# SSO Authentication

SeaLights supports Single Sign-On (SSO) authentication via SAML 2.0, allowing users to access the platform using their organization's identity provider (IdP) credentials. This provides a seamless and secure login experience.

### SSO Setup Prerequisites

* A SAML 2.0 compliant Identity Provider (IdP).
* Involvement of your IT department and individuals with relevant permissions from both your IdP and SeaLights.

### How to Set Up SSO

1. **Contact SeaLights Support:** Open a request to SeaLights Support to obtain the necessary Service Provider (SP) details:
   * Assertion Consumer Service (ACS) URL
   * Audience URI
   * SeaLights certificate
2. **Configure Your IdP:** Set up a SAML 2.0 application on your Identity Provider using the information provided by SeaLights.
   * Configure the SAML response to send the following attributes for each user (step 4 in the diagram below):
     * **E-mail address, First Name, Last Name:** These standard attributes are used to populate the basic user profile in SeaLights.
     * **Role Attribute:** This attribute is used to map a user to one of the predefined SeaLights roles: `user`, `user-admin`, or `user-devops`.
       * The value for this attribute can be any value from your IdP that can be clearly mapped to a SeaLights role. This mapping is configured on the SeaLights side. Your IdP can send a single value or multiple values for this attribute, as long as a clear mapping exists.
     * **Groups Attribute (Optional):** A list of groups the user belongs to for assigning app access in SeaLights.
     * **Permissions Attribute (Optional):** A list of permissions the user holds, used for assigning app access in SeaLights.
       * The value for this attribute can be any value from your IdP that can be clearly mapped to a SeaLights permission. This mapping is configured on the SeaLights side. Your IdP can send a single value or multiple values for this attribute, as long as a clear mapping exists.
3. **Provide IdP Metadata to SeaLights:** Once your IdP is configured, provide SeaLights with either:
   * The IdP metadata.xml file (preferred), OR
   * The Issuer URI, the SSO URL, and the certificate.
4. **Testing and Activation:** You can test the configuration with a dedicated test user provided by SeaLights. SeaLights will update the configuration/mapping based on the test results. Once verified, all your users can be configured to authenticate via SSO.

<figure><img src="https://1255034336-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FxSagdStwf6CJ9cI6lA68%2Fuploads%2F4SxsuDJlL7mapxtD2evr%2Fimage.png?alt=media&#x26;token=d7fc334f-0847-4c14-bdeb-eec7a4b1fc23" alt="" width="563"><figcaption></figcaption></figure>

***

### SSO Just-In-Time (JIT) Provisioning

SeaLights' Just-In-Time (JIT) Provisioning dynamically creates and updates user accounts upon successful SSO authentication, so no user has to be created manually ahead of time.

Upon a user's **initial login** via SSO, an active user account is automatically provisioned in SeaLights, capturing their:

* First Name
* Last Name
* Email
* Role
* (Optional) Groups
* Last Login Time

For **all subsequent logins**, SeaLights ensures user information stays current by automatically updating their First Name, Last Name, (Optional) Groups, and Last Login Time.

{% hint style="info" %}
While an Admin can delete an SSO user from SeaLights settings, the user will be re-provisioned upon their next login unless blocked in your Identity Provider.
{% endhint %}

**Benefits of JIT Provisioning:**

* **Automated User Onboarding:** New users gain immediate access upon their first SSO login.
* **Reduced Administrative Overhead:** Eliminates the need for manual user creation and updates in SeaLights.
* **Ensured Data Consistency:** User information in SeaLights stays synchronized with your IdP.

**Configuration:** JIT provisioning is configured as part of your overall SSO setup. During the SSO configuration process (Step 2: Configure Your IdP), ensure that the necessary user attributes, including `Role` and `Groups`, are correctly mapped and sent in the SAML response. This allows SeaLights to provision users with the correct roles and group assignments automatically.
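The following added example (not SeaLights' own code) shows, on the service-provider side, how the attributes configured in Step 2 feed the JIT behaviour described above: it reads the `AttributeStatement` of a constructed SAML 2.0 assertion, resolves the IdP's role value(s) to exactly one of `user`, `user-admin` or `user-devops` (refusing when no clear mapping exists), and creates the account on first login while refreshing only First Name, Last Name, Groups and Last Login Time afterwards. The attribute names (`email`, `firstName`, `lastName`, `role`, `groups`) and the IdP role values in `ROLE_MAP` are assumptions; signature and audience validation of the assertion is assumed to have already happened.

```python
import xml.etree.ElementTree as ET  # prefer defusedxml.ElementTree for untrusted input

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed IdP values -> SeaLights roles; the real mapping is configured on the SeaLights side.
ROLE_MAP = {"sl-users": "user", "sl-admins": "user-admin", "sl-devops": "user-devops"}

# Constructed AttributeStatement, as an IdP might send it after Step 2 (attribute names are assumed).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>dana@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Dana</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName"><saml:AttributeValue>Levi</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="role">
      <saml:AttributeValue>sl-devops</saml:AttributeValue>
      <saml:AttributeValue>engineering</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>payments</saml:AttributeValue>
      <saml:AttributeValue>mobile</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_attributes(assertion_xml):
    """Return {Name: [values]} for every Attribute in the AttributeStatement (multi-valued aware)."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        attrs[attr.get("Name")] = [v.text.strip() for v in attr.iterfind("saml:AttributeValue", SAML_NS) if v.text]
    return attrs


def map_role(values):
    """Resolve the IdP's role value(s) to exactly one SeaLights role; refuse when the mapping is not clear."""
    roles = {ROLE_MAP[v] for v in values if v in ROLE_MAP}  # values with no mapping are ignored
    if len(roles) != 1:  # nothing mapped, or several values mapped to different roles
        raise ValueError(f"no unambiguous SeaLights role for {values}")
    return roles.pop()


def jit_provision(users, attrs, now):
    """First login creates an active account with its role; later logins refresh the mutable fields only."""
    email = attrs["email"][0]
    user = users.get(email)
    if user is None:
        user = users[email] = {"email": email, "role": map_role(attrs["role"]), "active": True}
    # Fields the JIT section lists as updated on every login.
    user.update(first_name=attrs["firstName"][0], last_name=attrs["lastName"][0],
                groups=attrs.get("groups", []), last_login=now)
    return user
```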

<figure><img src="https://1255034336-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FxSagdStwf6CJ9cI6lA68%2Fuploads%2F5xxx9Jq7wESSrKNTEHH1%2FScreenshot%202025-06-02%20at%2013.15.57.png?alt=media&#x26;token=69143c4c-da6b-40ea-bf05-3a0b2ed2aefa" alt=""><figcaption></figcaption></figure>
