Single Sign-On (SSO) is an authentication method that you can use to set up your sign-in requirements and team member access to the Dashboard.

Specifically, Sumsub supports Security Assertion Markup Language (SAML) version 2.0 which allows authentication and team member account creation to be delegated to the Identity Provider (IdP).

Using SSO has two main benefits:

Security enhancements
- Allow your team members to access the Dashboard without the need for a password.
- Make the most out of your authentication decisions that you define through an IdP, such as password policies or two-factor authentication.
Easily manageable access
- Allow new team members to instantly sign in to the Dashboard using Just-in-Time (JIT) account provisioning.
- Revoke Dashboard access as and when it is needed.

SSO features

We support the following features:

SSO configuration options. Configure Sumsub accounts to either set up SSO for all team members or to allow sign in using SSO or email and password.
Just-in-Time account creation. Provision new Sumsub accounts for team members without existing access upon their first SSO sign-in.
Custom dashboard roles for team members. Configure dashboard roles through the IdP.
IdP-initiated login. Directly authenticate from an identity provider website or browser extension, assuming the IdP supports service provider-initiated login.
System for Cross-domain Identity Management (SCIM). SCIM is a protocol that an IdP can use to synchronize user identity lifecycle processes (such as, for example, provisioning and deprovisioning access, populating user details) with the service provider, such as Sumsub.
Group rules. You can create several user groups signed in via SSO and apply an individual set of permissions to each group.

Configure SSO login

To configure SSO login, go to the SSO Login page and set the following parameters:

Parameter	Description
SP EntityId/Metadata	Link to the XML file which contains metadata and a unique service provider identifier. The file structure shows how and where you need to input your data.
Domains	Authentication domain(s).
IdP Entity Id	Unique identity provider identifier.
Name Id Format	Defines name formats supported by the identity provider.
SSO Service URL	Can be initiated at the identity provider or service provider site.
Logout Service URL	Used by a partner to contact the Single logout profile. Can be initiated at the identity provider or service provider site.
Certificate	An X.509 certificate that holds the corresponding public key along with the metadata related to the organization issued the certificate. The way you generate keys and certificates depends on your development platform and programming language preference.
Certificate Fingerprint	A certificate digest in the x509 binary format. The fingerprint type depends on the algorithm used to generate the fingerprint.
Certificate Fingerprint Algorithm	Encryption algorithm used to generate a certificate fingerprint, such as `sha1`, `sha256`, `sha384`, `sha512`.
Email Attribute	SAML attribute used to pass the user email address.
First Name Attribute	SAML attribute used to pass the user first name.
Last Name Attribute	SAML attribute used to pass the user last name.
Groups Attribute	SAML attribute used to pass the assigned user groups. Leave the setting empty to apply default controller permissions to all users signed in via SSO.

Set group settings

You can create several user groups signed in via SSO and apply an individual set of permissions to each of them.

To create a group:

At the bottom of the SSO Login page, click Add group.
Provide a group name on the identity provider side.
Select a role.
Repeat steps 1-2 to create as many groups as you need and save your configuration once done.

Log in with SSO

Once you have configured SSO login:

Navigate to https://cockpit.sumsub.com and select Use Single sign-on (SSO).
Provide your email address and complete SSO authentication.