Date: 2022-05-10

Single Sign-On (SSO)

ALTCHA Sentinel supports Single Sign-On (SSO) integration with multiple providers using OpenID Connect (OIDC) or LDAP protocols.

Note (Enterprise Feature): SSO capabilities are exclusively available with the Enterprise license plan.

Supported SSO Providers

OpenID Connect (OIDC)

The following OIDC providers are currently supported: Azure AD, Google Workspace, Keycloak, and Okta.

Configuration Requirements

All OIDC providers require:

clientId - Your application’s client identifier

clientSecret - Your application’s secret key

Obtain these credentials from your provider’s administration console before configuration.

Azure AD

SSO_AZURE=?clientId={clientId}&clientSecret={clientSecret}

Google Workspace

SSO_GOOGLE=?clientId={clientId}&clientSecret={clientSecret}

Keycloak

SSO_KEYCLOAK=https://your-keycloak-domain:8080/?realm={realm}&clientId={clientId}&clientSecret={clientSecret}

Okta

SSO_OKTA=https://{your-account}.okta.com/?clientId={clientId}&clientSecret={clientSecret}

LDAP/Active Directory

For LDAP-based authentication (including Active Directory):

SSO_LDAP=ldap://your-ldap-server:389?userDn=dc=your-domain,dc=com

Example configuration using a public test server:

SSO_LDAP=ldap://ldap.forumsys.com:389?userDn=dc=example,dc=com&name=SSO

Supported parameters:

userDn - supports the variable USERNAME, which will be replaced by the actual username

usernameAttribute - default: uid

userSearchBase - LDAP’s Search Base

name - the name displayed on the login screen

Disabling Password Login

To enhance security, it is recommended to disable built-in password login by setting the environment variable PASSWORD_LOGIN_ENABLED=0. This restricts authentication to configured Single Sign-On (SSO) options only.
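
As an added example (not part of ALTCHA Sentinel or its documentation), the following Python lint checks a deployment's environment against the settings on this page: required OIDC parameters, template placeholders left unreplaced, non-https provider URLs, the public test LDAP server, and PASSWORD_LOGIN_ENABLED. The function name, the sample values, and the treatment of an unset PASSWORD_LOGIN_ENABLED as "enabled" are assumptions.

```python
"""Pre-deployment lint for ALTCHA Sentinel SSO environment variables (added example)."""
import re
from urllib.parse import urlsplit, parse_qs

OIDC_VARS = ("SSO_AZURE", "SSO_GOOGLE", "SSO_KEYCLOAK", "SSO_OKTA")
URL_BASED = ("SSO_KEYCLOAK", "SSO_OKTA")   # templates on the page start with https://
PLACEHOLDER = re.compile(r"\{[^{}]*\}")    # e.g. {clientId} left unreplaced


def lint_sso_env(env):
    """Return a sorted list of (variable, finding) tuples for an env mapping."""
    findings = []
    configured = [k for k in (*OIDC_VARS, "SSO_LDAP") if env.get(k)]
    for name in configured:
        value = env[name]
        parts = urlsplit(value)
        params = parse_qs(parts.query, keep_blank_values=True)
        if PLACEHOLDER.search(value):
            findings.append((name, "unreplaced {placeholder} in value"))
        if name in OIDC_VARS:
            for key in ("clientId", "clientSecret"):
                if not params.get(key, [""])[0]:
                    findings.append((name, f"missing required parameter {key}"))
        if name in URL_BASED and parts.scheme != "https":
            findings.append((name, "provider URL is not https"))
        if name == "SSO_LDAP" and parts.hostname == "ldap.forumsys.com":
            findings.append((name, "points at the public test server"))
    # Assumption: any value other than "0" (including unset) leaves password login on.
    if configured and env.get("PASSWORD_LOGIN_ENABLED") != "0":
        findings.append(("PASSWORD_LOGIN_ENABLED",
                         "password login still enabled alongside SSO"))
    return sorted(findings)


# Constructed sample environment; none of these values are real credentials.
SAMPLE_ENV = {
    "SSO_GOOGLE": "?clientId=abc123&clientSecret={clientSecret}",
    "SSO_KEYCLOAK": "http://keycloak.internal.example:8080/?realm=staff&clientId=sentinel",
    "SSO_LDAP": "ldap://ldap.forumsys.com:389?userDn=dc=example,dc=com&name=SSO",
}

if __name__ == "__main__":
    for var, finding in lint_sso_env(SAMPLE_ENV):
        print(f"{var}: {finding}")
```
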

Support

For assistance with SSO configuration or troubleshooting, please contact support.