How to set up Cloud SSO

There are two ways to log into Cloud: with a login/password created in Cloud itself, or with single sign-on (SSO). Where possible, SSO is recommended, as it has a number of benefits. SSO lets you manage accounts centrally in a third-party identity system you're already using. This simplifies administration, spares each user a separate login/password combination and lets you enforce your own security policies (password rules, MFA, offboarding) at the identity provider rather than in Cloud, among other things.

Cloud supports both OpenID Connect (OIDC) and SAML for setting up SSO. Any identity provider (IdP) that supports at least one of these options is a suitable candidate for use with Cloud. Azure Active Directory, Google and Okta are just a few examples of identity providers that you can log into Cloud with.

SSO can be set up quickly, as explained in the steps below. Cloud SSO is currently marked as a preview feature, as further usability changes may be made later.

1. Open SSO connection popup in Cloud

As the user setting up the SSO connection for a particular domain, you'll first need to log into Cloud using a regular Cloud-created login/password combination. Select a site and then click the Settings menu in the bottom-left corner of your screen. Select the Single Sign-On menu and then hit the Add SSO Connection button.

In the resulting popup, select the type of SSO connection you want to set up and hit Continue. Cloud supports two types of SSO connections, SAML (Security Assertion Markup Language) and OIDC (OpenID Connect). Which one you choose will depend on the identity provider you're using and the type(s) it supports. If you're using Azure AD as your IdP for instance, SAML is a suitable SSO connection type.

2. Exchange SSO connection details between Cloud and IdP

Once you've selected your preferred SSO connection type, you are asked for a descriptive name for the connection, which you can freely choose, and several pieces of information regarding the connection. This is information you'll gather from your identity provider (IdP). Conversely, you'll also need to take some of the info provided in the Cloud popup and input it in your IdP configuration.

Exactly where in your IdP you find and enter the necessary info for the SSO connection depends on the IdP you're using. Below, instructions are linked for Azure AD and Okta, but many other identity providers can be used.

Consult the website and documentation of your specific identity provider (IdP) for up-to-date instructions on how to configure SAML or OIDC in that IdP.
For SAML, make sure the certificate you provide in the Cloud SSO popup is the IdP's signing certificate in Base64-encoded form (a .cer exported as Base-64 encoded X.509, or a .pem file), not a binary DER export. Only the public certificate is needed; never paste a private key or a .pfx.

Sample SSO setup instructions for Azure AD and Okta:

3. Configure attributes of SSO connection on IdP side

Cloud's underlying SSO login process requires each user to have an email address and for that address to be verified, because the email address is what identifies the user's Cloud account. In the attribute setup of your SSO connection on the IdP side, make sure the IdP sends both the user's email and an email_verified attribute with the value "true" to Cloud. Only assert email_verified for addresses the IdP has actually verified. Our knowledge base contains more specific attribute setup instructions for Azure AD and Okta, but the process is similar for other identity providers.

Do not skip this step. Adding these attributes is important as they are required by Cloud's underlying SSO login process.
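Before enabling the domain, you can check offline what your IdP will send. The following is an added Python example (not Lansweeper's code) covering the certificate note in step 2 and the attribute requirement in step 3: it converts a binary DER .cer export to PEM, pulls the attributes out of a SAML assertion and the claims out of an OIDC id_token, and reports which of email / email_verified is missing or wrong. Assumptions: the attribute names "email" and "email_verified" are used literally (the knowledge base article for your IdP may specify different claim names or URIs), the sample assertion, token and certificate bytes are constructed for this example, and the id_token is decoded without signature verification, for inspection only.

```python
"""Added pre-flight check for steps 2 and 3 (example code, not Lansweeper's).

Checks that (a) the SAML certificate is Base64/PEM text, not a binary DER
export, and (b) the IdP's SAML assertion or OIDC id_token carries an email
plus email_verified = true. All sample inputs below are constructed.
"""
import base64
import json
import ssl
import xml.etree.ElementTree as ET

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed placeholder bytes, not a real certificate: the ssl helpers only
# re-encode, so any DER-looking blob is enough to exercise the conversion.
FAKE_DER = b"\x30\x82\x01\x0a" + bytes(range(256))

# Constructed assertion. Attribute names follow the article ("email",
# "email_verified"); your IdP's KB article may use different claim URIs.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0">
  <saml:Subject><saml:NameID>alice@yourdomain.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="email">
      <saml:AttributeValue>alice@yourdomain.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="email_verified">
      <saml:AttributeValue>true</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def normalize_certificate(raw: bytes) -> str:
    """Return the certificate as PEM text, converting a binary DER (.cer) export.

    Format check only: ssl.DER_cert_to_PEM_cert / PEM_cert_to_DER_cert re-encode
    without validating the certificate itself.
    """
    text = raw.lstrip()
    if text.startswith(PEM_HEADER.encode("ascii")):
        pem = text.decode("ascii")
        ssl.PEM_cert_to_DER_cert(pem.strip())   # ValueError if header/footer are malformed
        return pem
    if raw[:1] == b"\x30":                      # DER starts with the outer SEQUENCE tag
        return ssl.DER_cert_to_PEM_cert(raw)
    raise ValueError("not a PEM or DER certificate; export it as Base64 X.509")


def saml_attributes(assertion_xml: str) -> dict:
    """Map each <saml:Attribute Name> to its list of AttributeValue strings."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = attr.iterfind("saml:AttributeValue", SAML_NS)
        attrs[attr.get("Name")] = [v.text.strip() for v in values if v.text]
    return attrs


def unsigned_id_token(claims: dict) -> str:
    """Build a constructed, UNSIGNED id_token so the claim check can be run offline."""
    def b64url(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([b64url({"alg": "none", "typ": "JWT"}), b64url(claims), ""])


def oidc_claims(id_token: str) -> dict:
    """Decode the id_token payload for inspection only; the signature is NOT verified."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)        # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_required_claims(claims: dict) -> list:
    """Return what would stop the Cloud SSO login; an empty list means OK.

    SAML delivers values as strings ("true"), OIDC as a JSON boolean, so both
    spellings of a verified flag are accepted.
    """
    def first(value):
        return value[0] if isinstance(value, list) and value else value

    problems = []
    email = first(claims.get("email"))
    if not isinstance(email, str) or "@" not in email:
        problems.append("email missing or not an address")
    verified = first(claims.get("email_verified"))
    if verified is not True and str(verified).lower() != "true":
        problems.append("email_verified missing or not true")
    return problems


if __name__ == "__main__":
    print(normalize_certificate(FAKE_DER).splitlines()[0])
    print("SAML:", check_required_claims(saml_attributes(SAMPLE_ASSERTION)) or "ok")
    token = unsigned_id_token({"sub": "1", "email": "alice@yourdomain.com",
                               "email_verified": True})
    print("OIDC:", check_required_claims(oidc_claims(token)) or "ok")
```

Replace the constructed samples with a real assertion (captured with a SAML tracer browser extension) or a real id_token. Because the signature is not checked here, use the result only to confirm attribute names and values while configuring the IdP, never as an authentication decision.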

4. Add, verify, enable your domain

Once you've exchanged all of the necessary details between Cloud and your IdP, hit Continue in the Cloud popup. You are now asked to submit the domain(s) you want to configure the SSO connection for. Hit the Add Domain button and, in the resulting popup, submit your domain name with the format yourdomain.com.

Hit Add Domain and copy the code that the popup then shows. Add this code as a TXT record at your domain's DNS provider to verify the domain. If necessary, consult the website and documentation of your specific DNS provider for up-to-date instructions on how to set up a TXT record. Hit Got It in Cloud when done. DNS verification then happens automatically after a few minutes, or you can hit the Verify Domain button to trigger it manually.

Once your domain is verified, make sure to actually enable it for SSO by hitting the Enable domain button.

The TXT record is an added security measure that lets Cloud verify you own the domain before its SSO settings take effect. Once the domain has been verified, you can remove the TXT record from your DNS configuration again.
Enabling a domain is currently an irreversible action. Make sure you actually want to enable the domain and manage its SSO connection before proceeding, as you won't be able to delete a fully enabled SSO connection. Your submitted domain configuration also applies to that domain for all Cloud sites, not just your own: other users in the same domain will be able to use your SSO settings when logging into any site in Cloud, but they will not be able to reconfigure the SSO connection.
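To see whether your TXT record is already visible in public DNS before you hit Verify Domain, here is an added Python example (not Lansweeper's code). It parses `dig +short TXT` output, joining the quoted chunks dig prints for long records, and checks whether one record equals the verification code. Assumptions: the record is set on the apex name yourdomain.com exactly as submitted in the popup, EXAMPLE_CODE is a placeholder for the code the popup shows (the real format may differ), the public resolver address is an arbitrary choice, and the sample dig output is constructed.

```python
"""Added check for step 4 (example code, not Lansweeper's): confirm the
verification TXT record is visible in public DNS before hitting Verify Domain.

Assumptions: the record is on the apex (yourdomain.com) as the popup asks,
EXAMPLE_CODE is a placeholder for the code the popup shows, and
SAMPLE_DIG_OUTPUT is constructed to look like `dig +short TXT yourdomain.com`.
"""
import re
import shutil
import subprocess

EXAMPLE_CODE = "example-verification-code-0123456789"   # placeholder, not a real format

SAMPLE_DIG_OUTPUT = '''"v=spf1 include:_spf.example.net -all"
"example-verification-code-0123456789"
"long-record-part-one " "part-two"
'''

# One double-quoted chunk, allowing backslash-escaped characters inside it.
_CHUNK = re.compile(r'"((?:[^"\\]|\\.)*)"')


def parse_txt_records(dig_short_output: str) -> list:
    """Turn dig +short TXT output into one string per record.

    dig prints each record as double-quoted chunks on a single line; a record
    longer than 255 bytes is split into several chunks, which are joined here.
    Backslash escapes that dig adds for quotes and backslashes are removed.
    """
    records = []
    for line in dig_short_output.splitlines():
        chunks = _CHUNK.findall(line)
        if chunks:
            records.append("".join(re.sub(r"\\(.)", r"\1", c) for c in chunks))
    return records


def has_verification_record(records: list, code: str) -> bool:
    """Exact match after trimming: the popup's code must appear as a whole TXT record."""
    return any(r.strip() == code.strip() for r in records)


def lookup_txt(name: str, resolver: str = "1.1.1.1") -> list:
    """Live lookup via dig against a public resolver, so you are not reading an
    answer cached by your local resolver. Needs dig on PATH."""
    if shutil.which("dig") is None:
        raise RuntimeError("dig is not installed")
    result = subprocess.run(["dig", f"@{resolver}", "+short", "TXT", name],
                            capture_output=True, text=True, check=True)
    return parse_txt_records(result.stdout)


if __name__ == "__main__":
    import sys
    domain = sys.argv[1] if len(sys.argv) > 1 else None
    records = lookup_txt(domain) if domain else parse_txt_records(SAMPLE_DIG_OUTPUT)
    print("found" if has_verification_record(records, EXAMPLE_CODE) else "not yet visible")
```

Run it with your domain as the argument to query live DNS; without an argument it runs against the constructed sample. If the record is not visible yet, wait for the TTL of the zone to pass rather than re-adding the record.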

5. Log in with SSO

At this point, once you've set up your SSO connection and have verified that it is working, new or existing Cloud users in your domain should be able to log into Cloud with the Log in with Single Sign-On button. They will be asked for their email address prior to starting the SSO login process.

  • Users who already had a login/password created in Cloud, prior to SSO being enabled for their domain, are by default able to log into Cloud with either their old login details or SSO. When they log in with SSO for the first time, they will be asked to link their old Cloud account with their new SSO one. As part of this process, they are asked to log in with their old account once more.
  • Users who did not already have a login/password created in Cloud will only be able to log in with SSO if SSO is configured for their domain. They will not be able to create another user account in Cloud itself.

You can combine SSO with either Cloud-configured MFA (multi-factor authentication) or the MFA of your IdP, adding an extra layer of security to the login process. If MFA is already set up or enforced in your IdP, it automatically becomes part of the Cloud SSO login for your domain's users.

6. Enforce SSO

Optionally, you can enforce the use of SSO by all users in your site. Go to the Configuration menu with the gear-shaped icon and then to Site settings. Here, you can enable the following switch: Force login with SSO to access this site. If a user subsequently tries to log into your site with a Cloud-created login/password, they will be denied site access.

Make sure SSO is working for all domains that have access to your site before enforcing SSO in your site settings; otherwise some users may be locked out. You can use the lightning-shaped test button next to your SSO connection to validate that the connection is working.
As a site owner, you can still log in with your Cloud-created login/password even if you enforce SSO, so that you don't lose access to your site settings if your domain's SSO setup breaks. Because that owner login bypasses SSO and your IdP's policies, protect it with a strong, unique password and Cloud-configured MFA.

7. Add more SSO connection managers

Optionally, you can also add more managers to your SSO connection. Having multiple managers is ideal for redundancy and security purposes, so you are not dependent on a single person to manage the SSO connection.
