Configure SSO in Solstice Cloud

Log in to Solstice Cloud with an Admin account.

Use the left navbar to go to Manage > Organization > SSO.

Select the Identity Provider used by your organization, either Azure or Okta.

Selecting an Identity Provider populates the Service Provider URL on the right side of the panel.

Use the Identity Provider info on the right side of the Solstice Cloud configuration panel to create an (enterprise) application integration for Solstice Cloud in your identity provider as follows:

1. Select SAML 2.0 as the authentication method.

2. Copy and paste the Service Provider URL value into the configuration for the new application SAML integration:

   • Okta – Single sign-on URL

   • Azure – Reply URL

3. Also in the SAML settings for the new application, enter the Service Provider Entity Id:

   • Okta – Audience URI (SP Entity ID)

   • Azure – Identifier (Entity ID)

4. Using the values listed on the Solstice Cloud SSO Setup panel, define the Custom SAML Attributes for the new application:

   • Okta – Attribute Statements

   • Azure – Attributes and Claims

   Enter the Custom SAML Attributes into your IdP as follows:

   1. Create a new attribute.

   2. Enter the listed attribute Name as the new attribute name.

   3. Enter the attribute Value into the value field (called Source attribute in Azure).

      • The orgId attribute value is specific to Solstice Cloud and should always be copied and pasted.

        Microsoft Azure may require double quotes around this value.

      • The email attribute value should be mapped to the IdP value that holds SSO users' email addresses. This is usually user.mail, but can be different depending on your SSO identity provider configuration.

      Tip

      Copying and pasting all values from the Solstice Cloud SSO Setup page is strongly recommended to ensure each value is transferred exactly as listed. For example, the Custom SAML Attribute orgId must contain a capital I.

5. Finish the application integration setup to have your identity provider generate a SAML sign-on URL and signing certificate.

Now you can enter the SAML setup information generated by the new Solstice Cloud application integration in your IdP into the boxes under Solstice Cloud info on the left side of the SSO Setup panel.

1. Locate the SAML setup information associated with the Solstice Cloud application you just configured in your identity provider:

   • Okta – view the SAML setup instructions

   • Azure – in SSO dev test information

2. Enter the sign-on URL from your identity provider into the Sign On URL field:

   • Okta – Identity Provider Single Sign-On URL

   • Azure – Login URL

3. Enter the identity provider identifier or issuer on the Solstice Cloud SSO Setup panel:

   • Okta – enter the Identity Provider Issuer value into the Identity Provider Issuer field

   • Azure – enter the Azure ID Identifier value into the Azure ID Identifier field

4. Copy or download the X.509 certificate from your identity provider:

   • Okta – appears with the two values above in SAML setup instructions

   • Azure – download the certificate (.cer or .cert file) from the SAML Certificates section

   Then enter it under Verification Certificate in one of these ways:

   • Paste the copied certificate into the text entry box.

   • Click Upload Certificate and select the file you downloaded from your IdP.

When the Solstice Cloud info on the left of the setup panel is complete, click Save to store the SSO configuration for your Solstice Cloud organization.

Be sure to also assign users defined in your identity provider to the application you just configured. If a user is not assigned to the Solstice Cloud application in Okta or Azure, they can not log in with SSO to Solstice Cloud, regardless of their Solstice Cloud user configuration.

After users are assigned for SSO access to Solstice Cloud in your identity provider, they can log in to Solstice Cloud using SSO authentication. See below for more about logging in to Solstice Cloud with SSO.