SaaS Shield Configuration Broker Single Sign On (SSO)

The IronCore Configuration Broker allows each organization to choose the method by which its administrators will authenticate: username and passphrase, SSO using a SAML-based Identity Provider (IDP) that the organization configures, or (for tenant organizations) SSO using a SAML-based IDP that one of their vendors configures. All these SSO and authentication options can be found in the account settings page, under “Organization Settings”.

Organization-provided IDP

If an organization (vendor or tenant) is already using an IDP to authenticate its own applications and services, this may be the best option. The Configuration Broker can be configured to use that IDP and its associated directory for authentication. Administrators who have already logged in using the IDP will not be prompted again when accessing the Configuration Broker. Administrators who leave the company and can no longer log in using the IDP will not be able to log in to the Configuration Broker.

In order to be usable by the Configuration Broker, the IDP must support SAML-based Single Sign On. Once an administrator for an organization has been invited to access the Configuration Broker and has created their Configuration Broker account and organization, they can configure the organization to use that IDP for authentication. The Configuration Broker UI provides more information about the necessary settings on the IDP and what needs to be provided to the Configuration Broker.

Once the organization is configured to use the IDP, all administrators within that organization must use the SAML-based SSO process before they can access the Configuration Broker.

Vendor-provided IDP

If an organization is a tenant, it can elect to use an IDP provided by one of its vendors for administrator authentication. If the organization does not already have its own SSO, but its administrators log into one of its vendors’ applications, this can be a good option. The UI allows the tenant to choose from IDPs their vendors have explicitly made available to them. If a vendor removes that provided option at any time, the tenant will revert to username/passphrase authentication.

Provisioning

Auto-provisioning is not supported by the Configuration Broker. Newly invited organization admins will need to create a Configuration Broker account with an encryption passphrase. Offboarded admins who have been de-permissioned in the IDP will not be able to log in to the Configuration Broker, but they are not automatically deleted from the Configuration Broker. Eventual deletion is still recommended, to remove any possibility of cryptographic access or of regained access if IDP authentication is ever disabled.