Apty supports Single Sign-On(SSO) authentication, allowing users to access multiple applications with one set of login credentials.
Note:
When logging in to Apty Studio, use Login Using SSO option to login through SSO.
Apty supports three types of SSO Authentication:
- OAuth 2.0
- SAML 2.0
- OIDC
Enabling the SSO Authentication is a two-step process:
Step 1: Accessing the SSO Config
1. Log in to the Admin Portal.
2. Click System Settings in the left panel.
3. In the System Settings page, click the SSO Config tab.
4. Check the SSO Config box to enable SSO configuration for your system.
Step 2: Configuring the SSO Authentication
Configuring OAuth 2.0
OAuth 2.0 is an authorization protocol designed to allow users to give access to their resources hosted by a service provider, without giving away credentials. OAuth 2 offers authentication flows for mobile, desktop, and web applications.
To set up OAuth 2.0 in Apty:
1. Select OAuth 2.0 from the SSO CONFIG dropdown.
2. Provide the following details required to configure OAuth 2.0:
- HOST_NAME: Apty URI where the application is deployed. The SSO config hostname should match the present hostname. For example, https://companyname.apty.io
- APP_SCOPES: Requesting for the required details in success response from the Identity Provider. For example, openid, profile, offline_access, name, given_name, created_at, etc. For details refer to this source.
- CLIENT ID / CLIENT SECRET: Enable retrieval and revocation of OAuth 2.0 access tokens by providing app ID and app password.
- AUTH URL: String path to request an authorization code. Default to /oauth/authorize.
- TOKEN URL: String path to request an access token from Identity Provider. Default to /oauth/token.
- EMAIL_KEY: JSON key of the Authorization Success Response through which the Authorized User Email can be accessed.
3. Click Save.
Configuring SAML 2.0
SAML SSO transfers the user’s identity from one place (the identity provider) to another (the service provider). This is done through an exchange of digitally signed XML documents. For example, a user is logged into a system that acts as an identity provider. The user wants to log in to a remote application, such as a support or accounting application (the service provider). The following happens:
- The user accesses the remote application using a link on an intranet, a bookmark, or similar, and the application loads.
- The application identifies the user’s origin (by application subdomain, user IP address, or similar) and redirects the user back to the identity provider, asking for authentication. This is the authentication request.
- The user either has an existing active browser session with the identity provider or establishes one by logging into the identity provider.
- The identity provider builds the authentication response in the form of an XML document containing the user’s username or email address, signs it using an X.509 certificate, and posts this information to the service provider.
- The service provider, which already knows the identity provider and has a certificate fingerprint, retrieves the authentication response and validates it using the certificate fingerprint.
- The identity of the user is established and the user is provided with app access.
To set up SAML 2.0 in Apty:
1. Select SAML 2.0 from the SSO CONFIG dropdown.
2. Provide the following details required to configure SAML 2.0:
- HOST_NAME: It is the Apty URL where the application is deployed. For example, https://companyname.apty.io.
- ENTRY_POINT: It is the Identity Provider URI where the user will be redirected for authentication.
- EMAIL_KEY: It is the JSON key of the Authorization Success Response through which the Authorized User Email can be accessed.
3. Click Save.
Configuring OIDC
OIDC(OpenID Connect) is an open authentication protocol that works on top of the OAuth 2.0 framework, designed to protect browser-based applications, APIs, and mobile applications. OIDC is similar to OAuth where users give one application permission to access data in another application without having to provide their usernames and passwords. For example, there are currently two ways of creating a Spotify account. You can register with Spotify or you can sign on through Facebook. Facebook sends your name and email address to Spotify, which uses that information to authenticate you.
The purpose of OIDC is to provide users with one set of credentials to access multiple sites. Each time users sign on to an application or service using OIDC, they are redirected to their OP, where they authenticate and are then redirected back to the application or service.
To set up OIDC in Apty:
1. Select OIDC from the SSO CONFIG dropdown.
2. Provide the following details required to configure OIDC:
- HOST_NAME: It is the Apty URL where the application is deployed. For example, https://companyname.apty.io.
- APP_SCOPES: Requests the required details from the Identity Provider to authorize access to a user's details, like name and picture. Each scope returns a set of user attributes. For example, openid, profile, offline_access, name, given_name, created_at, etc. For details refer to this source.
- CLIENT ID / CLIENT SECRET: Enable retrieval and revocation of OIDC access tokens by providing app ID and app password.
- BASE URL: String path to request an authorization code. Default to /oidc/authorize.
- EMAIL_KEY: JSON key of the Authorization Success Response through which the Authorized User Email can be accessed.
3. Click Save.