Single Sign-On

In this topic:

    Single Sign-On (SSO) provides a means for enterprises to centrally manage and control user authentication and authorization.

    Using SSO, organizations reduce the administrative overhead of managing multiple authentication tokens for each user.

    A user logs in with a single ID and password to gain access to a connected system or systems without using different usernames or passwords.

    Dome9 supports Single Sign-On based on SAML 2.0 (https://en.wikipedia.org/wiki/SAML_2.0).

    When SSO is enabled for a Dome9 account, each account user can be configured to use SSO authentication (default), or a built-in user authentication.

    Users with SSO

    A user configured to use SSO:

    • Has a password managed by the SSO identity provider, so a password reset in Dome9 will direct the user to reset the password on the IDP (SSO Provider).

    • Has MFA enabled and managed by the SSO solution provider, so MFA will be disabled for this user in Dome9 Central.

    A Dome9 Account Owner cannot be configured for SSO. This restriction is a failsafe that ensures at least one user can log in to the Dome9 system if something goes wrong with the SSO identity provider.

     

    Configure SSO

    Pre-requisites

    • The organization must have a SAML 2.0 SSO infrastructure in place.

    • Users must be provisioned in the identity provider's SSO application.

    • A Dome9 user with the same user identity email must be provisioned in Dome9.

    • The Dome9 user must be assigned permissions in Dome9.
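
    A pre-enablement check of the prerequisites above, as an added example that is not part of the Dome9 documentation or product: it compares an export of users from the identity provider's SSO application with an export of Dome9 users. The record fields (email, auth, permissions, is_owner) are assumed for illustration, and because this page does not say whether the email comparison is case-sensitive, addresses that differ only in letter case are reported separately.

```python
# Added example: checks the SSO prerequisites listed above against two user
# exports. Record layouts and field names are assumptions, not a Dome9 or IdP schema.

def audit_sso_readiness(idp_users, dome9_users):
    """Return {finding_type: sorted list of emails} for prerequisite gaps."""
    findings = {
        "missing_in_dome9": [],   # in the IdP app, no Dome9 user with that email
        "missing_in_idp": [],     # Dome9 SSO user not provisioned in the IdP app
        "case_mismatch": [],      # same email except for letter case
        "no_permissions": [],     # Dome9 SSO user with nothing assigned
        "owner_on_sso": [],       # Account Owner must stay on built-in auth
    }
    idp_exact = {u["email"].strip() for u in idp_users}
    idp_folded = {e.casefold() for e in idp_exact}
    d9_folded = set()

    for user in dome9_users:
        email = user["email"].strip()
        d9_folded.add(email.casefold())
        if user.get("is_owner") and user.get("auth") == "sso":
            findings["owner_on_sso"].append(email)
        if user.get("auth") != "sso":
            continue  # built-in authentication: the SSO prerequisites do not apply
        if email not in idp_exact:
            kind = "case_mismatch" if email.casefold() in idp_folded else "missing_in_idp"
            findings[kind].append(email)
        if not user.get("permissions"):
            findings["no_permissions"].append(email)

    for email in idp_exact:
        if email.casefold() not in d9_folded:
            findings["missing_in_dome9"].append(email)
    return {k: sorted(v) for k, v in findings.items()}

# Constructed sample data (not real accounts).
IDP_USERS = [{"email": "alice@example.com"}, {"email": "Bob@example.com"},
             {"email": "carol@example.com"}]
DOME9_USERS = [
    {"email": "alice@example.com", "auth": "sso", "permissions": ["auditor"]},
    {"email": "bob@example.com", "auth": "sso", "permissions": []},
    {"email": "dave@example.com", "auth": "sso", "permissions": ["admin"]},
    {"email": "owner@example.com", "auth": "builtin", "is_owner": True,
     "permissions": ["owner"]},
]

if __name__ == "__main__":
    for kind, emails in audit_sso_readiness(IDP_USERS, DOME9_USERS).items():
        print(f"{kind}: {emails}")
```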

     

    SSO end user login

    An end user configured for SSO can log in to Dome9 in the following ways:

    1. Log in through the SSO solution provider login page (IDP-initiated), and from there select the Dome9 application.

    2. Access the Dome9 console with the following URL, https://secure.dome9.com/sso/yourcompanyname, which will redirect the user to log in using the SSO solution provider login page and, once successfully authenticated there, redirect the user back to the Dome9 console (SP-initiated).

    Login with the Service Provider (SP) initiated flow:

    1. Navigate to https://secure.dome9.com/sso/yourcompanyname, where yourcompanyname is the Account ID identifier configured in the SSO settings page.

    2. You will be redirected to the SSO provider's login page.

    3. Log in on the SSO provider's site.

    4. You will be redirected back to the Dome9 console, with an authenticated session for the Dome9 user corresponding to the user on the SSO site (with the same user email).

    Login with the IDP initiated flow:

    1. Navigate to the login page for the SSO provider, and log in there, using the SSO user name.

    2. Select Dome9 as the destination site.

    3. You will be redirected to the Dome9 console, with an authenticated session for the Dome9 user corresponding to the user on the SSO site (with the same user email).