Configuring single sign-on (SSO) for Ideagen Hub
Who is this article for?
IT Administrators configuring their own Identity Provider (IdP) for single sign-on.
Hub Administrator permissions and Identity Provider portal access are required.
Single Sign-On (SSO) allows your users to access Ideagen Hub using the same account credentials they use within your organisation — streamlining access, improving security, and reducing password fatigue.
This article will outline the benefits and steps you need to take to set up SSO.
1. Benefits of SSO
- Seamless login experience for users
- Centralised identity management
- Enhanced security and compliance
- Reduced support requests for password resets
2. Enabling SSO
Ideagen Hub supports SSO integration using either the OIDC or SAML 2.0 protocol. By default, SSO is disabled on all Ideagen Hub systems.
2.1 Considering constraints
SAML
Below are key constraints we've identified so far when integrating SAML-based identity providers with Ideagen Hub. Your configuration may differ and the integration process may highlight additional considerations unique to your environment.
| SAML feature | Available in Hub | IdP | Supported by IdP | Notes |
|---|---|---|---|---|
| Single Sign-Out | Yes | Microsoft Entra | No | Hub requires the LogoutResponse via HTTP POST; Entra only supports HTTP GET. |
| Single Sign-Out | Yes | Okta | Yes | |
| Single Sign-Out | Yes | Google Workspace | No | Does not support Single Sign-Out. |
| IdP-Initiated | No | Microsoft Entra | Yes | Under investigation for the future roadmap. |
| IdP-Initiated | No | Google Workspace | Yes | |
| SP-Initiated | Yes | Microsoft Entra | Yes | |
| SP-Initiated | Yes | Okta | Yes | |
| SP-Initiated | Yes | Google Workspace | Yes | Attributes must be mapped using the exact app attribute name specified in Google Workspace. |
| Require encrypted SAML assertion | Yes | Keycloak | Yes | |
| Require encrypted SAML assertion | Yes | Google Workspace | No | Does not support SAML encryption. |
| Attribute Mapping | Yes | Keycloak | Yes | |
| Attribute Mapping | Yes | Microsoft Entra | Yes | The attribute may need to be entered in full URI form, depending on your IdP configuration. For example, to map the email address you may need to enter http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress, or just emailaddress, or whatever claim name your organisation has defined for the user.email value. |
| Attribute Mapping | Yes | Okta | Yes | |
| Attribute Mapping | Yes | Google Workspace | Yes | |
| Sign SAML Request | | Google Workspace | No | Does not support signed SAML requests. |
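Several of the constraints above can be read straight out of the IdP's own SAML metadata before you configure anything in Hub: whether a SingleLogoutService is offered over HTTP-POST (needed for Hub's single sign-out), whether the IdP publishes an encryption key (needed before you enable "Require encrypted SAML assertion"), and whether it declares WantAuthnRequestsSigned. The following checker is an added example written for this article, not Ideagen's or any IdP vendor's code; the metadata document, the `idp.example.test` hostnames and the function names are constructed for illustration, and it uses the stdlib XML parser only so that it runs offline.

```python
"""Check an IdP's SAML metadata against the constraints table above (added example)."""
from __future__ import annotations

import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample metadata (not from any real tenant): SSO over both bindings,
# single logout over HTTP-Redirect only, a signing key but no encryption key,
# and no requirement for signed AuthnRequests.
SAMPLE_IDP_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.test/saml2">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC...constructed-placeholder...</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml2/logout"/>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml2/sso"/>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/saml2/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def check_idp_metadata(metadata_xml: str) -> dict:
    """Summarise the IdP capabilities that matter for the constraints table.

    Metadata fetched from a URL is attacker-influenced XML: parse it with
    defusedxml in production. The stdlib parser is used here so the example
    runs without extra packages.
    """
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor; is this SP metadata?")

    def bindings(service_tag: str) -> set[str]:
        return {el.get("Binding", "") for el in idp.findall(f"md:{service_tag}", NS)}

    sso_bindings = bindings("SingleSignOnService")
    slo_bindings = bindings("SingleLogoutService")

    # A KeyDescriptor with no 'use' attribute is valid for both signing and encryption.
    key_uses: set[str] = set()
    for kd in idp.findall("md:KeyDescriptor", NS):
        use = kd.get("use")
        key_uses.update({"signing", "encryption"} if use is None else {use})

    result = {
        "entity_id": root.get("entityID"),
        "sp_initiated_ok": bool(sso_bindings & {HTTP_POST, HTTP_REDIRECT}),
        # Hub's single sign-out needs the LogoutResponse over HTTP POST.
        "single_logout_ok": HTTP_POST in slo_bindings,
        "slo_bindings": sorted(b.rsplit(":", 1)[-1] for b in slo_bindings),
        "encrypted_assertion_ok": "encryption" in key_uses,
        "requires_signed_requests": idp.get("WantAuthnRequestsSigned", "false").lower() == "true",
        "warnings": [],
    }
    if not result["single_logout_ok"]:
        result["warnings"].append(
            "Single sign-out: IdP advertises no HTTP-POST SingleLogoutService; "
            "leave single sign-out disabled in Hub or expect logout to fail.")
    if not result["encrypted_assertion_ok"]:
        result["warnings"].append(
            "Encrypted assertions: IdP publishes no encryption key; do not enable "
            "'Require encrypted SAML assertion'.")
    if not result["requires_signed_requests"]:
        result["warnings"].append(
            "Signed requests: IdP does not declare WantAuthnRequestsSigned=true; "
            "confirm it accepts signed AuthnRequests before enabling 'Sign SAML Request'.")
    return result


if __name__ == "__main__":
    for key, value in check_idp_metadata(SAMPLE_IDP_METADATA).items():
        print(f"{key}: {value}")
```

Run it against the metadata URL or XML file you intend to give Hub, and reconcile the warnings with the table before choosing the Hub options; the metadata tells you what the IdP advertises, not what Hub does with it, so the table remains the authority on the Hub side.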
SAML and OIDC
For customers provisioned on or after Release 5.2, both the email and preferred_username attributes must be mapped:
- email is still used for SSO to Ideagen Luminate.
- preferred_username is the unique identifier you choose to represent the user in your organisation; it does not have to be an email address.
3. Configuring SSO
Once you have the provider metadata, you can configure the provider in Ideagen Hub.
To configure a provider:
- Access the Admin Console.
- Switch to the Security Centre tab.
- Click Configure next to the External IDP Configuration option.
- Click Add identity provider.
- Select the option that aligns with your organization's setup.
- Fill out mandatory fields (marked with a red asterisk).
If an identity provider has already been set for a Tenant, the Tenant Admin can either delete the settings if it is no longer required or update the necessary information as needed.
4. SAML configuration
To configure SAML:
- Obtain the following from the Ideagen Hub SAML Configuration screen:
- Identifier (Entity ID)
- Reply URL (Assertion Consumer Service URL)
- Signing certificate (available after applying configuration)
- Provide your identity provider's configuration via:
- Metadata URL (recommended)
- Upload metadata file (XML format)
- Depending on when Ideagen Hub was provisioned for your organisation, you may be required to map an email attribute, a preferred username attribute, or both:
  - If you see the email User pool attribute on the screen, map it to the name of your IdP's email address attribute.
  - If you see the preferred_username User pool attribute on the screen, map it to any attribute that represents a unique username in your organisation. This does not have to be an email address.
4.1 How to map SAML attributes for Microsoft Entra
In Microsoft Entra ID, the claim name can be either a full URL or a specific name assigned to the claim. Which form you see depends on your organisation's settings and may vary from one organisation to another.
Claim name as full URL
In the example above, the SAML attribute value that you map to the User pool attribute email must be the claim name exactly as shown, i.e. the full URL.
Claim name that is a given name rather than a full URL
In the example above, the SAML attribute value that you map to the User pool attribute email must be the given name of the claim, exactly as shown.
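The mapping is an exact string match between what you type on the Hub screen and the Name of the Attribute the IdP actually emits, which is why "emailaddress" fails against an IdP that sends the full claim URI, and why Google Workspace needs the exact app attribute name. The following resolver is an added example written for this article, not Ideagen's code and not a description of how Hub parses assertions internally; the assertion, the `employeeId` claim, the `example.test` addresses and the function names are constructed for illustration. It resolves both user pool attributes, applies the Release 5.2 rule that both email and preferred_username must be mapped, and, when a short name misses, points at the full URI the IdP did send.

```python
"""Resolve Hub user pool attributes from a SAML assertion by exact claim name (added example)."""
from __future__ import annotations

import xml.etree.ElementTree as ET
from typing import Optional

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not captured from a real tenant): email is emitted
# under the full claim URI, and a non-email employee ID under a short claim name.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c0ffee" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.test/saml2</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>alice@example.test</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="employeeId">
      <saml:AttributeValue>E12345</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

# Mappings as they would be entered on the Hub SAML configuration screen
# (User pool attribute -> IdP claim name). The first matches the sample IdP,
# the second uses the short name and will not match the full-URI claim.
FULL_URI_MAPPING = {
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "preferred_username": "employeeId",
}
SHORT_NAME_MAPPING = {"email": "emailaddress", "preferred_username": "employeeId"}


def emitted_attributes(assertion_xml: str) -> dict[str, list[str]]:
    """Return {claim name: [values]} from every AttributeStatement in the assertion.

    Signature validation is assumed to have happened already; a real consumer
    must verify the assertion before trusting any attribute in it.
    """
    root = ET.fromstring(assertion_xml)  # use defusedxml for untrusted input
    attrs: dict[str, list[str]] = {}
    for attr in root.iter("{urn:oasis:names:tc:SAML:2.0:assertion}Attribute"):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", SAML_NS)]
        attrs[attr.get("Name", "")] = values
    return attrs


def suggest_claim_name(configured: str, emitted: dict[str, list[str]]) -> Optional[str]:
    """If the configured short name is the last segment of an emitted claim URI, return that URI."""
    for name in emitted:
        if "/" in name and name.rsplit("/", 1)[-1].lower() == configured.lower():
            return name
    return None


def resolve_user_pool_attributes(
    assertion_xml: str, mapping: dict[str, str], post_release_5_2: bool = True
) -> tuple[dict[str, str], list[str]]:
    """Resolve each mapped User pool attribute; return (resolved values, problems).

    For tenants provisioned on or after Release 5.2 both email and
    preferred_username must be mapped; earlier tenants need only email.
    """
    required = {"email", "preferred_username"} if post_release_5_2 else {"email"}
    problems = [f"{attr}: no mapping configured" for attr in sorted(required - set(mapping))]
    emitted = emitted_attributes(assertion_xml)
    resolved: dict[str, str] = {}
    for pool_attr, claim_name in mapping.items():
        values = emitted.get(claim_name, [])
        if not values or not values[0]:
            hint = suggest_claim_name(claim_name, emitted)
            problems.append(
                f"{pool_attr}: IdP sent no attribute named '{claim_name}'"
                + (f"; it sent '{hint}', use that exact name" if hint else ""))
            continue
        resolved[pool_attr] = values[0]  # first value wins; multi-valued claims are unusual here
    return resolved, problems


if __name__ == "__main__":
    for label, mapping in (("full URI", FULL_URI_MAPPING), ("short name", SHORT_NAME_MAPPING)):
        resolved, problems = resolve_user_pool_attributes(SAMPLE_ASSERTION, mapping)
        print(f"{label}: resolved={resolved} problems={problems}")
```

Paste a decoded SAML response from your browser's developer tools (or your IdP's test feature) into SAMPLE_ASSERTION to see which form of the claim name your tenant actually emits before you type it into Hub.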
5. OIDC configuration
To configure OIDC:
- Obtain the following from the Ideagen Hub OIDC Configuration screen:
- Redirect URI
- Signing certificate
- Depending on when Ideagen Hub was provisioned for your organisation, you may be required to map an email claim, a preferred username claim, or both:
  - If you see the email User pool attribute on the screen, map it to the name of your IdP's email address claim.
  - If you see the preferred_username User pool attribute on the screen, map it to any claim that represents a unique username in your organisation. This does not have to be an email address.
6. Logging in with SSO
Once everything is configured, users will see a new sign in option on the Ideagen Hub sign in page.
Before any users can use the new sign in option, you will need to convert the user’s authentication type from Internal to External.