Overview: Single Sign-On (SSO)
What is Single Sign-On?
Note: Single Sign-On is available for users on the Business plan.
How to set up Single Sign-On
Databox supports the SAML 2.0 Single Sign-on login standard. Multiple Identity Providers support SAML SSO (e.g. Okta, OneLogin, Auth0, Azure AD).
SAML SSO works by transferring the user’s identity from one place (your identity provider) to another (the service provider, Databox). This is done through an exchange of digitally signed XML documents.
Admins can set up SSO by navigating to Account Details > Single Sign-on. Click the Single Sign-on (SSO) toggle to start the setup process.
To set up SSO you need to provide:
- Single Sign-on URL: this is an endpoint URL that you received from your Identity Provider (e.g. https://idp.example.com/sso/saml)
- Entity ID (also called Audience URL): this is usually in the form of a URL that contains the Identity Provider’s name within it (e.g. https://idp.example.com/unique-id)
- X.509 Certificate: this carries the Identity Provider’s public key, which is used to verify the signature on authentication assertions. There should be a place to download or copy the certificate hash from the Identity Provider. Just paste the certificate hash in the text area field.
Lastly, you can require all users to use the SSO option with the Force SSO toggle. If you'd still like to leave the option for them to sign in with their Databox credentials (or Google Sign-in method), you can leave it turned off. The Account Owner always has the option to use the non-SSO credentials to log in to Databox.
Pro Tip: Service Provider provisioning is not supported. Users need to be created in Databox first, and then they can be authenticated via the Identity Provider to log in to Databox. We match the email in Databox with the email the Identity Provider returns after authentication.
How to enable SSO with Okta as the Identity Provider
Databox supports the SAML 2.0 Single Sign-on login standard, and there are multiple Identity Providers supporting SAML SSO. Okta is just one of them.
To make the setup in Okta easier, we have a verified Databox application ready in the Okta Integration Network. You can use it to set up Databox in Okta, assign it to your users, and then complete the necessary steps in Databox (mentioned above).
Pro Tip: Both Service Provider and Identity Provider initiated login flows are supported. This means you can use the regular login page in Databox or log in via Okta’s directory with just one click.
How to remove Single Sign-On
To remove Single Sign-On, navigate to Account > Access and Security. Click the Single Sign-On (SSO) toggle to disable Single Sign-On.