
Introduction

Single Sign On is a convenient way for users to log into multiple services without needing to enter their user name and password for each service. SnapLogic supports Single Sign On (SSO) through the Security Assertion Markup Language (SAML) standard. If you are using a SAML-2 compatible Identity Provider (IdP) to perform SAML authentication, then you can configure your SnapLogic organization to authenticate users against your IdP.

SnapLogic certifies the following IdPs as compatible with our platform:


If your organization has multiple SnapLogic environments (Orgs), they should all be configured for the same IdP and users should log in with that IdP. Members of an SSO-enabled Org might need to log into a different Org, such as one provided by SnapLogic for training or product trials. In this case, the account in the Org without SSO should be created using a different email address. 

SAML Overview

The SAML standard defines how Service Providers (SP) can communicate with Identity Providers (IdP) to securely authenticate users. In this case, SnapLogic is the Service Provider and OpenAM is the Identity Provider. The communication between the two starts after the user enters their organization name and clicks the Login via Single Sign on link on the SnapLogic home page. The SnapLogic server uses the organization name to find the associated IdP and then redirects the user's web browser to that IdP with an authentication request. The destination for the redirect is defined by the IdP metadata file that is uploaded when configuring the user's organization to use SSO. 

After the IdP receives the authentication request, it validates the request to ensure it is coming from a known Service Provider (SP) and then redirects the user's browser back to SnapLogic. The IdP is informed of the SnapLogic service by uploading the SnapLogic metadata file that is generated when configuring the user's organization to use SSO. Finally, the authentication response is validated by the SnapLogic server using the IdP metadata and the user is allowed to begin working in the SnapLogic Designer.

Configuration

As mentioned in the SAML Overview section, configuring your organization to use SSO requires the exchange of metadata between the SP and the Identity Provider (IdP). You must have Org admin access to configure SSO. To perform this exchange:

  1. Export the metadata from the IdP's instance.
  2. Save this metadata into a file on your machine; you need this file later.
  3. In SnapLogic Manager, click Settings in the main menu on the left. The Organization Settings page appears. 
  4. Click Configure SSO. The Update pop-up appears. All IdPs supported by SnapLogic are displayed here.
  5. Click Choose File to upload the metadata file that you saved earlier.
  6. Enter the required URLs and click Update to upload the metadata.
    When the upload finishes, the SnapLogic server validates the metadata and updates the Settings page to reflect the new values.

    Double-check the values to ensure that they refer to your IdP.


  7. The Settings page offers a download link adjacent to the SnapLogic Service Provider Metadata row. Click this link to download the metadata to your machine. 
  8. Go to the IdP's console and perform the applicable steps to upload this metadata.  At this point, everything should be configured and ready for use.

Manage SSO Options

You can customize the SSO login with additional authentication at the Org level using the Manage SSO Options feature. This feature enables you to configure AuthnRequest, RequestedAuthN Context Comparison, and AuthNContextClassRef authentication methods after uploading the IdP metadata file.

Prerequisite: You must be an Org admin to access the Manage SSO Options feature.

To add additional authentication methods to the SSO login for SnapLogic users:

  1. Go to SnapLogic Manager, and click Manage SSO Options.

  2. Choose additional authentication options for the SnapLogic users in your Org as appropriate:
  3. Click Update.

    We recommend that you have at least one admin user with a password login to unlock locked accounts. For example, accounts that were created before SSO login was applied to an Org might get locked. In such cases, you can use the admin account with a password to log in and unlock the accounts.
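What a requested authentication context looks like in a SAML 2.0 AuthnRequest, and how the returned assertion can be checked against it. This is an added example using the standard SAML elements, not SnapLogic's implementation; the issuer URL, request ID, and function names are constructed.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

def build_authn_request(issuer, class_refs, comparison="exact"):
    """Build an unsigned AuthnRequest that carries a RequestedAuthnContext."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest",
                     {"ID": "_constructed-id", "Version": "2.0",
                      "IssueInstant": "2024-01-01T00:00:00Z"})
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    rac = ET.SubElement(req, f"{{{SAMLP}}}RequestedAuthnContext",
                        {"Comparison": comparison})
    for ref in class_refs:
        ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef").text = ref
    return req

def sample_assertion(class_ref):
    """Constructed assertion fragment holding only the AuthnContext."""
    return (f'<saml:Assertion xmlns:saml="{SAML}"><saml:AuthnStatement>'
            f'<saml:AuthnContext><saml:AuthnContextClassRef>{class_ref}'
            '</saml:AuthnContextClassRef></saml:AuthnContext>'
            '</saml:AuthnStatement></saml:Assertion>')

def context_satisfied(request, assertion_xml):
    """Check the asserted class against the request (run after signature validation)."""
    rac = request.find(f"{{{SAMLP}}}RequestedAuthnContext")
    if rac is None:
        return True  # nothing was requested, so nothing to enforce
    if rac.get("Comparison", "exact") != "exact":
        # minimum/maximum/better need a class ordering that the deployment defines
        raise ValueError("only Comparison=exact is handled in this example")
    requested = {e.text for e in rac.findall(f"{{{SAML}}}AuthnContextClassRef")}
    asserted = ET.fromstring(assertion_xml).findtext(f".//{{{SAML}}}AuthnContextClassRef")
    return asserted in requested

if __name__ == "__main__":
    request = build_authn_request("https://sp.example.com", [PPT])
    print(ET.tostring(request, encoding="unicode"))
    print(context_satisfied(request, sample_assertion(PASSWORD)))
```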


Adding Users

After configuring your SnapLogic organization to authenticate via SSO, the organization administrator still needs to add users to the organization to authorize them to use the SnapLogic service. Adding users can be done through the 'Users' page in the Manager.

When creating users, select Disable password-based login to create the user in the system but not give them access through SnapLogic's login. 

Logging In

To log in using SSO, navigate to the SnapLogic login page and click Login via Single Sign On. Enter the Org name and then click Log In. The login sequence should first redirect your web browser to the IdP login page and then to the SnapLogic Designer. If the SnapLogic server detects any errors during login, they are displayed below the login form on the SnapLogic home page.

Org names are case-sensitive. Make sure that the Org name you enter in the User Name field of the login page matches your organization's name exactly. For example, if the organization name is SnapLogic, then do NOT use Snaplogic as your Organization.

Users In Multiple Orgs

When SSO is enabled, users have access to all Orgs where they have an account. For example, if "Alice" is a member of "Company 1" and "Company 2" and she logs in via the IdP for "Company 1", she is still able to access "Company 2".  The authentication process only validates that the person logging into the service is who she says she is; it does not control what she has access to. 

Manage Password Logins

To use SSO, password login must be disabled. After you configure SSO, in Classic Manager:

  1. Click Settings from the left navigation bar.
  2. Scroll down and click the Manage Password Logins button under Single Sign-On via SAML v2.0.

    The User Authentication Methods page opens.
  3. Select the appropriate user IDs and click Disable.

The Manage Password Logins button does not show in Classic Manager settings until you configure SSO.


Multi-Factor Authentication

To add multi-factor authentication (MFA) when using SSO:


