Hi @Nick,
The setup is reasonably easy. One thing to keep in mind is that if you are using your work email address to access the dashboard and also intend to use it in SAML, you will have to do one or the other. One way to do it is using a service account not attached to SAML and have all admins in the SAML group.
A couple pointers from the documentation:
- Limited Single Logout (SLO) is available. Dashboard will use the SLO URL to redirect users after they log out of Dashboard, and then can be used to link into SLO with the IdP if supported, but Dashboard does not support receiving SAML LogoutRequests from the IdP.
- Only SAML 2.0 is supported.
- Dashboard only supports IdP-Init. Users must first authenticate with the IdP and then be passed to Dashboard with a valid token.
- While IdP platforms may have a variety of other fields, in most cases they can be left blank or at default settings. Only the above information is critical for Dashboard compatibility.
SAML SSO for MSPs
SAML does support the use of multiple organizations. Similarly to traditional logins, it needs to determine that the user is identical across the affected organizations. Thus, for this to occur, the following must be identical across the designated organizations:
- X.509 cert fingerprint for the organization
- SAML administrator role (as only one role attribute can be used in the token)
- The permissions granted can be different in each Organization, but the role name must be identical
When this occurs, the user will be directed to the MSP portal and receive the desired permissions in each organization. The Consumer URL for any of the MSP organizations can be used, as they will all direct the user to the MSP portal.
Found this helpful? Give me some Kudos! (click on the little up-arrow below)
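As an added example (not part of the reply above and not Meraki's own tooling), here is a stdlib-only Python check for the two cross-org conditions the post lists: every organization must hold the same X.509 certificate fingerprint for the IdP's signing certificate, and the single role value in the assertion must exist as a SAML administrator role name in every organization, even though the permissions behind that name may differ. Assumptions: the role attribute name `ROLE_ATTR` and the colon-separated SHA-1 fingerprint layout are assumed, and the certificate bytes are a constructed placeholder, not a real DER certificate, so the example runs offline. It reads the certificate from the Response only to hash it; it does not validate the XML signature, which is Dashboard's job.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Assumed attribute name carrying the Dashboard admin role; adjust to whatever
# your organization's SAML settings actually map.
ROLE_ATTR = "https://schemas.microsoft.com/ws/2008/06/identity/claims/role"

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed placeholder: NOT a real DER certificate, just bytes to hash so the
# example runs offline. With a real IdP, use the base64 body of the
# <ds:X509Certificate> from its metadata or a captured Response.
FAKE_CERT_DER = b"constructed-placeholder-certificate-bytes-not-real-DER"


def build_sample_response(cert_der, role_value):
    """Constructed, unsigned skeleton of an IdP-initiated SAML Response holding
    only the signing certificate and the role attribute this check inspects."""
    cert_b64 = base64.b64encode(cert_der).decode()
    return (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        f'xmlns:ds="{NS["ds"]}">'
        "<saml:Assertion><ds:Signature><ds:KeyInfo><ds:X509Data>"
        f"<ds:X509Certificate>{cert_b64}</ds:X509Certificate>"
        "</ds:X509Data></ds:KeyInfo></ds:Signature>"
        "<saml:AttributeStatement>"
        f'<saml:Attribute Name="{ROLE_ATTR}">'
        f"<saml:AttributeValue>{role_value}</saml:AttributeValue>"
        "</saml:Attribute></saml:AttributeStatement>"
        "</saml:Assertion></samlp:Response>"
    )


def sha1_fingerprint(cert_der):
    """Colon-separated upper-case SHA-1 of the DER bytes (assumed to be the
    layout shown in Dashboard's SAML settings)."""
    digest = hashlib.sha1(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_fingerprint(fp):
    """Drop separators and case so 'ab:cd', 'AB CD' and 'abcd' compare equal."""
    return "".join(ch for ch in fp.upper() if ch in "0123456789ABCDEF")


def extract_cert_and_roles(response_xml):
    """Return (signing cert DER bytes, list of role values). No signature
    verification happens here; the cert is only needed for fingerprinting."""
    root = ET.fromstring(response_xml)
    cert_el = root.find(".//ds:X509Certificate", NS)
    if cert_el is None or not cert_el.text:
        raise ValueError("Response carries no ds:X509Certificate")
    cert_der = base64.b64decode("".join(cert_el.text.split()))
    roles = [
        val.text
        for attr in root.iterfind(".//saml:Attribute", NS)
        if attr.get("Name") == ROLE_ATTR
        for val in attr.findall("saml:AttributeValue", NS)
    ]
    return cert_der, roles


def audit_msp_orgs(response_xml, org_configs):
    """List what would stop one SAML login from landing in every organization.
    org_configs: {org: {"fingerprint": str, "roles": {role_name: permissions}}},
    mirroring each org's SAML settings. Empty list means all conditions hold."""
    cert_der, roles = extract_cert_and_roles(response_xml)
    actual_fp = normalize_fingerprint(sha1_fingerprint(cert_der))
    problems = []
    if len(roles) != 1:  # only one role attribute value is usable
        problems.append(f"expected exactly one role value, got {roles}")
        return problems
    role = roles[0]
    for org, cfg in org_configs.items():
        if normalize_fingerprint(cfg["fingerprint"]) != actual_fp:
            problems.append(f"{org}: configured fingerprint differs from IdP signing cert")
        if role not in cfg["roles"]:
            problems.append(f"{org}: no SAML administrator role named {role!r}")
    return problems


# Constructed demo: A and B are consistent (same role name, different permissions),
# C still holds a previous certificate's fingerprint, D renamed the role.
GOOD_FP = sha1_fingerprint(FAKE_CERT_DER)
STALE_FP = sha1_fingerprint(FAKE_CERT_DER + b"-previous-idp-cert")
ORG_CONFIGS = {
    "Customer-A": {"fingerprint": GOOD_FP, "roles": {"msp-admin": "full"}},
    "Customer-B": {"fingerprint": GOOD_FP.lower(), "roles": {"msp-admin": "read-only"}},
    "Customer-C": {"fingerprint": STALE_FP, "roles": {"msp-admin": "full"}},
    "Customer-D": {"fingerprint": GOOD_FP, "roles": {"MSP Admin": "full"}},
}
SAMPLE_RESPONSE = build_sample_response(FAKE_CERT_DER, "msp-admin")


def run_demo():
    return audit_msp_orgs(SAMPLE_RESPONSE, ORG_CONFIGS)


if __name__ == "__main__":
    for line in run_demo() or ["all organizations consistent"]:
        print(line)
```

Run it before adding a customer organization to the MSP portal: replace `FAKE_CERT_DER` with the decoded certificate from the IdP's metadata and fill `ORG_CONFIGS` from each organization's SAML settings; any line it prints is an org that will not be reached by that login.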