Single Sign-On / RBAC
Learn how to integrate your Identity Provider (IdP) using OIDC (OpenID Connect) or SAML (Security Assertion Markup Language).
Single Sign-On (SSO) streamlines authentication for your team and strengthens security. Sedai supports two common IdP configurations: OIDC (OpenID Connect) and SAML (Security Assertion Markup Language). We recommend OIDC if both options are available.
Your IdP must pass role information during the login process. It must also send basic user information (such as full name and email address) so that the user can be identified.
Sedai provides role-based and group-based access. Role-based access applies to all resources within a workspace, while group-based access applies to a selected set of resources. A role-based Admin can manage roles from Admin > Access Control.
Role-based access applies to all resources in the workspace. Each team member in a workspace must be assigned exactly one of the following roles:
Admin
Can access all resources, features, integrations, and settings
User
Can execute recommendations for all resources but cannot manage any settings
Viewer
Can explore recommendations and activity for resources but cannot execute any recommendations
None
Cannot view any resources in your workspace unless group access is defined
Group-based access applies to a selected set of resources in a workspace. Each team member can optionally be assigned any combination of the following roles:
Admin
Can manage settings and execute recommendations for resources in select groups
User
Can execute recommendations for resources in select groups
Viewer
Can explore recommendations and activity for resources in select groups but cannot execute any recommendations
A team member cannot be assigned group-based access with lower permissions than their role-based role. For example, a team member who is a role-based Admin cannot be a group-based User.
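The access model above has a rule that is easy to get wrong when assignments are scripted: a group-based role may never rank below the member's role-based role, and only User and Admin may execute recommendations. The following is an added example (not Sedai's code or API) that encodes the role names and ordering from this page as a checker; the function names, the rank table, and the sample assignments are this example's own assumptions, and the reading that a member's effective role on a grouped resource is the higher of the two roles follows from the rule that group roles cannot be lower.

```python
"""Added example (not Sedai's code): a checker for the access model above.
Role names come from the page; the functions and sample data are constructed."""

# Rank the role-based roles so "lower permissions" has a precise meaning.
ROLE_RANK = {"None": 0, "Viewer": 1, "User": 2, "Admin": 3}

# Group-based access has no "None" level: a member either holds a role in a
# group or is simply not assigned to that group.
GROUP_ROLES = {"Viewer", "User", "Admin"}


def validate_assignments(workspace_role, group_roles):
    """Return a list of violations for one team member ([] means valid).

    workspace_role: the member's single role-based role.
    group_roles:    mapping of group name -> group-based role (constructed).
    A group role may not rank below the workspace role, and every role name
    must be one the page defines.
    """
    if workspace_role not in ROLE_RANK:
        return [f"unknown workspace role {workspace_role!r}"]
    problems = []
    for group, role in sorted(group_roles.items()):
        if role not in GROUP_ROLES:
            problems.append(f"group {group!r}: {role!r} is not a group-based role")
        elif ROLE_RANK[role] < ROLE_RANK[workspace_role]:
            problems.append(
                f"group {group!r}: {role} is below the workspace role {workspace_role}"
            )
    return problems


def effective_role(workspace_role, group_roles, group=None):
    """Role that applies to a resource: the group role if the resource sits in
    a group the member is assigned to, otherwise the workspace role. Because
    group roles may not rank below the workspace role, this is the higher one."""
    candidates = [workspace_role]
    if group is not None and group in group_roles:
        candidates.append(group_roles[group])
    return max(candidates, key=ROLE_RANK.__getitem__)


def can_execute(workspace_role, group_roles, group=None):
    """Only User and Admin may execute recommendations; Viewer explores only."""
    role = effective_role(workspace_role, group_roles, group)
    return ROLE_RANK[role] >= ROLE_RANK["User"]


if __name__ == "__main__":
    # Constructed sample: a role-based Viewer who is Admin of the "payments" group.
    member = ("Viewer", {"payments": "Admin"})
    print(validate_assignments(*member))              # []
    print(effective_role(*member, group="payments"))   # Admin
    print(can_execute(*member, group="billing"))       # False
    # Constructed invalid sample: role-based Admin demoted to User in one group.
    print(validate_assignments("Admin", {"payments": "User"}))
```

Running the checker over every member before pushing assignments to the IdP catches the documented conflict (a role-based Admin with a group-based User role) as a plain error message instead of a silent permission surprise later.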
The following information is required from your OIDC Identity Provider:
Discovery URI
Allows Sedai to dynamically discover the configuration details of your IdP (typically https://your-oidc-idp.com/.well-known/openid-configuration)
Client ID & Secret
Establishes a secure connection between Sedai and your OIDC IdP
Roles Mapping
Attribute for Role Name
After our team receives this information, we will provide Callback URLs for you to register with your OIDC IdP. Sedai receives authentication callbacks at these URLs, so they must be configured in the IdP to handle its responses after user authentication.
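Before sending the OIDC details to Sedai it is worth confirming that the Discovery URI really describes the issuer you expect and that the role attribute and mapping resolve cleanly. The following is an added example (not Sedai's code or API): it checks a discovery document against the OIDC Discovery rule that the issuer must equal the Discovery URI minus its /.well-known/openid-configuration suffix, reads the configured Attribute for Role Name from an already-verified ID token claim set, and applies a Roles Mapping. The discovery document, claim set, and mapping values are constructed samples; the placeholder hostname is the one from the page, and signature verification of the token is assumed to have happened elsewhere.

```python
"""Added example (not Sedai's code): pre-flight checks on the OIDC inputs
listed above. All sample data is constructed; the host is the page's placeholder."""
import json
from urllib.parse import urlparse

WELL_KNOWN = "/.well-known/openid-configuration"
REQUIRED_KEYS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")

# Constructed stand-in for what the Discovery URI would return.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://your-oidc-idp.com",
    "authorization_endpoint": "https://your-oidc-idp.com/authorize",
    "token_endpoint": "https://your-oidc-idp.com/oauth/token",
    "jwks_uri": "https://your-oidc-idp.com/.well-known/jwks.json",
    "response_types_supported": ["code", "id_token"],
    "id_token_signing_alg_values_supported": ["RS256"],
})

# Hypothetical Roles Mapping: values your IdP emits in the role attribute
# (left) mapped to Sedai's roles (right).
SAMPLE_ROLE_MAPPING = {"SedaiAdmin": "Admin", "SedaiUser": "User", "SedaiViewer": "Viewer"}


def check_discovery(discovery_uri, body):
    """Return the problems found in a discovery document; [] means usable."""
    problems = []
    if discovery_uri.endswith(WELL_KNOWN):
        expected_issuer = discovery_uri[: -len(WELL_KNOWN)]
    else:
        problems.append("discovery URI should end with " + WELL_KNOWN)
        expected_issuer = discovery_uri
    try:
        doc = json.loads(body)
    except ValueError:
        return problems + ["discovery body is not valid JSON"]
    for key in REQUIRED_KEYS:
        if key not in doc:
            problems.append(f"missing {key}")
        elif urlparse(doc[key]).scheme != "https":
            problems.append(f"{key} is not https")
    # OIDC Discovery requires issuer == discovery URI without the well-known
    # suffix; a mismatch means tokens come from a different party than configured.
    if doc.get("issuer", "").rstrip("/") != expected_issuer.rstrip("/"):
        problems.append(f"issuer {doc.get('issuer')!r} does not match the discovery URI")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow (response_type=code) is not advertised")
    return problems


def roles_from_claims(claims, role_attribute):
    """Read the configured Attribute for Role Name from a verified claim set.
    IdPs send it either as a string or as a list of strings; both become a list."""
    value = claims.get(role_attribute)
    if value is None:
        return []
    if isinstance(value, str):
        return [value]
    if isinstance(value, list) and all(isinstance(v, str) for v in value):
        return value
    raise ValueError(f"attribute {role_attribute!r} is not a string or list of strings")


def sedai_role(idp_roles, mapping):
    """Apply the Roles Mapping. Unmapped names are ignored; more than one mapped
    role is reported as a misconfiguration instead of silently picking one."""
    mapped = {mapping[name] for name in idp_roles if name in mapping}
    if len(mapped) > 1:
        raise ValueError(f"ambiguous role assignment: {sorted(mapped)}")
    return mapped.pop() if mapped else "None"


if __name__ == "__main__":
    uri = "https://your-oidc-idp.com" + WELL_KNOWN
    print(check_discovery(uri, SAMPLE_DISCOVERY))  # []
    # Constructed claim set as a verified ID token might carry it.
    claims = {"sub": "u123", "email": "jane@example.com", "groups": ["SedaiUser", "Everyone"]}
    print(sedai_role(roles_from_claims(claims, "groups"), SAMPLE_ROLE_MAPPING))  # User
```

The ambiguity check in sedai_role is deliberate: a member must hold exactly one role-based role, so an IdP that sends two mapped names is a configuration error to surface, not something to resolve by picking the higher one.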
The following information is required from your SAML provider:
SAML Identity Provider Metadata XML
Roles Mapping
Attribute for Role Name
After Sedai receives this information, a team member will provide Sedai's Service Provider Metadata for you to update your SAML IdP.
When adding applications in Okta for SAML, you will need to provide the following details to your Sedai support contact:
Application ACS URL
https://<your-domain>.sedai.app/api/saml2/sp?client_name=Sedai-<your-domain>-SSO
Application SAML Audience
Sedai-<your-domain>-SSO
SSO URL
https://<your-domain>.sedai.app/overview
Name ID Format
urn:oasis:names:tc:SAML:2.0:nameid-format:transient
urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
Roles Mapping (OIDC)
Maps role names used within your OIDC IdP to Sedai's roles
Attribute for Role Name (OIDC)
Indicates the specific attribute in your OIDC IdP that holds the role information during the authentication handshake. This attribute should contain the role details corresponding to Sedai's roles.
SAML Identity Provider Metadata XML
Initiates the SAML integration with Sedai by describing your SAML Identity Provider
Roles Mapping (SAML)
Maps role names used within your SAML Identity Provider to Sedai's roles (SedaiViewer, SedaiUser, SedaiAdmin)
Attribute for Role Name (SAML)
Indicates the specific attribute in your SAML Identity Provider that holds role information during the authentication handshake. This attribute should contain the role details corresponding to Sedai's roles.