Single sign-on (SSO)
Securely authenticate your users with multiple applications and websites using just one set of credentials.
Single Sign-On (SSO) is an authentication method that you can use to set up your sign-in requirements and team member access to the Dashboard.
Specifically, Sumsub supports Security Assertion Markup Language (SAML) version 2.0 which allows authentication and team member account creation to be delegated to the Identity Provider (IdP).
Using SSO has two main benefits:
- Security enhancements
  - Allow your team members to access the Dashboard without the need for a password.
  - Make the most of the authentication decisions you define through an IdP, such as password policies or two-factor authentication.
- Easily manageable access
  - Allow new team members to instantly sign in to the Dashboard using Just-in-Time (JIT) account provisioning.
  - Revoke Dashboard access as and when it is needed.
SSO features
We support the following features:
- SSO configuration options. Configure Sumsub accounts to either set up SSO for all team members or to allow sign in using SSO or email and password.
- Just-in-Time account creation. Provision new Sumsub accounts for team members without existing access upon their first SSO sign-in.
- Custom dashboard roles for team members. Configure dashboard roles through the IdP.
- IdP-initiated login. Directly authenticate from an identity provider website or browser extension, assuming the IdP supports service provider-initiated login.
- System for Cross-domain Identity Management (SCIM). SCIM is a protocol that an IdP can use to synchronize user identity lifecycle processes (for example, provisioning and deprovisioning access, or populating user details) with a service provider such as Sumsub.
- Group rules. You can create several user groups signed in via SSO and apply an individual set of permissions to each group.
Configure SSO login
To configure SSO login, go to the SSO Login page and set the following parameters:
| Parameter | Description |
|---|---|
| SP EntityId/Metadata | Link to the XML file which contains metadata and a unique service provider identifier. The file structure shows how and where you need to input your data. |
| Domains | Authentication domain(s). |
| IdP Entity Id | Unique identity provider identifier. |
| Name Id Format | Defines the name identifier formats supported by the identity provider. |
| SSO Service URL | Single sign-on endpoint. Sign-in can be initiated at the identity provider or service provider site. |
| Logout Service URL | Used by a partner to contact the Single Logout profile. Logout can be initiated at the identity provider or service provider site. |
| Certificate | An X.509 certificate that holds the corresponding public key along with metadata about the organization that issued the certificate. How you generate keys and certificates depends on your development platform and programming language. |
| Certificate Fingerprint | A digest of the certificate in binary X.509 (DER) format. The fingerprint type depends on the algorithm used to generate it. |
| Certificate Fingerprint Algorithm | Hash algorithm used to generate the certificate fingerprint: sha1, sha256, sha384, or sha512. |
| Email Attribute | SAML attribute used to pass the user email address. |
| First Name Attribute | SAML attribute used to pass the user first name. |
| Last Name Attribute | SAML attribute used to pass the user last name. |
| Groups Attribute | SAML attribute used to pass the assigned user groups. Leave the setting empty to apply default controller permissions to all users signed in via SSO. |
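The Certificate, Certificate Fingerprint and Certificate Fingerprint Algorithm parameters above fit together as follows: the PEM body base64-decodes to the DER-encoded X.509 certificate, and the fingerprint is simply the digest of that DER blob under the chosen hash algorithm. The script below is an added example (not Sumsub's code) that computes a fingerprint from a PEM string for any of the four listed algorithms and checks it against an expected value without leaking timing information. The certificate bytes are a constructed placeholder rather than a real certificate; the function names are the example's own.

```python
import base64
import hashlib
import hmac
import re
import textwrap

# The four fingerprint algorithms listed on the SSO Login page.
SUPPORTED_ALGORITHMS = ("sha1", "sha256", "sha384", "sha512")

# Constructed placeholder: these bytes stand in for the DER encoding of the IdP's
# signing certificate. A real PEM body base64-decodes to the DER certificate, and
# the fingerprint is the digest of exactly those bytes.
PLACEHOLDER_DER = bytes(range(256))
CONSTRUCTED_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + "\n".join(textwrap.wrap(base64.b64encode(PLACEHOLDER_DER).decode("ascii"), 64))
    + "\n-----END CERTIFICATE-----\n"
)

_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)


def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in a PEM string."""
    match = _PEM_BLOCK.search(pem)
    if not match:
        raise ValueError("no CERTIFICATE block found in PEM input")
    # validate=True rejects stray characters instead of silently skipping them.
    return base64.b64decode("".join(match.group(1).split()), validate=True)


def der_fingerprint(der: bytes, algorithm: str = "sha256") -> str:
    """Digest of the DER certificate, rendered as colon-separated upper-case hex."""
    algorithm = algorithm.lower()
    if algorithm not in SUPPORTED_ALGORITHMS:
        raise ValueError(f"unsupported fingerprint algorithm: {algorithm}")
    digest = hashlib.new(algorithm, der).digest()
    return ":".join(f"{byte:02X}" for byte in digest)


def pem_fingerprint(pem: str, algorithm: str = "sha256") -> str:
    """Fingerprint of the certificate contained in a PEM string."""
    return der_fingerprint(pem_to_der(pem), algorithm)


def fingerprint_matches(pem: str, expected: str, algorithm: str = "sha256") -> bool:
    """Compare an expected fingerprint with the certificate's, ignoring separators and case.

    The comparison is constant-time so that a mismatch does not reveal how many
    leading bytes were correct.
    """
    def normalise(fp: str) -> str:
        return re.sub(r"[^0-9a-f]", "", fp.lower())

    actual = normalise(pem_fingerprint(pem, algorithm))
    return hmac.compare_digest(actual, normalise(expected))


if __name__ == "__main__":
    for algo in SUPPORTED_ALGORITHMS:
        print(f"{algo:7} {pem_fingerprint(CONSTRUCTED_PEM, algo)}")
```

When an IdP rotates its signing certificate, the fingerprint configured on the Dashboard no longer matches and SSO sign-in fails; recompute it from the new certificate with the same algorithm that is configured in the Certificate Fingerprint Algorithm field.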
Set group settings
You can create several user groups signed in via SSO and apply an individual set of permissions to each of them.
To create a group:
1. At the bottom of the SSO Login page, click Add group.
2. Provide the group name as it is defined on the identity provider side.
3. Select a role.
4. Repeat steps 1-2 to create as many groups as you need and save your configuration once done.
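The attribute parameters (Email, First Name, Last Name and Groups Attribute) and the group rules above describe one pipeline: the IdP's assertion carries named attributes, the service provider maps them to an account record for JIT provisioning, and the Groups attribute selects a Dashboard role. The code below is an added example of that mapping, not Sumsub's implementation. The assertion, attribute names, group names and role names are all constructed; the rule that the first matching group rule wins, and that a user whose groups match no rule falls back to the default permissions, are this example's assumptions. Parsing uses the standard library only, and the assertion is assumed to have already passed signature verification against the configured IdP certificate before its attributes are read.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed Dashboard-side configuration mirroring the SSO Login parameters.
# Attribute names, group names and role names are hypothetical.
CONFIG = {
    "email_attribute": "email",
    "first_name_attribute": "firstName",
    "last_name_attribute": "lastName",
    "groups_attribute": "groups",        # "" => every SSO user gets the default role
    "default_role": "default-controller",
    # Group rules as an ordered list; the first rule matched by the user's groups
    # wins (this example's assumption, not documented Sumsub behaviour).
    "group_rules": [("kyc-admins", "admin"), ("kyc-agents", "agent")],
}

# Constructed assertion carrying only an attribute statement. A real assertion
# also has Subject, Conditions and an XML signature that must be verified against
# the configured IdP certificate before anything below is trusted.
CONSTRUCTED_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_placeholder">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>finance</saml:AttributeValue>
      <saml:AttributeValue>kyc-agents</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def extract_attributes(assertion_xml: str) -> dict:
    """Collect every <saml:Attribute> in the assertion as name -> list of values."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text.strip() for v in attr.iterfind("saml:AttributeValue", SAML_NS) if v.text]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def _single(attrs: dict, name: str, required: bool = True):
    """Fetch a single-valued attribute; multi-valued identity attributes are rejected."""
    values = attrs.get(name, [])
    if len(values) > 1:
        raise ValueError(f"attribute {name!r} must be single-valued, got {values}")
    if not values:
        if required:
            raise ValueError(f"required attribute {name!r} missing from assertion")
        return None
    return values[0]


def provision(attrs: dict, config: dict) -> dict:
    """Derive the JIT account record and Dashboard role from the mapped attributes."""
    account = {
        # Email is the account identifier, so JIT provisioning cannot proceed without it.
        "email": _single(attrs, config["email_attribute"]).lower(),
        "first_name": _single(attrs, config["first_name_attribute"], required=False),
        "last_name": _single(attrs, config["last_name_attribute"], required=False),
        "role": config["default_role"],
        "matched_group": None,
    }
    groups_attribute = config["groups_attribute"]
    if groups_attribute:  # an empty setting means default permissions for everyone
        user_groups = set(attrs.get(groups_attribute, []))
        for group_name, role in config["group_rules"]:
            if group_name in user_groups:
                account["role"] = role
                account["matched_group"] = group_name
                break
    return account


if __name__ == "__main__":
    print(provision(extract_attributes(CONSTRUCTED_ASSERTION), CONFIG))
```

Because the role is decided entirely by the group names the IdP sends, the group name entered in step 2 must match the IdP-side value exactly; a typo silently drops the user to the default permissions rather than producing an error.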
Log in with SSO
Once you have configured SSO login:
- Navigate to https://cockpit.sumsub.com and select Use Single sign-on (SSO).
- Provide your email address and complete SSO authentication.