SSO
SSO enables organizations to use corporate identity providers to authenticate their users. Currently supported SSO providers include:
- Azure AD
- SAML
To request support for additional SSO providers, please contact Seek support.
Azure Active Directory
Register Seek with Azure AD
Register an application in your Azure tenant using these instructions.
Seek's callback URL to use for the Azure app's redirect URI is https://seek-prd.us.auth0.com/login/callback.
Configure Azure App Permissions
Configure permissions for the Azure app - see Microsoft's quickstart here.
- Use Delegated Permissions
- Seek requires the following permissions:
  - Group.Read.All
  - GroupMember.Read.All
  - User.Read
  - Directory.Read.All
  - Directory.AccessAsUser.All
  - email
  - offline_access
  - openid
  - profile
Communicate Setup to Seek
Provide the following information back to your Seek contact:
Azure Details
- Microsoft Azure AD Domain
- Azure App Client ID
- Azure App Secret
IDP Group Mapping
- Provide the group names that should be mapped to Seek roles: Admin, Engineer, Consumer
- Multiple groups can map to the same role
Using IDP Groups for Permissions
If you have SSO enabled, you will be able to add groups from your IDP directly to a team in Insight Cloud. This allows you to manage permissions in Insight Cloud based on your existing Active Directory group structure.
- Create a Team in Insight Cloud
- Add the Azure AD group to the Team
- Assign permissions to the Team
- When users who are a member of that AD group log in, they will have access to the permissions assigned to the Team
Read more about managing Teams in Insight Cloud here.
SAML
Open a service request with Seek informing us of your intention to use SAML SSO. Seek will provide you with the necessary information to configure your SAML identity provider.
Register Insight Cloud with IdP
These are the settings used to configure a SAML identity provider (IdP). The below values are illustrative and should be replaced with the actual values provided by Seek.
Field | Value |
---|---|
Assertion Consumer Service URL (post-back url) | https://seek-prd.us.auth0.com/login/callback?connection={yourConnectionName} |
Entity ID | urn:auth0:seek-prd:{yourConnectionName} |
Sign Request Algorithm | RSA-SHA256 |
Single Logout Service URL | https://seek-prd.us.auth0.com/logout |
Communicate IdP Settings to Seek
You'll need to collect the following information from your SAML identity provider and provide it to Seek:
Field | Description |
---|---|
Sign In URL | The URL where SAML authentication requests are sent. This is also called the single sign-on (SSO) endpoint. |
Sign Out URL | The URL where SAML logout requests are sent. This is also called the single logout (SLO) endpoint. |
X509 Signing Certificate | The public-key certificate required by the SP to validate the signature of the authentication assertions that have been digitally signed by the IdP. Seek accepts the .pem and .cer formats. |
SAML Attributes Mapping
SAML authentication tokens contain user attributes (claims) that are mapped to user attributes in Seek. The following table shows the default mappings used by Seek. If your SAML provider uses different attribute names, please communicate this back to us.
| Insight Cloud User Attribute | SAML Attribute(s) | Required |
|---|---|---|
| idp_id | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier, http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn, http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Yes |
| | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress | Yes |
| first_name | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname, http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Yes |
| last_name | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname | Yes |
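The following is an added example, not Seek's or Auth0's code, showing how the default mapping above is applied to the attributes carried in a SAML 2.0 assertion: each Insight Cloud attribute is resolved from the listed SAML claims in the order given (for `idp_id`, `nameidentifier` first, then `upn`, then `name`), and any required attribute that cannot be resolved is reported so the login can be rejected rather than creating a partial user. Assumptions: the `nameidentifier` claim is taken from the assertion's `Subject/NameID` when it is not also sent as an attribute; the Insight Cloud attribute name for the `emailaddress` claim is blank on the page, so `email` is used as a labelled placeholder; the assertions are constructed for illustration. Signature validation against the IdP's X509 signing certificate must succeed before any of these attributes are trusted; it is not shown here.

```python
"""Apply Seek's default SAML attribute mapping to a SAML 2.0 assertion.

Added example (not Seek's own code). The assertions at the bottom are
constructed test data; in production the assertion's signature must be
validated with the IdP's X509 signing certificate before this runs.
"""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"

# Insight Cloud attribute -> SAML claims tried in order of preference.
# "email" is a placeholder: the page leaves that attribute name blank.
DEFAULT_MAPPING = {
    "idp_id": [CLAIMS + "nameidentifier", CLAIMS + "upn", CLAIMS + "name"],
    "email": [CLAIMS + "emailaddress"],
    "first_name": [CLAIMS + "givenname", CLAIMS + "name"],
    "last_name": [CLAIMS + "surname"],
}


def extract_claims(assertion_xml: str) -> dict:
    """Collect every Attribute in the AttributeStatement as name -> [values]."""
    root = ET.fromstring(assertion_xml)
    claims = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text.strip() for v in attr.iterfind("saml:AttributeValue", SAML_NS) if v.text]
        claims.setdefault(attr.get("Name"), []).extend(values)
    # Assumption: treat Subject/NameID as the nameidentifier claim when the
    # IdP does not also send it as an attribute (common with ADFS/Azure AD).
    name_id = root.find("saml:Subject/saml:NameID", SAML_NS)
    if name_id is not None and name_id.text and CLAIMS + "nameidentifier" not in claims:
        claims[CLAIMS + "nameidentifier"] = [name_id.text.strip()]
    return claims


def resolve_user(assertion_xml: str, mapping: dict = DEFAULT_MAPPING) -> tuple:
    """Return (user_attributes, missing_required_attributes).

    Every attribute in the mapping table is marked Required, so a non-empty
    missing list means the assertion must not be accepted.
    """
    claims = extract_claims(assertion_xml)
    user, missing = {}, []
    for target, candidates in mapping.items():
        value = next((claims[c][0] for c in candidates if claims.get(c)), None)
        if value is None:
            missing.append(target)
        else:
            user[target] = value
    return user, missing


def _assertion(attributes: dict, name_id: str) -> str:
    """Build a minimal, unsigned, constructed assertion for the demo."""
    attrs = "".join(
        f'<saml:Attribute Name="{CLAIMS}{short}"><saml:AttributeValue>{val}'
        f"</saml:AttributeValue></saml:Attribute>"
        for short, val in attributes.items()
    )
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1" Version="2.0">'
        "<saml:Issuer>https://idp.example.test/metadata</saml:Issuer>"
        f"<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>"
        f"<saml:AttributeStatement>{attrs}</saml:AttributeStatement>"
        "</saml:Assertion>"
    )


# Constructed: no nameidentifier attribute, so idp_id must come from NameID,
# which the mapping prefers over the upn claim that is also present.
COMPLETE_ASSERTION = _assertion(
    {"upn": "jdoe@corp.example.test", "emailaddress": "jane.doe@example.test",
     "givenname": "Jane", "surname": "Doe"},
    name_id="jdoe@example.test",
)
# Constructed: surname omitted, so last_name cannot be resolved.
INCOMPLETE_ASSERTION = _assertion(
    {"upn": "jdoe@corp.example.test", "emailaddress": "jane.doe@example.test",
     "givenname": "Jane"},
    name_id="jdoe@example.test",
)

if __name__ == "__main__":
    for label, xml in (("complete", COMPLETE_ASSERTION), ("incomplete", INCOMPLETE_ASSERTION)):
        user, missing = resolve_user(xml)
        print(label, "->", "REJECT, missing " + ", ".join(missing) if missing else user)
```

If your IdP emits claims under different names, the fix is to change `DEFAULT_MAPPING` (the equivalent of telling Seek the alternate attribute names), not to relax the required check.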