Single sign-on (SSO) is a technology that consolidates multiple application login screens into one. With SSO, users need to enter their login credentials (such as username and password) only once on a single page to gain access to all of their Software as a Service (SaaS) applications.
Requirements
An active Ubidots account with an Enterprise III license.
An account with your preferred identity provider: Auth0 or Microsoft Azure.
1. What's Single Sign-on?
Single sign-on is an authentication method that allows users to securely authenticate across multiple applications and websites using only one set of credentials. This method works based upon a trust relationship set up between an application, known as the service provider, and an identity provider. Moreover, it can be employed by enterprises, small and midsize organizations, as well as individuals, to streamline the management of multiple credentials.
In this case, Ubidots works as the Service provider, and we have included two different Identity providers: Auth0 and Microsoft Azure. Both of them work with SAML 2.0, which serves as our standard Authentication Protocol for configuring SSO on our platform.
Security Assertion Markup Language (SAML) is a login standard that facilitates user access to applications across different contexts based on sessions. It serves as a single sign-on (SSO) login method, providing more secure authentication and enhancing user experience compared to traditional usernames and passwords.
2. Auth0 configuration
To configure SSO for your Ubidots application using Auth0, follow these steps:
Open the Apps module and click on Edit for your application. Go to the Domain section and copy the app domain to the clipboard.
Go to your Auth0 portal, open the Applications dropdown and click on Applications. Here you can create a new application.
On the creation drawer, you just need to set a name for your application and select the native type.
Open the application settings
Go down to Application URLs section and type the following into the Allowed Callback URLs field:
https://<app_domain>:443/saml2/acs/
<app_domain> is the domain that you copied in the first step of the process.
Don't forget to save the changes on your Auth0 app.
Go down to Advanced settings and open the Endpoints section.
Go down to SAML Endpoints and copy the SAML Metadata URL.
Paste the URL into another browser window; an XML file will be downloaded to your computer.
Go back to your Ubidots account, open the app settings and click on the Auth section.
In the Single Sign-On configuration, fill in the following fields:
Enable SSO: enable the toggle to activate the SSO on the app.
Identity provider: select Auth0.
Application name: The application name you want to assign.
SAML Metadata: upload the XML file you downloaded in step 8.
Organization for new users: select an organization for your end user.
Default role: select a role for your end user.
After the changes are saved successfully, continue with the Testing SSO and general features section.
3. Microsoft Azure configuration
To configure SSO for your Ubidots application using Microsoft Azure, follow these steps:
Open the Apps module and click on Edit for your application. Go to the Domain section and copy the app domain to the clipboard.
Go to your Microsoft Azure portal and look for Enterprise Applications in the Azure services section.
Click on the button +New application.
Click on the button +Create your own application.
Set a name for your app and select the option Integrate any other application you don't find in the gallery (Non-gallery). Then, click on create.
Now, in the application overview, go to section 1. Assign users and groups.
Click on the button +Add user/group.
Click on None selected (Users) and select all the users you want to assign to the app. Then, click on Assign.
Now, in the left panel, click on Single Sign-On and then select the SAML option.
Click on edit Basic SAML configuration.
Fill in each field with the following information, then save the configuration.
Identifier: https://<app_domain>:443/saml2/metadata/
Reply URL: https://<app_domain>:443/saml2/acs/
Sign on URL: https://<app_domain>:443/
Relay State: https://<app_domain>:443/
Logout Url: https://<app_domain>:443/saml2/sls/
<app_domain> is the domain that you copied in the first step of the process.
After saving the SAML configuration, go down to SAML Certificates and download the Federation Metadata XML file.
Go back to your Ubidots account, open the app settings and click on the Auth section.
In the Single Sign-On configuration, fill in the following fields:
Enable SSO: enable the toggle to activate the SSO on the app.
Identity provider: select Azure.
Application name: The application name you want to assign.
SAML Metadata: upload the XML file you downloaded in step 12.
Organization for new users: select an organization for your end user.
Default role: select a role for your end user.
After the changes are saved successfully, continue with the Testing SSO and general features section.
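Both the Auth0 flow (section 2) and the Azure flow (section 3) end with uploading an IdP metadata XML file, and the Azure flow also asks for five SP URLs derived from the app domain. The following script, added here as an example and not part of Ubidots' or either provider's tooling, checks that a downloaded file really is identity-provider metadata with an SSO endpoint and a signing certificate, and builds the SP URLs from a copied app domain; the sample metadata and domain are constructed, not real.

```python
"""Added example (not Ubidots' own code): sanity-check the IdP metadata XML
downloaded in section 2 or 3 before uploading it, and derive the SP URLs the
Azure Basic SAML configuration step expects from the copied app domain."""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed minimal IdP metadata; the certificate value is a placeholder.
SAMPLE_IDP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example/">
 <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>PLACEHOLDER-BASE64-CERT</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></KeyDescriptor>
  <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://idp.example/sso"/>
 </IDPSSODescriptor>
</EntityDescriptor>"""


def sp_endpoints(app_domain: str) -> dict:
    """The five values from section 3, built from the app domain you copied."""
    base = f"https://{app_domain}:443"
    return {"Identifier": f"{base}/saml2/metadata/",
            "Reply URL": f"{base}/saml2/acs/",
            "Sign on URL": f"{base}/",
            "Relay State": f"{base}/",
            "Logout Url": f"{base}/saml2/sls/"}


def inspect_idp_metadata(xml_text: str) -> dict:
    """Return entityID, SSO endpoints keyed by binding and the number of signing
    certificates; raise ValueError if the file is not usable IdP metadata."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:  # e.g. SP metadata or an unrelated XML was downloaded
        raise ValueError("no IDPSSODescriptor: not identity provider metadata")
    sso = {e.get("Binding"): e.get("Location")
           for e in idp.findall("md:SingleSignOnService", NS)}
    certs = [k for k in idp.findall("md:KeyDescriptor", NS)
             if k.get("use") in (None, "signing")  # no 'use' means both uses
             and k.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) is not None]
    if not sso or not certs:
        raise ValueError("missing SSO endpoint or signing certificate")
    return {"entity_id": root.get("entityID"), "sso": sso,
            "signing_certs": len(certs)}
```

Run `inspect_idp_metadata(open("metadata.xml").read())` on the downloaded file; a ValueError means you saved the wrong document (for example the SP metadata instead of the IdP's) and the upload in step 8 or 12 would not work.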
4. Testing SSO and general features
Following the SSO configuration, end users only need to access your app domain. If they are already logged into their Auth0 or Azure account, Ubidots will seamlessly authenticate them into the app. If not, we will prompt them for their Identity Provider credentials, without requiring a separate username and password.
Auth0 Authentication
Azure Authentication
Keep the following considerations in mind:
An application can only have one SSO configuration, either Auth0 or Azure, but not both simultaneously.
Each time you change your Identity Provider (IdP), the previously uploaded XML file is replaced, because we do not keep old files. Therefore, if you wish to revert to your previous configuration, you will need to upload the respective file again.
You can log into the app with any user, whether or not they already exist in the end users list. If the user does not exist, Ubidots will create the end user profile, assigning the organization and role configured in the SSO settings.
Note: For Auth0, we utilize the account email, whereas for Azure, we employ the end user email, not the email associated with the Azure portal.
An end user who is already created in Ubidots but not assigned to any organization or role can also log into the app with the SSO configuration. Ubidots will assign the respective organization and role configured in the SSO settings.
An end user who already exists in Ubidots and is assigned to an organization and a role can also log into the app with the SSO configuration. In this case, the user keeps the current organization, and Ubidots additionally assigns the organization and role configured in the SSO settings, so the user ends up assigned to multiple organizations.
An end user who already exists in Ubidots and is assigned to the same organization configured in the SSO settings can also log into the app. In this case, the user's current role is deleted and Ubidots assigns the new role taken from the SSO configuration.