You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: src/segment-app/iam/sso.md
+22-20Lines changed: 22 additions & 20 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -2,15 +2,15 @@
2
2
title: "Single Sign On team management"
3
3
---
4
4
5
-
Segment supports Single Sign On for Business Tier accounts. You can use any SAML-based Identity Provider (IDP), for example Okta, Bitium, OneLogin, or Centrify, or use GSuite to serve as your identity provider, delegating access to the application based on rules you create in your central identity management solution.
5
+
Segment supports Single Sign On for Business Tier accounts. You can use any SAML-based Identity Provider (IdP), for example Okta, Bitium, OneLogin, or Centrify, or use GSuite to serve as your identity provider, delegating access to the application based on rules you create in your central identity management solution.
6
6
7
-
With SSO, you have centralized control over your users' ability to authenticate or not in your IDP, and can also enforce rules like two-factor authentication or password rotation at the IDP level.
7
+
With SSO, you have centralized control over your users' ability to authenticate or not in your IdP, and can also enforce rules like two-factor authentication or password rotation at the IdP level.
8
8
9
-
You can configure as many IDP connections to your workspace as needed to support IDP-initiated authentication. This allows seamless migration from one system to a new one, for example if your organization switches IDP vendors or switches from GSuite to a dedicated SAML IDP like Okta or OneLogin.
9
+
You can configure as many IdP connections to your workspace as needed to support IdP-initiated authentication. This allows seamless migration from one system to a new one, for example if your organization switches IdP vendors or switches from GSuite to a dedicated SAML IdP like Okta or OneLogin.
10
10
11
11
To enable SSO-based login from the Segment login page (app.segment.com/login), you must first verify that you own the domain, and connect it to your organization's Segment account. Once you have done that, SSO users from your domain can use the Segment login page to access your default Segment workspace.
12
12
13
-
The Segment login page can only be connected to one workspace. To use your IDP with multiple workspaces, you will have to initiate login to the other workspaces from the IDP instead of through the login portal.
13
+
The Segment login page can only be connected to one workspace. To use your IdP with multiple workspaces, you will have to initiate login to the other workspaces from the IdP instead of through the login portal.
14
14
15
15
## Set up — SAML
16
16
@@ -22,9 +22,11 @@ To get started, go to your workspace settings and choose the "Connections" tab u
22
22
23
23
24
24
25
-
## Prepare your IDP for the connection.
25
+
## Prepare your IdP for the connection.
26
26
27
-
To get started, you'll need to create an application in your IDP. We're in the process of rolling out officially supported apps with the most popular IDPs, but in the meantime you can create a custom SAML-based application.
27
+
Segment officially supports apps for Okta, Azure AD, and OneLogin. Next, find Segment in your IdP's app catalog, and follow the set up instructions they provide.
28
+
29
+
If you're using a different IdP, you must create a custom SAML-based application.
28
30
29
31
Your provider will ask you for a few things from Segment, which we provide in the set up flow:
30
32
@@ -34,37 +36,37 @@ Your provider will ask you for a few things from Segment, which we provide in th
34
36
35
37
- For GSuite configurations, make sure the `Start URL` field in Service Provider Details is left blank.
36
38
37
-
- Different IDPs have different names for the Audience URL. Some call it "Audience URI", some call it "Entity ID", some call it "Service Provider Entity ID." It's likely there are only two required fields without correct defaults, and they correspond to the `SSO URL` and `Audience URL` values above.
39
+
- Different IdPs have different names for the Audience URL. Some call it "Audience URI", some call it "Entity ID", some call it "Service Provider Entity ID." It's likely there are only two required fields without correct defaults, and they correspond to the `SSO URL` and `Audience URL` values above.
38
40
39
-
- In all IDPs we've worked with, the default `NameID` option is the correct one. Make sure it's using the `emailAddress` schema.
41
+
- In all IdPs we've worked with, the default `NameID` option is the correct one. Make sure it's using the `emailAddress` schema.
40
42
41
-
- In all IDPs we've worked with, the default connection encryption options are the correct ones. (Signed Response & Assertion Signature with SHA256, Unencrypted Assertions).
43
+
- In all IdPs we've worked with, the default connection encryption options are the correct ones. (Signed Response & Assertion Signature with SHA256, Unencrypted Assertions).
42
44
43
-
- Different IDPs store records of your employees differently. The only attribute mapping we require is to make sure you're sending `email` . In Okta this is at `user.email`. In Duo this is `mail`.
45
+
- Different IdPs store records of your employees differently. The only attribute mapping we require is to make sure you're sending `email` . In Okta this is at `user.email`. In Duo this is `mail`.
44
46
45
-
- Make sure you've enabled "send all attributes" (not just NameID) if applicable for your IDP.
47
+
- Make sure you've enabled "send all attributes" (not just NameID) if applicable for your IdP.
46
48
47
49
- No `RelayState` is required. This is also sometimes called `Target`.
48
50
49
-
Once you create the application in your IDP, you can come back to Segment and click "Next".
51
+
Once you create the application in your IdP, you can come back to Segment and click "Next".
50
52
51
-
## Configure Segment to Talk to Your IDP.
53
+
## Configure Segment to Talk to Your IdP.
52
54
53
-
Your IDP provides a URL and x.509 certificate. Copy them into their respective fields in Segment.
55
+
Your IdP provides a URL and x.509 certificate. Copy them into their respective fields in Segment.
54
56
55
57
56
58
57
59
Then, click "Configure Connection."
58
60
59
61
You're all set!
60
62
61
-
## Test your connection with IDP-initiated SSO.
63
+
## Test your connection with IdP-initiated SSO.
62
64
63
65
Back at the connections page, make sure your connection is enabled with the switch on the right.
64
66
65
67
66
68
67
-
You can now test using IDP-initiated SSO (by clicking login to Segment from within your IDP) is working correctly. If not, double check the IDP configuration gotchas section above.
69
+
You can now test using IdP-initiated SSO (by clicking login to Segment from within your IdP) is working correctly. If not, double check the IdP configuration gotchas section above.
68
70
69
71
## Set up — GSuite
70
72
@@ -91,17 +93,17 @@ Enter your domain and click "Add Domain." When you click verify, you're given tw
91
93
92
94
##### Do you support automatic user provisioning?
93
95
94
-
Segment supports "just in time" user permissioning; new users who authenticate using your IDP are automatically created in Segment as minimal-access (read-only) members.
96
+
Segment supports "just in time" user permissioning; new users who authenticate using your IdP are automatically created in Segment as minimal-access (read-only) members.
95
97
96
-
If the user already exists in Segment then Segment associates the IDP-identity with the existing Segment user account.
98
+
If the user already exists in Segment then Segment associates the IdP-identity with the existing Segment user account.
97
99
98
100
##### Do you support automatic user de-provisioning?
99
101
100
-
No. However, since any non-owners must log in with SSO to access your workspace, once you remove their authorization in your IDP they will no longer be able to access your workspace.
102
+
No. However, since any non-owners must log in with SSO to access your workspace, once you remove their authorization in your IdP they will no longer be able to access your workspace.
101
103
102
104
##### Will my users lose access to their other workspaces when I enable SSO?
103
105
104
-
Segment allows users to own their own workspaces. While your IDP authentication will ensure that any non-owners must have logged in with SSO to access _your workspace_, they can still log into Segment with username and password to access their own workspaces.
106
+
Segment allows users to own their own workspaces. While your IdP authentication will ensure that any non-owners must have logged in with SSO to access _your workspace_, they can still log into Segment with username and password to access their own workspaces.
105
107
106
108
##### Can I still invite people outside the organization?
0 commit comments