Single Sign On is a convenient way for users to log into multiple services without needing to enter their username and password for each service. SnapLogic supports Single Sign On (SSO) through the Security Assertion Markup Language (SAML) standard. If you are using a SAML-2 compatible Identity Provider (IdP) to perform SAML authentication, you can configure your SnapLogic organization to authenticate users against your IdP. If you disable password-based login, users will have to use SSO. If you leave password-based login enabled, users can choose basic authentication or SSO to log in.
SnapLogic certifies the following IdPs as compatible with our platform:
If your organization has multiple SnapLogic environments (Orgs), they must all be configured to use the same IdP Application Integration. Members of an SSO-enabled Org might need to log into a different Org, such as one provided by SnapLogic for training or product trials. In this case, the account in the Org without SSO should be created using a different email address.
The SAML standard defines how Service Providers, in this case, the SnapLogic Platform, communicate with Identity Providers (IdP) to securely authenticate users. You must first create an application integration in your IdP that will handle authorization for all of your SnapLogic Orgs. After you create the application integration in your IdP, export the metadata and import it into all of your SnapLogic Orgs using Classic Manager or Admin Manager.
The communication between the SnapLogic Platform and the IdP starts after the user clicks the Single Sign On link from the SnapLogic login screen. The user enters an Org name and clicks Log in. The request destination is defined in the SSO configuration. The SnapLogic Platform sends a SAML request to the IdP application integration that you created for SnapLogic. The request contains an AssertionConsumerServiceURL element that specifies where the response should be sent. The IdP ensures that the AssertionConsumerServiceURL is associated with the requester. To make this possible, you must add the Reply URLs for all of your SnapLogic Orgs to the IdP application integration.
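The Reply URL check described above, sketched from the IdP's side as an added example (not SnapLogic or IdP vendor code). The entity ID, Reply URLs, and function names are hypothetical, and the AuthnRequest is constructed for the demo.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed registry: Reply URLs registered per requester entity ID
# (hypothetical values, one Reply URL per Org).
REGISTERED_REPLY_URLS = {
    "https://sp.example.com/metadata": {
        "https://sp.example.com/sso/acs/OrgOne",
        "https://sp.example.com/sso/acs/OrgTwo",
    },
}

def make_request(issuer, acs_url):
    """Build a constructed, minimal AuthnRequest for the demo."""
    return (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" '
            f'xmlns:saml="{NS["saml"]}" ID="_demo1" Version="2.0" '
            f'IssueInstant="2024-01-01T00:00:00Z" '
            f'AssertionConsumerServiceURL="{acs_url}">'
            f'<saml:Issuer>{issuer}</saml:Issuer></samlp:AuthnRequest>')

def check_authn_request(xml_text, registry=REGISTERED_REPLY_URLS):
    """Return (ok, reason): is the requested reply URL registered for the issuer?"""
    # Refuse DTDs before parsing; a production IdP should use a hardened XML parser.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        return False, "DTD not allowed"
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return False, "malformed XML"
    if root.tag != f'{{{NS["samlp"]}}}AuthnRequest':
        return False, "not an AuthnRequest"
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    acs = root.get("AssertionConsumerServiceURL")
    allowed = registry.get(issuer)
    if allowed is None:
        return False, "unknown issuer"
    if acs is None:
        # Demo policy: require the attribute instead of falling back to a default.
        return False, "no AssertionConsumerServiceURL"
    # Exact, case-sensitive comparison: no prefix or substring matching.
    if acs not in allowed:
        return False, "reply URL not registered for issuer"
    return True, "ok"
```

Because the comparison is exact, a request whose reply URL differs only in the case of the Org segment is rejected, which is why every Org's Reply URL has to be registered individually.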
Configuration takes place in both your IdP and in the SnapLogic Platform. You must have Org admin access to configure SSO.
The main steps include:
If your company has multiple SnapLogic Orgs, use the metadata from one Org to set up one IdP Application Integration.
Use the metadata from the IdP Application Integration for SnapLogic to configure SSO on all of your Orgs.
Click Update to upload the metadata.
When the upload finishes, the SnapLogic server validates the metadata and updates the Settings page to reflect the new values.
Double-check the values to ensure that they refer to your IdP.
You can customize the SSO login with additional authentication at the Org level using the Manage SSO Options feature. This feature enables you to configure AuthnRequest, RequestedAuthN Context Comparison, and AuthNContextClassRef authentication methods after uploading the IdP metadata file.
Prerequisite: You must be an Org admin to access the Manage SSO Options feature.
To add additional authentication methods to the SSO login for SnapLogic users:
Click Update.
We recommend that you have at least one admin user with a password login to unlock locked accounts. For example, accounts that are created before applying the SSO login to an Org might get locked. In such cases, you can use the admin account with a password to log in and unlock the accounts.
After configuring your SnapLogic organization to authenticate via SSO, the organization administrator still needs to add users to the organization to authorize them to use the SnapLogic service. Adding users can be done through the 'Users' page in the Manager.
When creating users, select Disable password-based login if you want to force them to use SSO to log in.
To log in using SSO, navigate to the SnapLogic login page and click Login via Single Sign On. Enter the Org name and then click Log In. The login sequence should first redirect your web browser to the IdP login page and then to the SnapLogic Designer. If the SnapLogic server detects any errors during login, they are displayed below the login form on the SnapLogic home page.
We support case-sensitive Org names. As a user, make sure that your Org name matches that of your organization in the User Name field of the login page. For example, if the organization name is SnapLogic, then do NOT use Snaplogic as your Organization.
When SSO is enabled, users have access to all Orgs where they have an account. For example, if a user is a member of Org_1 and Org_2 and they log into Org_1 with SSO, they can switch to Org_2 without logging in again. This assumes that both Orgs have the same IdP configured. If that is not the case, they receive a message stating "SSO login cannot be used for users that are members of orgs that have different identity providers". The authentication process only validates that the person logging into the service is who they say they are; it does not control what they have access to.
You can give users a choice of using SSO or a password. If you want all users to log in with SSO, password login must be disabled.
To disable password login after you configure SSO, in Classic Manager:
The Manager Password Logins button does not show in Classic Manager settings until you configure SSO.
To add multi-factor authentication (MFA) when using SSO: