
Single Sign-On (SSO)

UDMG supports SSO for User and Account authentication, enabling centralized identity management, strengthening security, and providing a seamless login experience for administrators and partners, respectively. By allowing Users and Accounts to authenticate through an external Identity Provider (IdP), UDMG integrates easily into your organization's existing identity infrastructure.

Each UDMG Domain supports a single SSO provider for Users and one for Accounts. Upon SSO login, UDMG validates the IdP assertion/token, verifies authorization, issues its own session tokens, and Just-in-Time (JIT) provisions the User or Account, if needed.

info

SSO authentication is currently supported for Users within the UDMG Admin UI.

SSO authentication is currently supported for Accounts in the Web Transfer Client (WTC).

Before You Begin

Supported Protocols and IdPs

UDMG supports two widely adopted authentication protocols for SSO. These are open standards for exchanging authentication and authorization data between an IdP and Service Providers (SPs) like UDMG:

  • SAML (Security Assertion Markup Language) 2.0
  • OIDC (OpenID Connect)/OAuth 2.0

UDMG supports any IdP that conforms to the SAML or OIDC/OAuth 2.0 specifications. The table below lists a selection of commonly used IdPs that have been tested and formally validated. If your IdP is not included, it is still likely to work with UDMG, as unlisted providers may simply not have undergone our complete validation process.

Identity Provider | SAML 2.0 | OIDC / OAuth 2.0
Okta
Microsoft Entra ID (Azure AD)
Google Workspace
PingFederate
Auth0

Before configuring SSO in UDMG (the Service Provider), ensure your IdP is fully configured and operational. Download your IdP metadata file or obtain the necessary configuration details directly from your issuer; the values you will need are listed in the Field Descriptions table below.

Provisioning and Identity Management

UDMG supports automated Just-in-Time (JIT) provisioning for Users and Accounts authenticated via SSO. When a User successfully signs in to the UDMG Admin UI, or an Account successfully signs in to the WTC, through a configured SSO provider for the very first time, the User or Account is created automatically within UDMG; no manual setup is required.

On First Login

When a User or Account first signs in with SSO, UDMG processes the identity assertion or token returned by the IdP:

  • If the Username Attribute Name is present and resolves to a unique username, UDMG creates a new User or Account and populates the mapped attributes (e.g., name, email, role).
  • If the Username Attribute Name is missing, or if a User or Account with the same username exists but has a different Login Method (e.g., Standard or LDAP), the login is denied.

On Subsequent Logins

When an SSO-provisioned User or Account logs in again, UDMG re-evaluates authorization and:

  • Updates mapped attributes (e.g., name, email, role) if they differ from the IdP response.
  • Refreshes the Updated timestamp and Version number whenever any User or Account data is modified.

info

The Username is immutable to preserve identity consistency. The Login Method (equal to SAML or OIDC) and the association with the originating SSO Provider are also not changeable.

On User or SSO Removal/Change

If a User or Account is removed from the IdP:

  • The User or Account remains visible in the list but will no longer be able to log in.
  • If the User or Account authenticates again after an SSO provider has been replaced, they may be re-provisioned as a new User or Account depending on whether the new IdP emits a different value for the configured Username Attribute Name.
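The first-login, subsequent-login and provider-replacement rules above, as an added example that is not UDMG's own code: an in-memory directory stands in for the User/Account table, and the function names, the constructed sample records and the attribute names are assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class Principal:
    """A User or Account record as UDMG would store it (constructed model)."""
    username: str
    login_method: str                       # "Standard", "LDAP", "SAML" or "OIDC"
    attributes: dict = field(default_factory=dict)
    version: int = 1


def sample_directory() -> dict:
    """Constructed sample: one pre-existing LDAP user, keyed by username."""
    return {"alice": Principal("alice", "LDAP", {"email": "alice@example.test"})}


def jit_login(directory: dict, assertion: dict, username_attr: str,
              protocol: str, mapped_attrs: tuple = ("email", "name")) -> tuple:
    """Apply the JIT rules to one IdP assertion/token (already validated).

    Returns (outcome, record) where outcome is "created", "updated",
    "unchanged" or "denied"; protocol is the provider's Login Method.
    """
    username = assertion.get(username_attr)
    if not username:
        return ("denied", None)            # Username attribute missing: deny
    incoming = {k: assertion[k] for k in mapped_attrs if k in assertion}

    record = directory.get(username)
    if record is None:
        # First login: create the record and populate the mapped attributes.
        record = Principal(username, protocol, incoming)
        directory[username] = record
        return ("created", record)

    if record.login_method != protocol:
        # Same username but a different Login Method (Standard/LDAP/other SSO): deny.
        return ("denied", record)

    if record.attributes != incoming:
        # Subsequent login: sync mapped attributes and bump Version on change.
        record.attributes = incoming
        record.version += 1
        return ("updated", record)
    return ("unchanged", record)
```

A replaced IdP that emits a different value for the Username Attribute Name simply falls into the "created" branch, which is the re-provisioning behaviour described above.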

Group Attribute, Roles, and Authorization - Users

After a User is authenticated through SSO, UDMG determines their Role from the attribute named by the Group Attribute Name in the SSO configuration. This attribute contains one or more values, such as group names or role identifiers, which are compared against the role mappings described below.

For each UDMG role, you can configure the exact IdP value (group or claim) that grants that role. Leaving a role mapping blank disables assignment for that role. If all role mappings are blank, UDMG applies the Missing or Unrecognized Role Policy instead:

  • Deny login: The authentication attempt is rejected.
  • Assign to default role: The User is allowed to log in with the specified Default Role (typically, Read-only).

If a User's IdP attributes contain multiple matching values, UDMG assigns the most privileged role from the following list (in descending order of privilege):

  • Domain Administrator
  • Pipeline Management
  • Operator
  • Read-only

If no values match, or if the Group Attribute Name is missing entirely, UDMG applies the configured Missing or Unrecognized Role Policy.

For SAML configurations, when group attributes are returned as a single string, values are split using the configured Group Delimiter.

Role assignments are re-evaluated on every login. If a User's group membership or mapped role changes in the IdP, UDMG updates the User's role accordingly.

Group Attribute, Roles, and Authorization - Accounts

After an Account is authenticated through SSO, UDMG determines their Account Group association from the attribute named by the Group Attribute Name in the SSO configuration. This attribute contains one or more values, such as group names or role identifiers, which are compared against the Account Group mappings described below.

For each UDMG Account Group, you can configure the exact IdP value (group or claim) that grants that Account Group association. If all group mappings are blank, UDMG applies the Missing or Unrecognized Role Policy of 'Deny login' and the authentication attempt is rejected.

If an Account's IdP attributes contain multiple matching values, UDMG associates the Account with all of the matching Account Groups.

If no values match, or if the Group Attribute Name is missing entirely, UDMG applies the Missing or Unrecognized Role Policy of 'Deny login'.

For SAML configurations, when group attributes are returned as a single string, values are split using the configured Group Delimiter.

Account Group assignments are re-evaluated on every login. If an Account's group membership changes in the IdP, UDMG updates the Account's group accordingly.
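The role resolution for Users (most privileged match, policy and Default Role fallback) and the group resolution for Accounts (all matches, otherwise deny) from the two sections above, as one added example that is not UDMG's own code; the function names, the mapping dictionaries and the constructed group values are assumptions.

```python
# Privilege order from the page, most privileged first.
ROLE_PRIVILEGE = ["Domain Administrator", "Pipeline Management", "Operator", "Read-only"]


def group_values(assertion: dict, group_attr: str, delimiter: str = ";") -> list:
    """Read the Group Attribute; a single SAML string is split on the Group Delimiter."""
    raw = assertion.get(group_attr)
    if raw is None:
        return []                                   # attribute missing entirely
    if isinstance(raw, str):
        raw = raw.split(delimiter)
    return [v.strip() for v in raw if v.strip()]


def resolve_user_role(assertion: dict, group_attr: str, role_map: dict,
                      policy: str = "Deny login", default_role: str = "Read-only",
                      delimiter: str = ";"):
    """role_map: {udmg_role: idp_value}; a blank value disables that role.

    Returns the assigned role, or None when the login is denied.
    """
    values = set(group_values(assertion, group_attr, delimiter))
    matched = [role for role in ROLE_PRIVILEGE
               if role_map.get(role) and role_map[role] in values]
    if matched:
        return matched[0]                           # most privileged match wins
    # No match, missing attribute, or all mappings blank: apply the policy.
    if policy == "Assign to default role":
        return default_role
    return None


def resolve_account_groups(assertion: dict, group_attr: str, group_map: dict,
                           delimiter: str = ";"):
    """group_map: {idp_value: udmg_account_group}. Accounts get every matching
    group; no match (or missing attribute) is always 'Deny login' -> None."""
    values = group_values(assertion, group_attr, delimiter)
    groups = sorted({group_map[v] for v in values if v in group_map})
    return groups or None
```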

Login Experience

Once an SSO provider has been configured for a Domain, a button for that provider appears on the Domain's login page beneath the standard Username and Password fields.

When a User or Account clicks the SSO button, UDMG redirects them to the configured IdP to authenticate. After the IdP completes authentication, it returns the User or Account to UDMG, redirecting them to their requested page or the default landing page.

Also, Users and Accounts can log into their respective UDMG UIs automatically by navigating to a direct SSO URL. For Users, simply append /auth/{domainId}/sso to your UDMG Base URL (hostname). This redirects them to their IdP login screen and, upon successful authentication, to the UDMG Admin UI landing page.

info

If the IdP is configured for IdP-initiated login, it can send a signed authentication response directly to the Full Redirect URI, which is the Assertion Consumer Service (ACS) endpoint for SAML or the redirect (callback) URI for OIDC.

Session Behavior

After a successful SSO login, UDMG establishes and manages its own application session; it does not reuse IdP tokens. When a User or Account signs out, only the UDMG session ends. Single Logout (SLO) across the IdP or other applications is not supported.

If an SSO provider is deleted, new logins are blocked but existing sessions remain active until they expire. When a session expires, Users and Accounts are returned to the login page; if their IdP session is still valid, they may be signed back in without re-entering credentials, otherwise the IdP prompts for login.

Configuring an SSO Provider

SSO is configured at the Domain level, meaning it can only be used to authenticate Users and Accounts within that specific Domain. If you want to use the same SSO provider across multiple Domains, it must be configured separately in each Domain.

To configure an SSO provider for Users or Accounts, follow these steps:

  1. From the Sidebar, click General > Settings.
  2. Click Single Sign-On (SSO) - Users or Single Sign-On (SSO) - Accounts.
  3. Fill out the fields for the new SSO settings using the Field Descriptions table, which includes separate tabs for OIDC / OAuth 2.0 and SAML.
  4. Click Save.

Field Descriptions

The fields below are those of the SAML tab; each entry gives the field's description, its specifications (if any), and whether it is required.

Name
  Description: The name of the SSO configuration.
  Required: Yes

Description
  Description: The description of the SSO configuration.
  Required: No

Protocol
  Description: Select SAML.
    • Cannot be modified after creation.
    • If a different protocol is needed, the current SSO provider must be deleted and a new one added.
  Required: Yes

Identity Provider (IdP)
  Description: The selected IdP's name and icon are displayed on the login page under the single sign-on section. If your IdP is not listed below, it is displayed as 'Other.'
  Options:
    • Microsoft Entra ID (Azure AD)
    • Okta
    • Google Workspace
    • Ping Identity
    • Other
  Required: Yes

UDMG Base URL
  Description: The base URL of your UDMG instance, prefixed by HTTPS. This should be the hostname where your UDMG application is accessible.
  Specifications: Must be a valid HTTPS URL.
  Required: Yes

Full Redirect URI
  Description: The complete redirect URI that is automatically generated and should be configured in your IdP as the callback URL for SAML authentication.
  Specifications: Must be a valid HTTPS URL.
  Required: Yes

IdP SSO URL
  Description: The IdP's SSO endpoint URL that Users or Accounts are redirected to for login.
  Specifications: Must be a valid HTTPS URL.
  Required: Yes

Service Provider (SP) Entity ID (Issuer)
  Description: A unique identifier for your Service Provider (entity issuer) that the IdP recognizes.
  Specifications: Must be a valid HTTPS URL.
  Required: Yes

Audience URI (Expected Value)
  Description: The URI that specifies which Service Provider the SAML assertion is intended for. Only change this field if your IdP sends a different audience value than your Service Provider Entity ID.
  Specifications: Must be a valid HTTPS URL.
  Required: Yes

Credentials Name (Client ID & Secret)
  Description: The Credential that references the CA Certificate used to verify the signature on the SAML response from the IdP.
  Specifications: Must reference an already created X509 Certificate.
  Required: Yes

Username Attribute Name
  Description: The name of the attribute to use as the unique user identifier. If not specified, the default NameID element is used. This value should be globally unique and not change over time (e.g., email, uid, userPrincipalName).
  Required: Yes

Email Attribute Name
  Description: The name of the attribute that contains the User's email address.
  Required: Yes

Name Attribute Name
  Description: The name of the attribute that contains the User's name.
  Required: Yes

Last Name Attribute Name
  Description: The name of the attribute that contains the User's last name.
  Required: Yes

Group Attribute Name
  Description: The name of the attribute from which the role will be derived. This could be an existing attribute or a custom one, such as mftRole.
  Required: Yes

Delimiter (for Single String Attributes)
  Description: If the Group Attribute Name is returned as a single string, specify the delimiter (e.g., ; or ,).
  Required: Yes

Role/Group Attribute to Role/Account Group Mapping
  Description: Map IdP group/role values to UDMG roles or UDMG Account Groups. Users: for each UDMG role, enter the exact value from your IdP that should grant that role. Accounts: for each IdP Role/Group, select the correct UDMG Account Group and click Plus. For more information on this field configuration, refer to Group Attribute, Roles, and Authorization.
  Required: No

Missing or Unrecognized Role Policy
  Description: Specifies whether to deny or downgrade the role/account group if the group attribute was not found or the role/account group could not be identified or mapped.
  Options:
    • Deny login
    • Assign to default role
  Specifications: Hidden for Accounts and set to 'Deny login'.
  Required: Yes

Default Role
  Description: Specifies the default role to assign if the role attribute is missing or does not contain a recognized role.
  Options:
    • Read-only
    • Domain Administrator
    • Operator
    • Pipeline Management
  Specifications: Default value: Read-only. Does not apply to Accounts.
  Required: Yes

Managing an SSO Provider

Viewing SSO Provider Details

To view the details of an SSO provider, follow these steps:

  1. From the Sidebar, click General > Settings.
  2. Click the Single Sign-On (SSO) - Users or Single Sign-On (SSO) - Accounts card you want to view.

SSO provider details include all parameters given in the Field Descriptions table above, plus the following read-only metadata:

SSO Provider Metadata

  • UUID: Universally Unique Identifier of this SSO provider.
  • Version: Version number of the latest configuration of the SSO provider.
  • Created: Date and time this SSO provider was created.
  • Updated: Date and time this SSO provider was last updated.

Editing SSO Provider Details

To edit the details of an SSO provider, follow these steps:

  1. From the Sidebar, click General > Settings.
  2. Click the Single Sign-On (SSO) - Users or Single Sign-On (SSO) - Accounts card you want to edit.
  3. Click the Edit button above the SSO provider details.

info

SSO-provisioned Users and Accounts cannot be edited at all.

Deleting SSO-Provisioned Users and Accounts

To delete an SSO-provisioned User, follow these steps:

  1. From the Sidebar, click General > Users.
  2. Click the Username of the User you want to delete.
  3. Click the Delete button above the User details.
  4. You will be asked to confirm the deletion. Click Delete.

To delete an SSO-provisioned Account, follow these steps:

  1. From the Sidebar, click Configuration > Accounts.
  2. Click the Name of the Account you want to delete.
  3. Click the Delete button above the Account details.
  4. You will be asked to confirm the deletion. Click Delete.

info

Deleting an SSO-provisioned User or Account removes them from the list, but they will reappear if they authenticate again. To permanently prevent access, first remove the User or Account from your IdP, and optionally delete them from the Users list.

Deleting an SSO Provider

danger

Before deleting an SSO provider, ensure that at least one Admin User with Standard authentication remains available. Otherwise, you may lose administrative access to UDMG.

Deleting an SSO provider configuration is straightforward; however, you must plan what to do with any orphaned Users and Accounts that have already been provisioned via the provider. Those options include:

Option: Delete the Users/Accounts
  When to choose: No plans to migrate to a new provider, or you don't want to preserve User records.
  Result: Users/Accounts are removed from UDMG; if they authenticate later via an active SSO provider, they will be re-provisioned.

Option: Retain as orphaned
  When to choose: You need the records for auditing but do not want Users/Accounts to log in.
  Result: Users/Accounts remain visible but cannot authenticate; even with a new provider configured, their usernames remain tied to the deprecated provider.

To delete an SSO provider, follow these steps:

  1. From the Sidebar, click General > Settings.
  2. Click the Single Sign-On (SSO) - Users or Single Sign-On (SSO) - Accounts card you want to delete.
  3. Click the Delete button above the SSO provider details.
  4. You will be asked to confirm the deletion. Click Delete.

info

Deleting an SSO provider blocks new login attempts for associated Users and Accounts. Existing sessions remain active until they expire or the User or Account logs out.