
Single Sign On

SAML

To enable SAML as an authentication option in your app, you must add at least one SAML Provider. This document will guide you through the steps required in the Pangea User Console.

Enable the SAML authentication in Pangea

To complete configuration, you will need:

  • Your SAML Provider’s metadata URL

or

  • Login URL
  • Entity ID
  • Certificate

Optional: If you wish to sign authentication requests, you will also need:

  • Signing Request Algorithm
  • Signing Request Algorithm Digest

The following is also optional and is used to select a different SAML Auth request protocol:

  • Protocol Binding

  1. In the left-hand navigation of the Pangea User Console, click AuthN.

  2. Click Single Sign On.

  3. In the Providers page, click SAML.

  4. Click + Provider.

  5. Type a meaningful name for the provider in the Name field. This name is shown in the Continue with [Name] option on the user-facing sign-in page.

  6. Configuring the connection details will require steps within both the Pangea User Console and your SAML Identity Provider. On the Pangea side:

    • If you have the Metadata URL from your Identity Provider, paste it into the field and click Save. Pangea will retrieve the details and complete this step for you.
    • If you selected the manual configuration, copy the Login URL, the Entity ID, and the Certificate (in PEM format) from your Identity Provider into the provided fields and click Save.

  7. Once you save, Pangea will generate the ID, X509 Certificate, ACS URL, and Metadata URL. Your SAML Identity Provider will need these values.

  8. [Optional] If your users will authenticate from the Identity Provider directly, enable Allow IDP-initiated Flow and click Save. We do not recommend IDP-initiated flow for day-to-day usage: Pangea receives an unsolicited response that it cannot tie to a request it issued, which makes the flow more susceptible to Man-In-the-Middle (MITM) attacks.

  9. [Optional] Click the Sign Auth Request toggle to sign the request. Provide the Sign Request Algorithm, Sign Request Algorithm Digest, and Protocol Binding in the provided fields. By default, the Auth protocol binding is HTTP-Redirect.

  10. Click the toggle by the provider name to activate the provider, and then click Save.

  11. You must register your Pangea app as a trusted application within your SAML Identity Provider. The steps differ by provider but are variations of adding the ACS URL (noted above) as a valid callback URL. Okta and Auth0 are documented below for reference.

  12. Once you’ve registered your app within your Identity Provider, in the Pangea User Console click Log in/Sign up Flow in the left-hand navigation menu.

  13. Click the toggle below SAML to enable SAML authentication and then click Save.
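If you go the manual route in step 6, the three values you paste (Entity ID, Login URL, PEM certificate) are exactly what the IdP publishes in its metadata document. The following Python script, added here as an example and not part of Pangea's product or documentation, extracts those values from IdP metadata so you can compare them against what you entered; the sample metadata, its URLs and its certificate bytes are constructed placeholders, and the `extract_idp_settings` and `to_pem` names are this example's own.

```python
import base64
import textwrap
import xml.etree.ElementTree as ET

# XML namespaces used in SAML 2.0 IdP metadata.
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed stand-in for what an IdP serves at its metadata URL; the
# entityID, locations and certificate bytes are placeholders, not real values.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="{md}" xmlns:ds="{ds}"
    entityID="https://idp.example.test/saml/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{cert}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="{redirect}" Location="https://idp.example.test/sso/redirect"/>
    <md:SingleSignOnService Binding="{post}" Location="https://idp.example.test/sso/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>""".format(md=NS["md"], ds=NS["ds"], redirect=REDIRECT, post=POST,
                                 cert=base64.b64encode(b"placeholder-der-bytes" * 4).decode())

def to_pem(b64_der: str) -> str:
    """Wrap the bare base64 DER found in metadata as the PEM block the console expects."""
    body = "\n".join(textwrap.wrap("".join(b64_der.split()), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def extract_idp_settings(metadata_xml: str) -> dict:
    """Return Entity ID, Login URL per binding and signing certificate(s) as PEM."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if root.get("entityID") is None or idp is None:
        raise ValueError("not IdP metadata (no entityID / IDPSSODescriptor)")
    # Location per binding; the console's Protocol Binding must match one of these.
    logins = {s.get("Binding"): s.get("Location")
              for s in idp.findall("md:SingleSignOnService", NS)}
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # no 'use' attribute means both
            continue
        certs += [to_pem(c.text) for c in kd.findall(".//ds:X509Certificate", NS)]
    if not certs:
        raise ValueError("no signing certificate: assertions could not be verified")
    return {"entity_id": root.get("entityID"),
            "login_url": logins.get(REDIRECT) or logins.get(POST),  # HTTP-Redirect first
            "bindings": logins,
            "certificates": certs}
```

If the IdP lists more than one signing certificate (key rollover), paste the one it currently signs with; a metadata document with none should not be trusted at all.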

Setting up SAML Authentication with the IdP

To set up SAML authentication, you must provide the IdP with the Entity ID, the Callback/ACS URL, and the certificate generated by Pangea; if the IdP accepts a Metadata URL, that single URL replaces the individual values.

Configuring SAML settings with Okta

This will allow you to use SAML SSO to log in to your own apps, initiated from the service provider (Pangea/your app). As of now, we do not support the IdP (Okta)-initiated sign-in.

  1. From your Okta Admin Dashboard, select Applications, choose Create App Integration, select SAML 2.0 as the Sign-in method, and select Next.

  2. Specify a name for your app and select Next.

  3. Use the ID and ACS URL from the previous section as your Audience URI and Single sign-on URL respectively. Select Next.

  4. Select I’m an Okta customer adding an internal app and then select This is an internal app that we have created on the next screen. Select Finish.

  5. Your app should now be visible under the Applications menu option. Select it, navigate to the Assignments tab, and select Assign to add the relevant User and Group assignments.

    Note: No one can use this configuration until you assign their User or Group.

  6. Now, when you visit the User Dashboard (available at https://your_okta_domain/app/UserHome), your new SAML App should be listed.

  7. Click on the app and you should be redirected to the application, and authenticated using your Okta context.

Configuring SAML settings with Auth0

  1. In the left-hand navigation of the Pangea User Console, click AuthN.

  2. Click Single Sign On.

  3. In the Single Sign On page, click SAML.

  4. Click + Provider.

  5. Type a unique name for the provider in the Name field.

  6. Input the following for the Metadata URL for IdP field:

    https://dev-5o0gavik3bvcqsfm.us.auth0.com/samlp/metadata/QKU3MXQMxmTtlCzYTb0PWwmX4Ua2EsR9

  7. Click the toggle by the provider name to activate the provider, and then click Save.

  8. Copy the ACS URL field.

  9. Navigate to the Auth0 application for the SSO IdP.

  10. Copy the ACS URL from the Applications >> SSO Application >> Allowed Callback URLs field.

  11. Paste the ACS URL into the AuthN >> General >> Redirect (Callback) Settings.

  12. In the Pangea User Console, click AuthN >> Log in/Sign up Flow.

  13. Click the toggle below SAML to enable SAML authentication and then click Save.

Passkeys

Passkeys are a passwordless authentication method that uses the device sign-on method, such as fingerprint or facial recognition, a PIN, etc., instead of a password to prove identity. This removes the need for users to remember the complex passwords required for strong security. When Passkeys are enabled, users can set up trusted devices that sign in using passkeys instead of the Primary/Secondary methods defined in the Log in/Sign up flow page.

The user process is as follows:

  1. A user is first required to sign in using the Primary/Secondary methods defined in the Log in/Sign up flow page.
  2. Then, the user is asked if they would like to use passkeys for the signed-in device in the future.
  3. If the user says yes, they are then required to sign in using the device sign-in method.
  4. When the device sign-in method check completes, AuthN adds the device to the trusted device list with passkeys as the sign-in method.
  5. The user is then able to sign in on that device using a passkey.

To enable passkeys, complete the following steps:

  1. Navigate to AuthN >> Single Sign On.
  2. Click Passkeys.
  3. Click the Passkeys toggle switch to enable Passkeys.
  4. Click Save.

  • Allow fallback to other authenticators - This setting is enabled by default to prevent lockouts; turning it off can prevent valid users from logging in to your app. Disable it only after the proper measures and considerations are in place.

    A use case for disabling this setting is a high-security environment where users are required to use a USB passkey dongle or other security device to gain access. In this instance, an alternative login method is not acceptable, so the organization uses other means to resolve a lockout condition, for example requiring the user to visit an internal IT department to be issued a new passkey device.
