SSO Authentication

SeaLights supports Single Sign-On (SSO) authentication via SAML 2.0, allowing users to access the platform using their organization's identity provider (IdP) credentials. This provides a seamless and secure login experience.

SSO Setup Prerequisites

A SAML 2.0 compliant Identity Provider (IdP).
Involvement of your IT department and individuals with relevant permissions from both your IdP and SeaLights.

How to Set Up SSO

Contact SeaLights Support: Open a request to SeaLights Support to obtain the necessary Service Provider (SP) details:
- Assertion Consumer Service (ACS) URL
- Audience URI
- SeaLights certificate
Configure Your IdP: Set up a SAML 2.0 application on your Identity Provider using the information provided by SeaLights.
- Configure the SAML response to send the following attributes for each user (step 4 in the diagram below):
  - E-mail address, First Name, Last Name: These standard attributes are used to populate the basic user profile in SeaLights.
  - Role Attribute: This attribute is used to map a user to one of the predefined SeaLights roles: user, user-admin, or user-devops.
    The value for this attribute can be any value from your IdP that can be clearly mapped to a SeaLights role. This mapping is configured on the SeaLights side. Your IdP can send a single value or multiple values for this attribute, as long as a clear mapping exists.
  - Groups Attribute: a list of groups the user belongs to for assigning app access in SeaLights.
Provide IdP Metadata to SeaLights: Once your IdP is configured, provide SeaLights with either:
- The IdP metadata.xml file (preferred), OR
- The Issuer URI, the SSO URL, and the certificate.
Testing and Activation: SeaLights will test the configuration with a dedicated test user and update the configuration/mapping based on the test results. Once verified, all your users can be configured to authenticate via SSO.

SSO Just-In-Time (JIT) Provisioning

Experience seamless user management with SeaLights' Just-In-Time (JIT) Provisioning, which dynamically creates and updates user accounts upon successful SSO authentication.

Upon a user's initial login via SSO, an active user account is automatically provisioned in SeaLights, capturing their:

First Name
Last Name
Email
(Optional) Groups
Last Login Time

For all subsequent logins, SeaLights ensures user information stays current by automatically updating their First Name, Last Name, (Optional) Groups, and Last Login Time.

While an Admin can delete an SSO user from SeaLights settings, the user will be re-provisioned upon their next login unless blocked in your Identity Provider.

Benefits of JIT Provisioning:

Automated User Onboarding: New users gain immediate access upon their first SSO login.
Reduced Administrative Overhead: Eliminates the need for manual user creation and updates in SeaLights.
Ensured Data Consistency: User information in SeaLights stays synchronized with your IdP.

Configuration: JIT provisioning is configured as part of your overall SSO setup. During the SSO configuration process (Step 2: Configure Your IdP), ensure that the necessary user attributes, including Role and Groups, are correctly mapped and sent in the SAML response. This allows SeaLights to provision users with the correct roles and group assignments automatically.

PreviousRoles & Permissions NextContact Support

Last updated 2 days ago

Was this helpful?