
SSO configuration


Automatically translated

As the owner or admin of your organization, you can configure an identity provider (IdP) for your DeepCloud organization. Once SSO is configured, all users who log in with the verified domain must log in via this IdP.

Requirements
The requirements for the SSO configuration are:

  • Domain verification is active
  • At least the Large subscription
  • The IdP can be connected via OpenID Connect
  • For every user, the “email” attribute in the IdP configuration must contain the email address that the user uses to log in to the DeepBox.

Domain verification must be carried out before the SSO configuration.

How to configure domain verification is described in this article.


SSO configuration DeepCloud

  1. Go to DeepAdmin > Organisation and click on “Edit” under “Domain Verification / SSO Configuration”. The “Domain Verification / SSO Configuration” dialog is displayed.
  2. In the newly opened dialog, click on “SSO configuration”.
  3. Fill in the values according to your IdP:
    – Client ID
    – Secret client key
    – OpenID configuration URL
  4. Add the designated redirect URL to the app integration of your IdP
  5. Check the “Activate SSO” box and click “Save”.


NOTE!
As soon as the SSO configuration is activated, the users of the corresponding domain can only log in to the DeepBox via this SSO configuration.
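
Because activation makes SSO the only login path for the domain, it is worth checking the IdP's metadata document and a test ID token before ticking “Activate SSO”. The following sketch is an added example, not DeepCloud code: `preflight`, `decode_claims`, `sample_token`, the `idp.example.com` issuer and all sample values are assumptions, and it presumes you have already fetched the JSON behind the OpenID configuration URL and obtained an ID token from a test sign-in.

```python
import base64
import json

# Metadata fields an OIDC client needs from the OpenID configuration document.
REQUIRED_METADATA = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def decode_claims(id_token):
    """Decode a JWT payload for inspection only; the signature is NOT verified."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def preflight(metadata, id_token, login_email, verified_domain):
    """Return findings as 'ERROR: ...' / 'WARN: ...' strings; no ERROR means ready."""
    findings = []
    for key in REQUIRED_METADATA:
        if not str(metadata.get(key, "")).startswith("https://"):
            findings.append(f"ERROR: metadata '{key}' missing or not https")
    claims = decode_claims(id_token)
    # OIDC: token 'iss' must equal the metadata issuer (assumes a single-tenant issuer).
    if claims.get("iss") != metadata.get("issuer"):
        findings.append("ERROR: token 'iss' does not match metadata issuer")
    email = str(claims.get("email") or "").strip().lower()  # assumption: case-insensitive match
    if not email:
        findings.append("ERROR: 'email' claim is empty")
    elif email != login_email.strip().lower():
        findings.append("ERROR: 'email' claim differs from the DeepBox login address")
    elif not email.endswith("@" + verified_domain.lower()):
        findings.append("ERROR: 'email' claim is outside the verified domain")
    for claim in ("given_name", "family_name"):  # optional claims named on this page
        if not claims.get(claim):
            findings.append(f"WARN: '{claim}' not in ID token; it will not update at login")
    return findings


def sample_token(claims):
    """Build an unsigned, constructed test token (header.payload.signature)."""
    b64 = [base64.urlsafe_b64encode(json.dumps(p).encode()).rstrip(b"=").decode()
           for p in ({"alg": "none"}, claims)]
    return ".".join(b64 + ["constructed"])

# Constructed sample data; idp.example.com and example.com are placeholders.
ISSUER = "https://idp.example.com/oauth2/default"
METADATA = {"issuer": ISSUER, "authorization_endpoint": ISSUER + "/v1/authorize",
            "token_endpoint": ISSUER + "/v1/token", "jwks_uri": ISSUER + "/v1/keys"}
GOOD = sample_token({"iss": ISSUER, "email": "Anna.Muster@example.com",
                     "given_name": "Anna", "family_name": "Muster"})
NO_EMAIL = sample_token({"iss": ISSUER, "given_name": "Anna"})
```

Run `preflight(METADATA, token, login_email, verified_domain)` for a few representative users; any `ERROR` line points to a user who would be unable to log in once SSO is active.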


Set up SSO configuration in Microsoft Entra ID

  1. Search for the app registrations in the Azure portal
    Go to the Azure portal and navigate to Azure Active Directory > Microsoft Entra ID > App registrations.
  2. Click on “New registration”
    a. Give the app integration a suitable name, e.g. “DeepCloud” (this will be displayed to users when they initially log in)
    b. Define which users have access to the web app integration. (Recommendation: All users of the organization have access)
    c. Insert the redirect URL from the DeepCloud SSO configuration as redirect URI
    d. Finish
  3. Now copy the Application (client) ID into the DeepCloud SSO configuration
  4. Create a new client secret and copy the secret into the DeepCloud SSO configuration
    a. Navigate to Certificates & secrets
    b. Add a new client secret
      i. Enter a suitable description
      ii. Select the validity period
      iii. Finish
    c. Copy the value of the secret into the DeepCloud SSO configuration (ATTENTION: The secret value is only displayed right after creation; after that it can no longer be viewed)
  5. The OpenID configuration URL can be found in Entra ID under Endpoints > OpenID Connect metadata document

Optional: In order for the user information to be updated at login (e.g. name change on marriage), this information must be added to the ID token.

  1. Add claims for the ID token
    a. Navigate to Token configuration
    b. Add the following claims to the ID token via “Add optional claim”: email, family_name, given_name
  2. Extend the permissions of the Graph API
    a. Once the claims have been added, the required Microsoft Graph permissions (email, profile) can be added directly.



Set up SSO configuration in OKTA

  1. Navigate to the applications in the Okta Admin Dashboard
    Go to the Okta Admin Dashboard and navigate to Applications > Applications.
  2. Click on “Create App Integration”
    a. Select “OIDC – OpenID Connect” as the sign-in method
    b. Select “Web Application” as the application type
    c. Give the app integration a suitable name, e.g. “DeepCloud” (this will be displayed to users when they log in)
    d. Insert the redirect URL from the DeepCloud SSO configuration as the sign-in redirect URI
    e. Define which users have access to the web app integration. (Recommendation: All users of the organization have access)
    f. Finish
  3. Now copy the client ID and the client secret into the DeepCloud SSO configuration
  4. You can find the OpenID configuration URL in Okta under Security > API.
  5. Select the Authorization Server that you want to use for the DeepCloud application (normally this is “Default”) and open its settings
    a. The Metadata URI is specified under Settings. Copy it into the DeepCloud SSO configuration



Deactivating the SSO configuration

The SSO configuration can only be deactivated by sending an email to support[at]deepcloud.swiss.
