This article covers the steps to set up single sign-on (SSO) with Cloud Academy or QA. This feature is available to enterprise accounts. You must be an admin to access the screen in the application where you perform this procedure. You also need access to configuration information from your identity provider (IdP).

Note: This article contains different URLs to use in your configuration depending on whether you are using Cloud Academy or QA. When you see both options, choose the URL that corresponds to the kind of account you use.

This article contains the following sections:

• Single Sign-on
  • Logging in to the Web Platform
  • Logging in to the Mobile App
• How to Set Up Single Sign-on
  • Create a SAML Application on your Identity Provider
  • Complete the Integrations/SSO screen in the Cloud Academy or QA Platform
  • Configure Your IdP Manually or Using the XML File 
• How to Migrate Users to SSO

Single Sign-on

When you set up SSO, users at your company can use their regular network credentials to sign in to the web platform and mobile app. You configure SSO with whatever identity provider your company uses, such as Okta, Centrify, or Azure AD.

Single sign-on uses SAML 2 and currently supports only SP-initiated workflows.

Logging in to the Web Platform

When any users access the login screen, they have options:

• Create an account
• Log in with their Google, Facebook, or Apple account
• Log in with an email address and password

Before you set up SSO, your early users probably use the email address and password to log in. After you set up SSO, your users should still enter their corporate email address in the Email field. The system will detect that the email domain belongs to an account with SSO enabled and change the Login button to a Login with SSO button. 

Alternately, your users can go directly to your company's custom URL (also called your company's "vanity URL") to log in to the application on the web platform. The URL looks something like:

​https://{company}.sso.cloudacademy.com/

Or

https://{company}.sso.app.qa.com/

Where the token {company} is a value that you choose. For example, the URL might look like the following if the value you choose for {company} is acme: ​

https://acme.sso.cloudacademy.com/

The {company} value you choose must be unique across all accounts to ensure you have a unique custom URL. See the Checking the Subdomain and Testing the Integration procedure later in this document for step-by-step instructions.

Tip: Choose a simple value for your unique identifier to make your login URL easier to remember and type.

Logging in to the Mobile App

When users log in to the mobile app, the Login button change to a Login with SSO button if the app recognizes the email domain as belonging to an SSO account, as you see in the following image. The user can still click Login with Email to go back to the regular login screen.

From here, the user logs in to the app with their IdP network credentials.

How to Set Up Single Sign-on

The process to set up SSO has three parts:

1. Create a SAML application on your identity provider.
2. Complete the Integrations/SSO screen in the Cloud Academy or QA platform.
3. Download the XML file and let your IdP autoconfigure according to that information or manually configure the information from the platform in your IdP.

The following sections walk through each of these three parts.

Create a SAML Application on your Identity Provider

You create the SSO SAML application outside of Cloud Academy or QA. Do that step first before continuing to configure the integration. The steps vary depending on which identity provider you use.

Complete the Integrations/SSO screen in the Cloud Academy or QA Platform

When you navigate to the Integrations/SSO screen, you see a message with information to start configuring SSO. 

Click Start Configuring and the configurations screen appears The following graphic shows an example of the General Settings section.

Complete these fields with the information from the SAML application created by your identity provider.

• SSO URL (Location): The endpoint for handling SAML transactions. You get this value from your IdP.
• Certificate: An X.509 certificate helps identify secure connections. You get this value from your IdP.
• Email Domains: Enter all the domains your company uses for user emails, such as example.com or us.example.com. The system uses these values to correctly direct SSO traffic once your users enter their email address.

The following graphic shows an example of the SAML attributes mapping, Security Settings, and Extra Settings section of the screen.

Complete these fields with the information the application created by your identity provider.

SAML Attributes Mapping

• Permanent User ID: Enter the name of the field that holds the ID your identity provider uses to uniquely identify your users. Tip: If possible, avoid using email address as this ID so that users can still log in to their account even if their email address with your company changes.
• First Name: Enter the IdP field that holds the user's first name. If you are integrating with Microsoft Active Directory, this value is a URI.
• Last Name: Enter the IdP field that holds the user's last name. If you are integrating with Microsoft Active Directory, this value is a URI.
• E-mail: Enter the IdP field that holds the user's email address. For example, http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress. If you are integrating with Microsoft Active Directory, this value is a URI.

Security Settings

• Authentication Requests Signed? Indicates whether your configuration requires authentication requests to be signed for security. Select this check box to set this value to True.

Extra Settings

• • Logout URL: (Optional) The URL of the landing page where users go after logging out. This is an optional field.

Click Save and Test. A window like the following appears (values have been hidden in this example):

Configure Your IdP Manually or Using the XML File 

Use the information on the Set up your Service Provider information screen to populate your service provider with the relevant information. When you're done, come back to this screen and click the button to indicate you're ready to start testing.

A test screen such as the following appears:

Click Test SSO Connection to start the test.

If the configuration has problems, an error screen appears with information to help you identify the issues.

Update your configuration and try the test again.

If the configuration is set up correctly, a success screen appears.

Once the test is successful, go back to the platform and click Test was successful to apply your configurations.

Your users will not be able to log in with SSO until you click Test was successful. 

How to Migrate Users to SSO

Some or all of your users may have begun using the application before you set up SSO. These users are accustomed to signing in to the web platform from https://cloudacademy.com/login/ or https://myqa.qa.com/account/login and the mobile app from the initial splash screen.

When you set up SSO, these users can continue using their standard login procedure until they are ready to change to the custom process. After they enter their email address in the field and see the button change to Login with SSO, they can click Login with Email to display the usual Password and CAPTCHA fields.

Once a user logs in to the platform using your custom URL or to the mobile app using the company SSO login screen for the first time, the application migrates the account to require using the SSO going forward.