Overview: Single Sign-On (SSO)
What is Single Sign-On?
Databox supports the SAML 2.0 Single Sign-on login standard. There are multiple Identity Providers supporting SAML SSO (e.g. Okta, OneLogin, Auth0, Azure AD).
SAML SSO works by transferring the user’s identity from one place (the identity provider, Databox) to another (your service provider). This is done through an exchange of digitally signed XML documents.
Single Sign-On service is available for users on the Performer plan.
How to set up Single Sign-On
Admins in Performer Accounts can set up SSO by navigating to Account Details > Single Sign-on. Click the Single Sign-on (SSO) toggle to start the setup process.
To set up SSO you need to provide:
- Single Sign-on URL: this is an endpoint URL that you received from your Identity Provider (e.g. https://idp.example.com/sso/saml)
- Entity ID (also called Audience URL): this is usually in the form of a URL that contains the Identity Provider’s name within it (e.g. https://idp.example.com/unique-id)
- X.509 Certificate: this contains the Identity Provider’s public key, which is used to verify the signature on authentication assertions. There should be a place to download or copy the certificate hash from the Identity Provider. Just paste the certificate hash in the text area field.
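A pre-flight check for the three values listed above, as an added example (not Databox or Identity Provider code): it reads an Identity Provider's SAML 2.0 metadata XML and returns the Single Sign-on URL, the Entity ID and a SHA-256 fingerprint of the signing certificate, which you can compare with the fingerprint shown in the Identity Provider's admin console before pasting anything. The metadata is constructed, its certificate body is placeholder bytes rather than a real certificate, and the function name is hypothetical.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample; the certificate body is placeholder bytes, not a real X.509 certificate.
SAMPLE_CERT_B64 = base64.b64encode(b"constructed placeholder, not a real certificate").decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/unique-id">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{SAMPLE_CERT_B64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="{POST_BINDING}" Location="https://idp.example.com/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def extract_idp_settings(metadata_xml: str) -> dict:
    """Return the SSO URL, Entity ID and signing-certificate fingerprint from IdP metadata."""
    # SAML metadata never needs a DTD; refusing one blocks entity-expansion payloads.
    if "<!DOCTYPE" in metadata_xml or "<!ENTITY" in metadata_xml:
        raise ValueError("metadata must not contain a DTD")
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor" or idp is None:
        raise ValueError("not a SAML 2.0 IdP EntityDescriptor")
    sso_urls = [e.get("Location") for e in idp.findall("md:SingleSignOnService", NS)
                if e.get("Binding") in (POST_BINDING, REDIRECT_BINDING)]
    if not sso_urls or urlparse(sso_urls[0]).scheme != "https":
        raise ValueError("no HTTPS SingleSignOnService endpoint found")
    # A KeyDescriptor without a 'use' attribute applies to signing as well.
    certs = [k.findtext(".//ds:X509Certificate", namespaces=NS)
             for k in idp.findall("md:KeyDescriptor", NS) if k.get("use") in (None, "signing")]
    certs = [c for c in certs if c]
    # Assumption: the setup form takes one certificate, so ambiguity is an error here.
    if len(certs) != 1:
        raise ValueError(f"expected exactly one signing certificate, found {len(certs)}")
    der = base64.b64decode("".join(certs[0].split()), validate=True)
    return {"sso_url": sso_urls[0], "entity_id": root.get("entityID"),
            "cert_sha256": hashlib.sha256(der).hexdigest()}
```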
When enabling Service Provider authentication, you will be prompted to use the following configuration by your Service Provider:
- ACS (Assertion Consumer Service) URL - value from Callback URL field (e.g. https://dbx-auth.fusionauth.io/samlv2/acs)
- Service Provider Entity ID - value from Issuer field (e.g. https://dbx-auth.fusionauth.io/samlv2/sp/c065a58b-54e4-4f27-ab46-003203c128ec)
The fields Metadata URL and RelayState are optional and should be used only when required for specific set-ups.
Pro Tip: To enable Identity Provider authentication, please contact Databox's Support Team via live chat or at help@databox.com. We will generate a personalized Relay State that you will need to finish the set-up of your Service Provider.
Pro Tip: Service Provider provisioning is not supported. Users need to be created in Databox first, and then they can be authenticated via the Identity Provider to log in to Databox. We match the email in Databox with the email the Identity Provider returns after authentication.
How to enable SSO with Okta as the Identity Provider
Databox supports the SAML 2.0 Single Sign-on login standard, and there are multiple Identity Providers supporting SAML SSO. Okta is just one of them.
To make the setup in Okta easier, we have a verified Databox application ready in the Okta Integration Network. You can use it to set up Databox in Okta, assign it to your users, and then complete the necessary steps in Databox (mentioned above).
Pro Tip: Both Service Provider and Identity Provider initiated login flows are supported. This means you can use the regular login page in Databox or log in via Okta’s directory with just one click.
How to remove Single Sign-On
To remove Single Sign-On, navigate to Account > Access and Security. Click the Single Sign-On (SSO) toggle to disable Single Sign-On.