SSO provides a means for enterprises to centrally manage and control user authentication and authorization. By using SSO, organizations reduce the administrative overhead of managing multiple authentication tokens for each user.
Dome9 Central supports Single Sign-On based on the SAML 2.0 standard.
When SSO is enabled for a Dome9 account, each user may be configured as an SSO user (the default) or as a built-in user.
A user designated as an SSO user will:
- Have the password managed by the SSO solution provider; a password reset in Dome9 will therefore direct the user to reset the password at the IDP's (SSO provider's) site
- Have MFA enabled and managed by the SSO solution provider; MFA will therefore be disabled for this user in Dome9 Central
Note: The Dome9 Account Owner can't be configured for SSO. This limitation exists so that at least one user can still log in to the system should something go wrong with the SSO settings.
In order to use Dome9 SSO support:
- The organization must have SAML 2.0 SSO infrastructure in place
- Users must be provisioned in the identity provider's SSO application
- A Dome9 user with the exact same email address (user identity) must be provisioned in Dome9
- The Dome9 user must be assigned privileges using Dome9's Users and Roles.
Integrating and configuring Dome9 for SSO consists of two main scenarios:
- Configuring the Dome9 account for SSO
- Adding new users or modifying existing users for SSO
Configuring the Dome9 account for SSO
- Log in to Dome9 Central with a super user account
- Under the user's menu, click Account Settings
- Select SSO
- The SSO settings screen opens. Click Enable:
- The SSO settings page opens. Fill in the details shown in the screen below with the values provided on your IDP's SSO settings page.
The example below was taken from the OneLogin SSO settings:
The example below was taken from the Okta SSO settings:
- To view the certificate details, in your IDP's SSO settings application, under the certificate context click View Details to see the certificate's Base64 representation, and copy it into the X.509 Certificate text area in Dome9 Central.
- Click Save
- The SSO settings will be saved to the account.
- The settings can be edited or disabled using the Edit or Disable buttons.
Note: Disabling SSO disables the SSO settings for all users in the account and issues a password reset invitation to all SSO users under the account.
Configuring IDP Custom Connector
When using an IDP custom application connector, the following details should be used:
- The SSO URL / ACS URL should be: https://secure.dome9.com/sso/saml/yourcompanyname
Where yourcompanyname is the Account ID string used in Dome9's SSO configuration
- The Audience / Entity ID field should be:
- The Assertion element should be signed.
Below is an example of an Okta custom connector:
Configuring a specific user for SSO
- With a super user account, log in to Dome9 Central and open Users and Roles. The User Management screen opens.
- To add a new user to Dome9, click Add User:
- Fill in the user's details. Note that SSO is enabled by default for the user when the account is configured for SSO.
- Click Create. The role settings page opens; attach a Dome9 Role and click Close:
- The user is added to the list of users with an SSO designation indicating that the user is an SSO user:
You may also modify the settings for a specific user.
- To disconnect a user from the SSO settings, under the user's action menu, click Disconnect from SSO.
- Confirm the SSO disconnect in the dialog that opens.
- The user will receive a mail notification to reset their password in Dome9.
- To connect an existing user to SSO, under the user's action menu, click Connect to SSO.
- In the dialog that opens, click Connect:
- The user will receive a mail notification to use the SSO login URL instead of the standard Dome9 login form.
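A pre-flight check, added here as an example and not Dome9's own tooling, for the two places this guide says an SSO rollout goes wrong: the custom-connector values (ACS URL built from the Account ID, a non-empty Audience, a signed Assertion, a Base64 X.509 value that decodes to a DER certificate) and the user rule that every Dome9 SSO user has the exact same email in the IDP application while the Account Owner stays a built-in user. The dict keys, the sample emails and the placeholder Audience value are assumptions constructed for this example; the X.509 value is a 5-byte ASN.1 stub, not a real certificate.

```python
import base64
import re

# Expected shape of the SSO / ACS URL shown on the Dome9 SSO settings page.
ACS_URL_RE = re.compile(r"^https://secure\.dome9\.com/sso/saml/([A-Za-z0-9._-]+)$")

def check_connector(s):
    """Return problems found in an IDP custom-connector config (dict keys are assumed names)."""
    problems = []
    m = ACS_URL_RE.match(s.get("acs_url", ""))
    if not m:
        problems.append("ACS URL must be https://secure.dome9.com/sso/saml/<Account ID>")
    elif m.group(1) != s.get("account_id"):
        problems.append("ACS URL account segment does not match the Dome9 Account ID")
    if not s.get("audience"):
        problems.append("Audience / Entity ID is empty")
    if not s.get("sign_assertion"):
        problems.append("Assertion element is not signed")
    # Accept the bare Base64 body or a pasted PEM block: drop armor lines and whitespace.
    body = "".join(l.strip() for l in s.get("x509_base64", "").splitlines()
                   if not l.startswith("-----"))
    try:
        der = base64.b64decode(body, validate=True)
        if not der or der[0] != 0x30:  # a DER certificate begins with an ASN.1 SEQUENCE tag
            problems.append("X.509 value does not decode to a DER certificate")
    except ValueError:
        problems.append("X.509 value is not valid Base64")
    return problems

def check_users(idp_emails, sso_emails, owner_email):
    """Cross-check Dome9 SSO users against the identities provisioned in the IDP application."""
    problems = []
    idp_loose = {e.strip().lower() for e in idp_emails}
    for email in sso_emails:
        if email.strip().lower() == owner_email.strip().lower():
            problems.append(f"{email}: the Account Owner must stay a built-in user")
        if email in idp_emails:
            continue  # exact match, as Dome9 requires
        if email.strip().lower() in idp_loose:
            problems.append(f"{email}: differs from the IDP identity only in case or whitespace")
        else:
            problems.append(f"{email}: SSO user is not provisioned in the IDP application")
    return problems

# Constructed sample inputs; the Audience value is a placeholder for the value Dome9 shows you.
CONNECTOR = {"account_id": "examplecorp", "sign_assertion": True, "x509_base64": "MAMCAQE=",
             "acs_url": "https://secure.dome9.com/sso/saml/examplecorp",
             "audience": "AUDIENCE-VALUE-FROM-DOME9-SSO-PAGE"}
IDP_USERS = ["alice@example.com", "bob@example.com"]
DOME9_SSO_USERS = ["alice@example.com", "Bob@example.com", "owner@example.com"]
```

Run `check_connector(CONNECTOR)` and `check_users(IDP_USERS, DOME9_SSO_USERS, "owner@example.com")` before clicking Save; an empty list from both means the values on this page line up.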