- Okta
- SalesForce
- LDAP such as Microsoft Active Directory
Configuring External Auth
OpenID Connect (and related)
OpenID Connect is a standard for SSO authentication supported by many popular platforms like Google and Okta. A number of built-in options are provided for these along with generic OpenID Connect support.
Configuring external authentication is done via the Admin app under Organizations and editing an existing entry. For new organizations the default setting is No external auth provider. To configure external authentication, select a provider type from the drop-down and complete the rest of the fields. See the sections below for information on specific provider types.
Built-in Provider Configuration
- Okta
- Azure AD
- (generic) OpenID Connect
- Others: refer to (generic) OpenID Connect above and documentation from your OpenID Provider to configure. Contact us if you need assistance.
LDAP
Note: LDAP support is currently undergoing some changes; if you intend to use LDAP, please contact us.
Configuring Users
With external authentication enabled users can be:
- Manually created in SIFF and set to use external authentication
- Automatically created (requires role mapping configuration)
Manual Creation
When external authentication is configured for an Organization, SIFF users can be configured to use the provider. This can be done via the Admin app under User Security in a number of ways:
- Inviting a new user
- Bulk importing users
- Editing an existing user
- Bulk toggling external auth for existing users
Below is the Invite user dialog; the Edit and Bulk import dialogs have a similar option to enable external authentication. This option is only available if external authentication is already configured.
It is important that each user's Login / Email exactly matches the SSO ID on the authentication provider. Otherwise, either authentication will fail against the authentication provider, or, when the user is redirected back to SIFF, the ID will not match and the user will not be recognized.
Automatic Creation
For users to be automatically created on SIFF there are two prerequisites:
- An Org Sign In Keyword must be configured. This allows users to enter the keyword instead of a username on the SIFF Sign In page and be redirected to the external authentication provider.
- Mapping configuration is required to retrieve group information from the external authentication provider and use it to map groups to SIFF Roles.
With the above in place, new users can sign in with the Org Keyword. This redirects to the external authentication provider and, once authenticated, redirects back to SIFF. At this point SIFF automatically creates the user with the appropriate role and the user is logged in.
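The two rules above (the exact Login / Email match that manual provisioning depends on, from the Manual Creation section, and the group-to-role mapping that automatic creation depends on) can be illustrated together. The following is an added example written for this page; it is not SIFF's own code and does not use any SIFF API. The claim names ("email", "groups"), the group names, the role names and the tie-break order between roles are all assumptions, and the user records and mapping configuration are constructed sample data.

```python
# Added illustration of two rules from this page, not SIFF's own code:
#  1. A SIFF user's Login / Email must exactly match the SSO ID returned by
#     the provider, otherwise the user is not recognized after the redirect.
#  2. With an Org Sign In Keyword and a group-to-role mapping in place, an
#     unknown user is created automatically with the mapped role.
# Claim names ("email", "groups"), role names and group names are assumptions.
from dataclasses import dataclass
from typing import Optional


def sample_users():
    """Constructed SIFF user records keyed by Login / Email."""
    return {
        "alice@example.com": {"external_auth": True, "role": "Analyst"},
        "bob@example.com": {"external_auth": False, "role": "Viewer"},
    }


# Constructed mapping configuration: provider group -> SIFF role.
ROLE_MAPPING = {
    "siff-admins": "Administrator",
    "siff-analysts": "Analyst",
    "siff-viewers": "Viewer",
}

# Assumed tie-break when a user belongs to several mapped groups.
ROLE_PRECEDENCE = ["Administrator", "Analyst", "Viewer"]


@dataclass
class Outcome:
    status: str                 # signed_in | created | unrecognized | no_role | external_auth_disabled
    login: str
    role: Optional[str] = None
    hint: Optional[str] = None  # troubleshooting detail for the administrator


def resolve_role(groups, mapping=ROLE_MAPPING):
    """Pick one SIFF role from the provider's group claim, or None when no
    group is mapped (the user then cannot be auto-created)."""
    candidates = {mapping[g] for g in groups if g in mapping}
    for role in ROLE_PRECEDENCE:
        if role in candidates:
            return role
    return None


def handle_sso_callback(claims, users, via_keyword, mapping=ROLE_MAPPING):
    """Decide what happens when the provider redirects back to SIFF.

    claims:      identity claims from the provider (constructed dicts)
    users:       SIFF user records keyed by Login / Email (mutated on creation)
    via_keyword: True when the user started from the Org Sign In Keyword
    """
    sso_id = claims["email"]          # assumption: the email claim is the SSO ID
    user = users.get(sso_id)          # exact match only, no case folding
    if user is not None:
        if not user["external_auth"]:
            return Outcome("external_auth_disabled", sso_id)
        return Outcome("signed_in", sso_id, user["role"])

    # Not an exact match. A login that differs only in case is the usual cause;
    # report it rather than silently creating a near-duplicate account.
    near_misses = [login for login in users if login.casefold() == sso_id.casefold()]
    if near_misses:
        return Outcome("unrecognized", sso_id,
                       hint=f"case differs from existing login {near_misses[0]!r}")

    if not via_keyword:
        # Manual-creation flow: unknown users are never created.
        return Outcome("unrecognized", sso_id)

    role = resolve_role(claims.get("groups", []), mapping)
    if role is None:
        return Outcome("no_role", sso_id,
                       hint="no provider group is mapped to a SIFF role")
    users[sso_id] = {"external_auth": True, "role": role}
    return Outcome("created", sso_id, role)


if __name__ == "__main__":
    users = sample_users()
    print(handle_sso_callback({"email": "alice@example.com"}, users, via_keyword=False))
    print(handle_sso_callback({"email": "Alice@Example.com"}, users, via_keyword=True))
    print(handle_sso_callback({"email": "carol@example.com",
                               "groups": ["siff-viewers", "siff-analysts"]},
                              users, via_keyword=True))
```

The exact-match lookup deliberately performs no normalization, which is what the page requires; the case-insensitive comparison is used only to produce a hint for the administrator and to stop the keyword flow from creating a second account that differs from an existing one only in letter case. Refusing to create a user when none of their groups is mapped keeps the mapping configuration the single place that decides which roles external users can obtain.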
Please refer to the Configuring External Auth section above for complete details including provider specific instructions.