SSO for an organization is enabled and configured via the Spotinst Console.
This article covers the basic properties of setting up SSO for the organization.
Supported Identity Providers
Okta SAML, OneLogin SAML, ADFS SAML, Bitium SAML as well as additional Custom SAML.
Please note: to configure your SSO tool properly, use the articles at the following link: Spotinst - SSO configuration
Managing SAML-based single sign-on via the Spotinst console
To manage SSO configurations, follow these steps:
- Log in to your Spotinst account as an administrator: Spotinst console
- Click the user icon and select "Settings".
- Click the "SECURITY" tab at the top, then select "Identity Providers".
SSO settings page
Relay state - The Organization ID. Used as the RelayState value configured on the identity provider (used in IdP-initiated SSO).
Provider type - Currently the only supported standard is SAML (Security Assertion Markup Language).
Metadata - Data provided by the identity provider so that Spotinst can sync its settings properly.
- For further information, check the following link - Spotinst - SSO configuration - and choose the relevant article for your IdP vendor.
User Default Organization Role - The role given to users who log in via the identity provider (Viewer/Editor).
For further information regarding user roles, check the following link: Spotinst - user roles
User Allowed Accounts - The accounts the user will have access to (default account / all accounts).
For further information regarding accounts, check the following link: Organizations and accounts
Organization and Role selection
When you want to assign different user roles per account, the user can choose the organization and role to sign in with when signing in through SSO.
Configure the IdP to include an attribute named "OrgAndRole" in the SAML response.
This configuration adds another screen that lets the user choose an organization and role:
The organization and role combination should be configured for each user, using the following IdP attribute format:
<Attribute Name="OrgAndRole" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
  <AttributeValue>Spotinst-<orgid>-<role></AttributeValue>
</Attribute>
Advanced - Overriding Role and Organization attributes via SAML Attribute
A SAML response attribute named "OrgAndRole" (the name match ignores case). This attribute allows setting the organization ID dynamically on each request, instead of once via the RelayState. The value has the format: Spotinst-<orgid>-<role>.
This attribute allows logging in to different organizations with the same user and the same IdP application, with the organization ID set dynamically.
If OrgAndRole is present, it overrides the RelayState and the Role (if Role is provided as a separate attribute).
OrgAndRole attribute and attribute value are case sensitive.
If a user logs in through SSO with a Role attribute, the role of that user is set accordingly,
which means that these settings affect both existing users and new users.
For example, as an XML attribute:
<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="Role">
  <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">ADMIN</saml:AttributeValue>
</saml:Attribute>
Supported Role attributes:
ADMIN - Equivalent to Account Editor
VIEWER - Account viewer
NO_ACCESS - No access to Spotinst console
Note that in this case we are assigning an Account Admin role, meaning an account Editor; this is not an Organization Admin.
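As an added example (not Spotinst's code, and not the IdP's), the following Python shows how a service provider could read the Role and OrgAndRole attributes described above from an assertion's AttributeStatement and apply the precedence stated on this page: OrgAndRole overrides both RelayState and Role, and Role overrides the default organization role. It assumes the role names inside OrgAndRole are the same set listed for Role, that the org ID contains no hyphen, and that names and values are compared exactly; the assertion and org ID are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET
SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUPPORTED_ROLES = {"ADMIN", "VIEWER", "NO_ACCESS"}  # page's Role values; assumed same set in OrgAndRole
# Value format from the page: Spotinst-<orgid>-<role>; assumption: the org id contains no hyphen.
ORG_AND_ROLE_RE = re.compile(r"^Spotinst-(?P<org>[^-]+)-(?P<role>[A-Z_]+)$")
# Constructed sample (not a real IdP or Spotinst response); EXAMPLEORGID is a placeholder.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="Role">
      <saml:AttributeValue>VIEWER</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="OrgAndRole">
      <saml:AttributeValue>Spotinst-EXAMPLEORGID-ADMIN</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def saml_attributes(assertion_xml):
    """Map attribute Name -> list of values; names and values are compared case-sensitively."""
    attrs = {}
    for attr in ET.fromstring(assertion_xml).iterfind(".//saml:Attribute", SAML_NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", SAML_NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def single_value(attrs, name):
    """One value or None; a multi-valued Role/OrgAndRole is ambiguous and is refused."""
    values = attrs.get(name, [])
    if len(values) > 1:
        raise ValueError(f"attribute {name} must carry exactly one value, got {len(values)}")
    return values[0] if values else None


def resolve_login(assertion_xml, relay_state_org, default_role):
    """Page precedence: OrgAndRole > RelayState/Role > default role; malformed values are rejected."""
    attrs = saml_attributes(assertion_xml)
    org, role = relay_state_org, default_role
    role_value = single_value(attrs, "Role")
    if role_value is not None:
        if role_value not in SUPPORTED_ROLES:
            raise ValueError(f"unsupported Role value {role_value!r}")
        role = role_value
    org_and_role = single_value(attrs, "OrgAndRole")
    if org_and_role is not None:
        m = ORG_AND_ROLE_RE.match(org_and_role)
        if not m or m.group("role") not in SUPPORTED_ROLES:
            raise ValueError(f"malformed OrgAndRole value {org_and_role!r}")
        org, role = m.group("org"), m.group("role")
    return org, role
```

Rejecting unknown or malformed values, rather than falling back to a role, keeps an IdP misconfiguration from silently granting access.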