Sync supports single sign-on (SSO) via either the SAML 2.0 or OpenID authentication protocols. This feature enables identity providers that support these protocols, such as Microsoft Entra ID (formerly Azure Active Directory) or Okta, to serve as SSO platforms for Sync.

Overview

Enabling SSO requires that you configure a group of settings on the SSO tab of the Settings page. When you configure the SSO settings, users that are created within Sync should be given a federation Identifier (Id). This federation Id associates a username with an identity provider entity. When the user attempts to log in to the application, the user is redirected to the SSO platform, where the credentials for the appropriate identity must be entered.
If Just-in-Time (JIT) user provisioning is enabled (also from the SSO tab), a new user account is automatically created in Sync at the time of login, based on attributes that are received from the identity provider (for example, the user’s name and email address). This identity and access management (IAM) process streamlines onboarding by eliminating the need for manual account creation. For more details, see Just-in-Time (JIT) User Provisioning.
After SSO is configured and users have a federation Id value to associate them with an identity provider (IdP), you can perform additional configuration either in Sync (for example, enabling JIT provisioning) or directly in the IdP, as explained in later sections.
Sync supports group-based access via the group-to-role mapping feature in JIT provisioning. You can map group identifiers that are provided by the IdP to Sync roles. Each user must still log in individually, but role assignment can be automated based on IdP group membership.
The following sections explain how to set up SSO configuration through two identity providers, Microsoft Entra ID and Okta, with the OpenID Connect and SAML 2.0 authentication protocols.

Configuring Microsoft Entra ID for SSO

The following sections explain how to set up Microsoft Entra ID for SSO via either OpenID Connect or SAML 2.0.

OpenID Connect Configuration

Single sign-on (SSO) with Microsoft Entra ID streamlines access to Sync, enabling just-in-time provisioning at the time of login. The following steps explain how to set up Microsoft Entra ID for SSO with the OpenID Connect protocol.
  1. Log in to the Azure portal and open Microsoft Entra ID.
  2. Log in to Sync and select Settings > SSO to open the Single Sign-On (SSO) Settings dialog box.
  3. Navigate to Entra ID > App registrations > New registration and create an application registration for Sync. Follow the prompts to complete the process.
  4. In your application registration, set the redirect URL to the Callback URL value that is specified in the Single Sign-On (SSO) Settings dialog box in Sync.
  5. In the Single Sign-On (SSO) Settings dialog box in Sync, specify the following properties:
    1. Set the Client ID property to the value of Application (client) Id that is found in the new application registration.
    2. Set the Client Secret property to the value of the new client secret that you generated in Entra ID.
    3. Set Discovery URL to the OpenID Connect MetaData document value from the Endpoint page in your application registration. Then, click Import to import the remaining settings into Sync.
  6. Click Save and Test in Sync to verify the SSO configuration. Sync opens a new tab and prompts you to sign in to your Microsoft account. If the test succeeds, Sync displays a success message along with claim details.
  7. (Optional) Update your user account with your federation Id.
    1. Copy the federation Id from the Single Sign-On (SSO) Settings dialog box in step 5.
    2. Navigate to Settings > Users. Then, locate your user account and click Edit.
    3. Add the federation Id to your user account. Then click Save to save your change and exit the dialog box.
At this point, you have completed the basic OpenID Connect SSO setup, allowing your users to log in to Sync through Microsoft Entra ID.

SAML 2.0 Configuration

With SAML-based single sign-on (SSO), users can seamlessly authenticate through their organization’s identity provider, enabling just-in-time provisioning at the time of login. The following steps explain how to set up Microsoft Entra ID SSO with the SAML 2.0 protocol.
  1. Log in to the Azure portal and open Microsoft Entra ID. Then, navigate to the Enterprise applications page.
  2. Select New application > Create your own application. In the Create your own application dialog box:
    1. Enter a name for your application (for example, CData Sync).
    2. Specify what you want to do with your application by selecting one of the options under What are you looking to do with your application?
    3. Click Create.
  3. In your newly created application, select Set up single sign on.
  4. Select SAML as the sign-on method.
  5. Log in to Sync and select Settings > SSO. On that SSO tab, click Configure in the Single Sign On (SSO) Settings section. This action displays the Single Sign On (SSO) Settings dialog box.
  6. Select SAML 2.0. This selection displays the Assertion Consumer Services (ACS) URL and the audience URI.
    Keep this dialog box open because you need to return to it later in these steps.
  7. In Entra ID, set Reply URL (Assertion Consumer Service URL) to the Assertion Consumer Services (ACS) URL value in Sync. Then, set Identifier (Entity ID) in Entra ID to the Audience URI value in Sync.
    Leave the Sign on URL text box empty if you plan to use sign-on initiated by your identity provider.
  8. In the Single Sign-On (SSO) Settings dialog box, set Discovery URL to the App Federation Metadata URL value that is found in Entra ID. Then, click Import to import the remaining settings into Sync.
  9. Click Save and Test in Sync to verify the SSO configuration. Sync opens a new tab and prompts you to sign in to your Microsoft account. If the test succeeds, Sync displays a success message along with claim details.
  10. (Optional) Update your user account with your federation Id.
    1. Copy the federation Id from the Single Sign-On (SSO) Settings dialog box in step 9.
    2. Navigate to Settings > Users. Then, locate your user account and click Edit.
    3. Add the federation Id to your user account. Then click Save to save your change and exit the dialog box.
At this point, you have completed the basic SAML SSO setup, allowing your users to log in to Sync through Microsoft Entra ID.

Configuring Okta for SSO

The following sections explain how to set up Okta for SSO via either OpenID Connect or SAML 2.0.

OpenID Connect Configuration

Single sign-on (SSO) with Okta streamlines access to Sync, enabling just-in-time provisioning at the time of login. The following steps explain how to set up Okta for SSO with the OpenID Connect protocol.
  1. Log in to the Okta Admin Console and select Applications > Applications > Create App Integration.
  2. In the Create a new app integration dialog box, select OIDC - OpenID Connect for Sign-in method and Web Application for Application type. Then click Next.
  3. Log in to Sync and select Settings > SSO to open the Single Sign-On (SSO) Settings dialog box.
  4. In Okta, set the redirect URI to the Callback URL value that is specified in the Single Sign-On (SSO) Settings dialog box in Sync. Then, click Next to create your application.
  5. Locate and copy the Issuer URL, as follows.
    1. Click the Sign-On tab for your application in the Okta Admin Console.
    2. Scroll to the OpenID Connect ID Token section.
    3. Copy the URL from the Issuer field.
    If you want to sign in through an authorization server, you must obtain the Issuer URL for that particular server. In the Okta Admin Console, click Security in the left navigation pane, and then select API to display the Authorization Servers list. Locate your authorization server and copy the URL from the Issuer field.
  6. In the Single Sign-On (SSO) Settings dialog box in Sync, specify the following properties:
    1. Set the Client ID and Client Secret properties to the corresponding values that are found on the General tab in Okta.
    2. Set Discovery URL to the Issuer URL that you copied previously, and append the OpenID Connect Discovery endpoint (.well-known/openid-configuration). Example: https://MyOrganization.okta.com/.well-known/openid-configuration. Then, click Import to import the remaining settings into Sync.
  7. Click Save and Test in Sync to verify the SSO configuration. Sync opens a new tab and prompts you to sign in to your Microsoft account. If the test succeeds, Sync displays a success message along with claim details.
  8. (Optional) Update your user account with your federation Id.
    1. Copy the federation Id from the Single Sign-On (SSO) Settings dialog box in step 5.
    2. Navigate to Settings > Users. Then, locate your user account and click Edit.
    3. Add the federation Id to your user account. Then click Save to save your change and exit the dialog box.
At this point, you have completed the basic OpenID Connect SSO setup, allowing your users to log in to Sync through Okta.
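The Discovery URL step in both OpenID Connect procedures (Entra ID and Okta) can be checked before you click Import. The following Python sketch is an added example, not part of the product or its documentation: it builds the Discovery URL from an Issuer URL and verifies that a downloaded discovery document names that same issuer and advertises only HTTPS endpoints. The sample documents are constructed, and the function names are hypothetical.

```python
import json
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"
ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")

def discovery_url(issuer):
    """Append the OpenID Connect Discovery endpoint to an Issuer URL."""
    return issuer.rstrip("/") + WELL_KNOWN

def check_discovery(url, document):
    """Return a list of problems in a discovery document (empty list = OK)."""
    if urlsplit(url).scheme != "https" or not url.endswith(WELL_KNOWN):
        return ["Discovery URL must be https and end with " + WELL_KNOWN]
    expected = url[: -len(WELL_KNOWN)]
    meta = json.loads(document)
    problems = []
    # OpenID Connect Discovery requires the returned issuer to equal the
    # Issuer URL that the document was fetched from.
    if meta.get("issuer") != expected:
        problems.append("issuer %r != %r" % (meta.get("issuer"), expected))
    for key in ENDPOINTS:
        if urlsplit(meta.get(key, "")).scheme != "https":
            problems.append(key + " is missing or not https")
    if "none" in meta.get("id_token_signing_alg_values_supported", []):
        problems.append("unsigned ID tokens (alg none) are advertised")
    return problems

# Constructed documents; the host comes from the page's example URL.
ORG = "https://MyOrganization.okta.com"
GOOD = json.dumps({
    "issuer": ORG,
    "authorization_endpoint": ORG + "/oauth2/v1/authorize",
    "token_endpoint": ORG + "/oauth2/v1/token",
    "jwks_uri": ORG + "/oauth2/v1/keys",
    "id_token_signing_alg_values_supported": ["RS256"],
})
# Document of a different authorization server, with one plain-http endpoint.
BAD = json.dumps({
    "issuer": ORG + "/oauth2/default",
    "authorization_endpoint": ORG + "/oauth2/default/v1/authorize",
    "token_endpoint": "http://MyOrganization.okta.com/oauth2/default/v1/token",
    "jwks_uri": ORG + "/oauth2/default/v1/keys",
    "id_token_signing_alg_values_supported": ["RS256"],
})
```

An issuer mismatch usually means the Issuer URL was copied from one authorization server while the discovery document belongs to another, which is the case the note under step 5 describes.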

SAML 2.0 Configuration

With SAML-based single sign-on (SSO), users can seamlessly authenticate through their organization’s identity provider, enabling just-in-time provisioning at the time of login. The following steps explain how to set up Okta for SSO with the SAML 2.0 protocol.
  1. Log in to the Okta Admin Console and select Applications > Create App Integration. This step opens the Create a new app integration dialog box.
  2. Select SAML 2.0 as the sign-in method. Then, click Next, which opens the Create SAML Integration dialog box.
  3. Enter a descriptive name (for example, CData Sync) for your application in the App Name text box. You can also add a logo for your application, if you choose. Then, click Next.
  4. In the application, click the SSO tab on the Settings page. On that tab, click Configure in the Single Sign On (SSO) Settings section. This action displays the Single Sign On (SSO) Settings dialog box.
  5. Select SAML 2.0. This selection displays the Assertion Consumer Services (ACS) URL and the audience URI.
    Keep this dialog box open because you need to return to it later in these steps.
  6. In Okta, enter the Assertion Consumer Services (ACS) URL value from Sync into the Single sign on URL text box. Then, enter the Audience URI value from Sync into the Audience URI (SP Entity ID) text box. You can leave the default settings for the remaining Okta fields.
  7. In Sync, set Discovery URL to the domain of your registered Okta organization, followed by /oauth2/default/.well-known/openid-configuration. Example: Then, click Import to import the remaining settings into Sync.
  8. Click Save and Test in Sync to verify the SSO configuration. Sync opens a new tab and prompts you to sign in to your Microsoft account. If the test succeeds, Sync displays a success message along with claim details.
  9. (Optional) Update your user account with your federation Id.
    1. Copy the federation Id from the Single Sign-On (SSO) Settings dialog box in step 8.
    2. Navigate to Settings > Users. Then, locate your user account and click Edit.
    3. Add the federation Id to your user account. Then click Save to save your change and exit the dialog box.
At this point, you have completed the basic SAML SSO setup, which enables you to log in to Sync through Okta.

Just-in-Time (JIT) User Provisioning

As mentioned earlier, Just-in-Time user provisioning enables Sync to create and manage user accounts automatically at first login by using information that is provided by your identity provider. JIT provisioning is particularly useful when users access Sync through an identity provider for the first time, and the application receives a secure message confirming their identity. The resulting account is assigned a default role, as specified in the SSO settings. This functionality streamlines user onboarding and ensures account details remain consistent with identity claims. When a user logs in to Sync by using SAML or OpenID Connect, Sync searches for that user via a federation Id.
  • If a user does not exist, Sync first uses group-to-role mappings to assign a role. If no mapping is found, then Sync checks the default role. If no group-to-role mapping is found and no default role is configured, the user account is created without a role.
  • If a user already exists, Sync only uses group-to-role mappings to match the user’s current role. If the mapping and current role do not match, Sync updates the user’s current role. There is no default-role matching during this process.

Requirements and Mappings in your Identity Provider

Identity-provider requirements vary depending on whether you use SAML 2.0 or OpenID Connect. This section explains claim requirements for each authentication method.
OpenID Connect
  • By default, subcontrols are mapped to the user’s role and the claim is mapped to the federation Id. As an option, admin users can use a different field (for example, oid) by setting the Key Claim property in Sync (Settings > SSO > User Provisioning).
  • The email claim maps to Email Address in Sync.
  • The preferred_username claim maps to name in Sync.
SAML 2.0
  • The NameID and Email claims are required.
  • (Optional) You can add the Name claim, which maps to Username in Sync.
  • (Optional) You can add the Role claim, which controls the user’s role.

JIT Configuration in Sync

To enable and configure JIT provisioning in Sync:
  1. Enable JIT provisioning, as follows:
    1. Select Settings > SSO in Sync.
    2. Click the Edit icon to open the User Provisioning dialog box.
    3. Select Enabled under the JIT Provisioning label.
    4. (Optional) If one is not set already, select a default role from the SYNC ROLES list.
    5. Click Save to save your selection and exit the dialog box.
When a user logs in, Sync adjusts the role based on the following order:
  1. If the group-to-role mapping finds a match, Sync applies the mapped role or roles.
  2. If the claim contains a role, Sync searches for that role and updates the user account.
  3. If the group claim does not exist or there is no mapped role, the application uses the default role.
  4. If a default role is not configured, the user account has no role and the Admin user must update the user’s role manually.

Group-to-Role Mapping

In addition to assigning roles through a role claim or a default role, Sync supports mapping of Identity Provider (IdP) groups to Sync roles. This feature is useful when your IdP (for example, Microsoft Entra ID) issues group identifiers in the authentication token instead of role names. To configure group-to-role mappings in Sync:
  1. Select Settings > SSO and click Edit to open the User Provisioning dialog box.
  2. Scroll to the GroupMapping section and click Add mappings to open new mapping fields.
  3. Enter the value that is returned by your IdP, according to the checks made by Sync:
    • OpenID Connect: Sync checks only the value of the groups claim in the IdP response.
      With Okta, the claim can contain group names; with Microsoft Entra ID, the claim contains group identifiers (GUIDs). Configure your mapping to match whatever your IdP issues.
    • SAML 2.0: Sync checks only the value from the role claim.
    Then, select one or more Sync roles to which you want to map the group.
  4. When you finish adding mappings, click Save to exit the dialog box. When a user logs in with JIT provisioning, Sync assigns roles according to the rules described earlier in Requirements and Mappings in Your Identity Provider.
To delete a mapping, click the Delete icon.
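The role-assignment order under JIT Configuration and the group-to-role mapping rules above can be modeled offline to see which role a given token would produce before JIT provisioning is enabled. The following Python sketch is an added example and not the product's code: the function names, role names and sample values are hypothetical, and reading the role claim from a key named role is an assumption.

```python
# Added illustration of the role-assignment order described on this page.
# Role names and sample values are constructed; this is not the product's code.

def as_list(value):
    """IdPs may send a claim as a single string or as a list."""
    return [value] if isinstance(value, str) else list(value or [])

def resolve_roles(protocol, claims, group_map, known_roles,
                  default_role=None, current_roles=None):
    """Return (roles, reason) for one login.

    protocol      -- "oidc" (mapping reads the groups claim) or "saml" (role claim)
    group_map     -- {value issued by the IdP: [role, ...]}
    current_roles -- None on first login, otherwise the existing account's roles
    """
    source = "groups" if protocol == "oidc" else "role"
    mapped = []
    for value in as_list(claims.get(source)):
        for role in group_map.get(value, []):  # exact string match only
            if role not in mapped:
                mapped.append(role)
    if mapped:
        return mapped, "group-mapping"
    if current_roles is not None:
        # Existing account: no default-role matching, so nothing changes.
        return list(current_roles), "unchanged"
    # Assumption: the role claim is delivered under the key "role".
    claimed = [r for r in as_list(claims.get("role")) if r in known_roles]
    if claimed:
        return claimed, "role-claim"
    if default_role:
        return [default_role], "default-role"
    return [], "no-role"

# Constructed sample data.
GUID = "11111111-2222-3333-4444-555555555555"   # Entra ID sends group GUIDs
ROLES = {"Admin", "Standard", "ReadOnly"}        # hypothetical role names

def audit():
    by_guid = {GUID: ["Admin"]}
    by_name = {"Sync Admins": ["Admin"]}         # keyed by display name
    token = {"groups": [GUID]}
    return {
        "guid mapping": resolve_roles("oidc", token, by_guid, ROLES, "ReadOnly"),
        "name mapping": resolve_roles("oidc", token, by_name, ROLES, "ReadOnly"),
        "saml role": resolve_roles("saml", {"role": "Standard"}, {}, ROLES, "ReadOnly"),
        "existing": resolve_roles("oidc", {}, by_guid, ROLES, "ReadOnly", ["Standard"]),
        "nothing set": resolve_roles("oidc", {}, by_guid, ROLES),
    }
```

The "name mapping" case shows a mapping keyed by group display name falling through to the default role when the IdP issues GUIDs, so the default role is the one every unmatched first login receives.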