# Single Sign-On / RBAC {% hint style="info" %} SSO setup requires custom integration. Contact **** for help. {% endhint %} Single Sign-on (SSO) streamlines the authentication process for your team and enhances security. Sedai supports two common IdP configurations: [OIDC](#oidc-integration) (OpenID Connect) and [SAML](#saml-integration) (Security Assertion Markup Language). We recommend using OIDC if both options are available. ### IdP Requirements and Sedai Roles Your IdP must pass role information during the login process. In addition, basic user information (such as full name and email address), should be transmitted for user identification. Sedai provides role-based and group-based access. Role-based access provides access to all resources within a workspace, while group-based access provides access to select [groups](https://docs.sedai.io/get-started/platform/settings/groups) of resources. Role-based Admin can manage roles from Admin > Access Control. #### Role-based Access Role-based access provides access to all resources in the workspace. Each team member in a workspace must be assigned one (and only one) of the following:
Role-based AccessPermissions
AdminCan access all resources, features, integrations, and settings
UserCan execute recommendations for all resources but cannot manage any settings
ViewerCan explore recommendations and activity for resources but cannot execute any recommendations
NoneCannot view any resources in your workspace, unless group access is defined
#### Group-based Access Group-based access provides access to select [groups](https://docs.sedai.io/get-started/platform/settings/groups) of resources in a workspace. Each team member can optionally be assigned any combination of the following roles:
Group-based AccessPermissions
AdminCan manage settings and execute recommendations for resources in select groups
UserCan execute recommendations for resources in select groups
ViewerCan explore recommendations and activity for resources in select groups but cannot execute any recommendations
{% hint style="warning" %} A team member cannot be assigned group-based access with lower permissions than their role-based role. For example, a team member cannot be assigned a Role-based Admin but a Group-based User. {% endhint %} *** ## OIDC Integration The following information is required from your OIDC Identity Provider:
RequirementPurpose
Discover URIAllows Sedai to dynamically discover configuration details of your IdP (typically formatted as https://your-oidc-idp.com/.well-known/openid-configuration)
Client ID & SecretEstablishes secure connection between Sedai and your OIDC IdP
Roles MappingMaps role names used within your OIDC IdP to Sedai's roles
Attribute for Role NameIndicates specific attribute in your OIDC IdP that holds the role information during the authentication handshake. This attribute should contain the role details corresponding to Sedai's roles.
After our team receives this information, we will provide **Callback URLs** for you to update your OIDC IdP. Sedai uses the URLs to send authentication callbacks. These should be configured to handle responses from the IdP after user authentication. *** ## SAML Integration The following information is required from your SAML provider:
RequirementPurpose
SAML Identity Provider Metadata XMLInitiates the SAML integration with Sedai by describing your SAML Identity Provider (see example)
Roles MappingMaps role names used within your SAML Identity Provider to Sedai's roles (SedaiViewer, SedaiUser, SedaiAdmin)
Attribute for Role NameIndicates the specific attribute in your SAML Identity Provider that holds role information during the authentication handshake. This attribute should contain the role details corresponding to Sedai's roles.
After Sedai receives this information, a team members will provide **Sedai's Service Provider Metadata** for you to update your SAML IdP. {% hint style="info" %} Some SAML providers may allow the use of Service Provider certificate data directly, which is available within the metadata. {% endhint %} #### Okta SAML 2.0 Configuration When adding applications in Okta for SAML, you will need to provide the following details to your Sedai support contact:
RequirementExample
Application ACS URLhttps://<your-domain>.sedai.app/api/saml2/sp?client_name=Sedai-<your-domain>-SSO
Application SAML AudienceSedai-<your-domain>-SSO
SSO URLhttps://<your-domain>.sedai.app/overview
Name ID Format

urn:oasis:names:tc:SAML:2.0:nameid-format:transient

urn:oasis:names:tc:SAML:2.0:nameid-format:persistent

urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified

How to create managed application in AWS IAM Identity Center 1. From the AWS IAM Identity Center, click on **Applications** -> **Add Application** and select **I have an application I want to set up**. Choose **SAML 2.0** Application Type. 2. Enter Display Name and Description (such as "Sedai" and "Autonomous Cloud Management System"). 3. Copy the SAML metadata file URL from the IAM Identity Center metadata section (this URL will be required for loading the IdP Metadata in Sedai; please copy and send to the Sedai team). 4. Under Application Properties, populate the Application Start URL as `https://.sedai.app`. Leave the rest of the fields in the default state. 5. Populate the Application Metadata details: * **Application ACS URL**: `https://.sedai.app/api/saml2/sp?client_name=Sedai-` * **Application SAML Audience**: `Sedai-` 6. Click **Submit**. 7. Once the application is created, go to the application home page and click **Action** -> **Edit Attribute Mapping**. 8. Populate the attributes as shown in the screenshot below: 9. Under the Assigned Users and Groups, add the three groups created in the previous step for this application: SedaiAdmin, SedaiUser, SedaiViewer. 10. Send your Sedai support contact the **SAML metadata file URL** from the IAM Identity Center metadata section and the group IDs for the corresponding Sedai roles.