
Admin SSO

Authress provides easy access to your account via your existing corporate identity provider. Besides SAML and OpenID, there are a number of first-class connections available for AWS, Auth0, Okta, and Microsoft Azure AD. These options enable your engineering team members to log into Authress without needing to sign up.

Configuring your SSO login

To enable your engineering team to log in with your identity provider, after you specify the configuration for your provider of choice, you'll need to select a custom SSO domain. This domain can be anything you prefer, but must be globally unique. As we will see below, your team will enter this value into the SSO Login screen. The recommendation is to make this the same as your corporate domain without the TLD (.com, .io, .ai). For instance, if your email is user@my-company-domain.com, a good choice would be my-company-domain. For even easier access, you can choose an abbreviation.

Corporate custom subdomain configuration

Walk-through guides for setting up SSO providers

Team member login

Step 1. Selecting SSO Login

Once configured, your team can log in using the Continue with SSO option available on the Login screen:

Authress login screen with SSO

Then they'll enter your domain, which automatically logs them in with your configured identity provider. In this example the configuration would have been set to my-company-domain. For more information about how to configure my-company-domain as your subdomain, see configuring your SSO login.

Corporate Subdomain

Step 2. Access to the Authress Management Portal

When your team logs in for the first time, they won't have any permissions to the portal. They will see this message on login:

Missing permissions

tip

Important: They are seeing this message because, although you have configured SSO for them, SSO only allows them to log in. It doesn't allow them to make changes to your Authress account. The next step is to give them access to the resources in Authress that they need.

That means before your team can use Authress via your SSO, you need to give them permission. This step is the same irrespective of using SSO or not, as all users need explicit access before they are allowed to use the portal. You grant them access the same way you grant anyone access to your Authress resources: using access records. The best way to grant SSO users admin access is to update your Authress account Root Access Record and add the user's SSO user ID to the list of users. If you want to give them a subset of the full admin permissions, you can also create additional access records or user groups.

Granting a new user authorization access

Creating a new record

Instead of editing the Root access record, you can create a new record for the user. What's important to remember is that the permission ✶ (star) is not the same as Authress:✶. ✶ (star) only grants access to your resources; it does not grant access to the Authress Management Portal or the Authress-related resources. Give the user access to the resources Authress:✶ so they will be able to use the portal and update all the Authress-related resources: Access Records, Service Clients, and Roles.

Authress all access
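The difference between the bare star permission and `Authress:*` can be checked across a set of access records before you hand out SSO logins. The following is an added example, not Authress code: the record layout (`users[].userId`, `statements[].resources[].resourceUri`), the ASCII `*` wildcard, and the sample record and user IDs are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample data. Field names are an assumed record layout, and "*"
# stands in for the star wildcard shown in the portal.
SAMPLE_RECORDS = [
    {"recordId": "rec-root", "users": [{"userId": "sso-user-alice"}],
     "statements": [{"resources": [{"resourceUri": "Authress:*"}]}]},
    {"recordId": "rec-app", "users": [{"userId": "sso-user-bob"}],
     "statements": [{"resources": [{"resourceUri": "*"}]}]},
    {"recordId": "rec-authz", "users": [{"userId": "sso-user-carol"}],
     "statements": [{"resources": [{"resourceUri": "Authress:AccessRecords"},
                                   {"resourceUri": "Authress:Roles"}]}]},
]

def classify(resource_uri):
    """Map one resource URI to the kind of access it gives."""
    if resource_uri == "Authress:*":
        return "portal-full"      # every Authress management resource
    if resource_uri.startswith("Authress:"):
        return "portal-scoped"    # a specific management resource
    return "app-only"             # includes bare "*": no portal access

def audit(records):
    """Return {userId: sorted access kinds} collected over all records."""
    kinds = defaultdict(set)
    for record in records:
        uris = [res["resourceUri"]
                for stmt in record.get("statements", [])
                for res in stmt.get("resources", [])]
        for user in record.get("users", []):
            kinds[user["userId"]].update(classify(uri) for uri in uris)
    return {user_id: sorted(found) for user_id, found in kinds.items()}

def no_portal_access(report):
    """Users who can sign in but would see the missing-permissions message."""
    return sorted(u for u, k in report.items()
                  if not any(x.startswith("portal-") for x in k))

def full_admins(report):
    """Users holding Authress:*, the list to keep short and review."""
    return sorted(u for u, k in report.items() if "portal-full" in k)

if __name__ == "__main__":
    report = audit(SAMPLE_RECORDS)
    print("no portal access:", no_portal_access(report))
    print("full admin:", full_admins(report))
```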

Authress management resources

Alternatively, you can give them specific access to any of the Authress-related resources:

Account Management:

  • Authress:AccountBilling - Change billing for the account
  • Authress:AccountBilling/Usage - Review billing metrics (READ) and request updates to usage and rate limits (UPDATE)
  • Authress:Configuration - Configure all aspects of the Authress management account, from integrations to SSO configuration
  • Authress:Configuration/Integrations - Configure Authress audit trail (integrations:read and integrations:update)
  • Authress:Configuration/UserAnalytics - Review and manage the user analytics captured and displayed in Authress, such as the Authress audit trail.

Authorization:

  • Authress:AccessRecords - Access records that allow them to change permissions
  • Authress:AccessRequests - Allow them to create access requests for more permissions and approve others' access requests
  • Authress:Groups - Create and modify user groups for assigning permissions
  • Authress:ResourcePermissions - Update resources' public permissions
  • Authress:Roles - Create and manage user roles, granting new access and new permissions
  • Authress:UserPermissions - Grant access to the Authress Access Analyzer and enable them to check users' permissions

Authentication:

Going further

Authress provides a number of more automated solutions and stronger integrations with certain identity providers. If your team has more complex requirements, please reach out directly to our development team.