Skip to main content
supports single sign-on (SSO) via either the SAML 2.0 or OpenID authentication protocols. This feature enables identity providers such as Microsoft Entra ID (formerly Azure Active Directory) or Okta, which support these protocols, to serve as SSO platforms for .

Overview

Enabling SSO requires that you configure a group of settings on the Security tab of the Settings page. When you configure the SSO settings, users that are created within should be given a federation Identifier (Id). This federation Id associates a username with an identity provider entity. When the user attempts to log in to the application, it is redirected to the SSO platform where the credentials for the appropriate identity must be entered. If Just-in-Time (JIT) user provisioning is enabled (also from the Security tab), a new user account is automatically created in at the time of login, based on attributes that are received from the identity provider (for example, the user’s name and email address). This identity and access management (IAM) process streamlines onboarding by eliminating the need for manual account creation. For more details, see Just-in-Time (JIT) User Provisioning. After SSO is configured and users have a federation Id value to associate them with an identity provider, any additional advanced configuration for SSO user management should be performed directly in the SSO platform, as explained in the following sections.
  • Once SSO is enabled, existing users who are not members of the Admin role cannot log in unless they have a federation Id (described below) on their account. Admin users can still log in without SSO in case the SSO settings need to be reconfigured.
  • Currently, supports only individual users, not groups of users. If an SSO platform provides access for a group of users, each individual user within that group must be added as a user on the Settings page in order to log in. Each user should reference the federation Id from the identity provider.
The following sections explain how to set up SSO configuration through two identity providers, Microsoft Entra ID and Okta, with the OpenID Connect and SAML 2.0 authentication protocols.

SSO Settings

This section describes each of the SSO settings and what they represent in . The details of these settings might differ based on your IdP.

OpenID Connect Settings

SettingDescription
Callback URLThe callback URL is configured in the IdP (not ) to indicate where users should be returned once they perform the authentication against the IdP.
OAuth Client IdThe client Id associated with the OAuth application created in the IdP.
OAuth Client SecretThe client secret associated with the OAuth application created in the IdP.
Audience URIsThe intended recipient of SSO login tokens. This ensures that tokens generated by the SSO platform are intended for use by . Set this value to the URI that identifies as a trusted application in your SSO platform (for example, the Application Id that the SSO platform generated for ). To accommodate multiple URIs, supply a comma-separated list.
Discovery URLRequired to import settings from your SSO provider.
Issuer CertificateThe public portion of the certificate that the IdP uses to sign JWT tokens. This helps ensure that only tokens generated by the expected IdP are accepted.
Token Issuer IdentifierThe identifier used by the IdP when generating JWT tokens. validates tokens to ensure that they include this identifier. This helps ensure that only tokens generated by the expected IdP are accepted.
Authorization URLThe URL where the user should perform authorization via the IdP. When an SSO user attempts to login in to , the application redirects the user to this URL where they enter their SSO platform credentials.
Token URLThe URL where a secure authentication token can be obtained from the IdP.
Logoff URLSpecifies where the user is redirected after logging out of the application.
Default ScopesA space-separated list of scopes (sets of permissions) to request from the IdP. Typically the scope(s) should at least include profile openid to request identity verification.
Key ClaimThe value from the IdP to treat as the federation Id. In other words, this specifies the claim to use as the federation Id when mapping users from the IdP to usernames.
Token Signature AlgorithmWhich signature algorithms are accepted from signed JWT tokens. Unsigned tokens are never accepted.
Just-in-Time (JIT) ProvisioningWhether a new user account is created automatically in when a user first logs in. User details are based on the attributes provided in the claim.
Default RoleThe Role (Support, Standard, or Admin) assigned to accounts created during JIT provisioning. If you select No Default Role, the role specified in the claim is used.

SAML 2.0 Settings

SettingDescription
Assertion Consumer Services (ACS) URLThe endpoint on the application where the IdP sends the SAML authentication response after a user successfully logs in. This is similar to the Callback URL setting in OpenID.
Audience URIA unique identifier (typically the application’s Entity ID) that the SAML assertion is intended for. Used to validate that the response is meant for your application.
SAML Discovery URLThe endpoint used to determine which IdP should be used for authentication. Required to import settings from your SSO provider.
Issuer CertificateThe public portion of the certificate that the IdP uses to sign JWT tokens. Helps ensure that only tokens generated by the expected IdP are accepted.
Entity IDA globally unique identifier used to identify an IdP or service provider in a SAML authentication process (often formatted as a URI).
SSO URLThe IdP endpoint where the service provider redirects the user to initiate the SAML authentication flow.
Logoff URLSpecifies where the user is redirected after logging out of the application.
Just-in-Time (JIT) ProvisioningWhether a new user account is created automatically in when a user first logs in. User details are based on the attributes provided in the SAML assertion.
Default RoleThe Role (Support, Standard, or Admin) assigned to accounts created during JIT provisioning. If you select No Default Role, the role specified in the SAML assertion is used.

Configuring Microsoft Entra ID for SSO

The following sections explain how to set up Microsoft Entra ID for SSO via either OpenID Connect or SAML 2.0.

OpenID Connect Configuration

Single sign-on (SSO) with Microsoft Entra ID streamlines access to , enabling just-in-time provisioning at the time of login. The following steps explain how to set up Microsoft Entra ID for SSO with the OpenID Connect protocol.
  1. Log in to the Azure portal and open Microsoft Entra ID.
  2. Log in to and select Settings > SSO to open the Single Sign-On (SSO) Settings dialog box.
  3. Browse to Entra ID > App registrations > New registration and create an application registration for . Follow the prompts to complete the process.
  4. In your app registration, set the redirect URL to the Callback URL value that is specified in the Single Sign-On (SSO) Settings dialog box in , as shown below. Redirect URL configuration in Azure app registration
  5. In the Single Sign-On (SSO) Settings dialog box in , specify the following properties:
    1. Set the Client ID property to the value of Application (client) Id that is found in the new app registration shown below. Application client ID in Azure app registration
    2. Set the Client Secret property to the value of the new client secret that you created in the Client credentials section of your app registration.
    3. Set Discovery URL to the OpenID Connect MetaData document value from the Endpoint page in your app registration. Then, click Import to import the remaining settings into .
  6. Click Save and Test in to verify the SSO configuration. opens a new tab and prompts you to sign in to your Microsoft account. If the test succeeds, displays a success message along with claim details.
  7. (Optional) Update your user account with your federation Id.
    1. Copy the federation Id from the Single Sign-On (SSO) Settings dialog box in step 5.
    2. Navigate to Settings > Users. Then, locate your user account and click Edit.
    3. Add the federation Id to your user account. Then click Save to save your change and exit the dialog box.
At this point, you have completed the basic OpenID Connect SSO setup, allowing your users to log in to through Microsoft Entra ID.

SAML 2.0 Configuration

With SAML-based single sign-on (SSO), users can seamlessly authenticate through their organization’s identity provider, enabling just-in-time provisioning at the time of login. The following steps explain how to set up Microsoft Entra ID SSO with the SAML 2.0 protocol.
  1. Log in to the Azure portal and open Microsoft Entra ID and navigate to the Enterprise applications page.
  2. Select New application > Create your own application. In the Create your own application dialog box:
    1. Enter a name for your application (for example, CData Arc).
    2. Specify what you want to do with your application by selecting one of the options under What are you looking to do with your application?
    3. Click Create.
  3. In your newly created application, select Set up single sign on.
  4. Select SAML as the sign-on method.
  5. Log into and select Settings > SSO. On that SSO tab, click Configure in the Single Sign On (SSO) Settings section. This action displays the Single Sign On (SSO) Settings dialog box.
  6. Select SAML 2.0. This selection displays the Assertion Consumer Services (ACS) URL and the audience URI. SAML 2.0 SSO settings dialog showing ACS URL and audience URI
    Keep this dialog box open because you need to return to it later in these steps.
  7. In Entra ID, set Reply URL (Assertion Consumer Service URL) to the Assertion Consumer Services (ACS) URL value in . Then, set Identifier (Entity ID) in Entra ID to the Audience URI value in .
    Leave the Sign on URL text box empty if you plan to use sign-on initiated by your identity provider.
  8. In the Single Sign-On (SSO) Settings dialog box, set Discovery URL to the App Federation Metadata URL value that is found in Entra ID. Then, click Import to import the remaining settings into .
  9. Click Save and Test in to verify the SSO configuration. opens a new tab and prompts you to sign in to your Microsoft account. If the test succeeds, displays a success message along with claim details.
    If you use the .NET edition, see Known SAML 2.0 Configuration Issue for .NET for information on a .NET issue that can affect the test.
  10. (Optional) Update your user account with your federation Id.
    1. Copy the federation Id from the Single Sign-On (SSO) Settings dialog box in step 9.
    2. Navigate to Settings > Users. Then, locate your user account and click Edit.
    3. Add the federation Id to your user account. Then click Save to save your change and exit the dialog box.
At this point, you have completed the basic SAML SSO setup, allowing your users to log in to through Microsoft Entra ID.

Configuring Okta for SSO

The following sections explain how to set up Okta for SSO via either OpenID Connect or SAML 2.0.

OpenID Connect Configuration

Single sign-on (SSO) with Okta streamlines access to , enabling just-in-time provisioning at the time of login. The following steps explain how to set up Okta for SSO with the OpenID Connect protocol.
  1. Log in to the Okta Admin Console and select Applications > Applications > Create App Integration. Okta create app integration
  2. In the Create a new app integration dialog box, select OIDC - OpenID Connect for Sign-in method and Web Application for Application type. Then click Next. Create new app integration dialog in Okta
  3. Log in to and select Settings > SSO to open the Single Sign-On (SSO) Settings dialog box.
  4. In Okta, set the redirect URI to the Callback URL value that is specified in the Single Sign-On (SSO) Settings dialog box in , as shown below. Redirect URI configuration in Okta Then, click Next to create your application.
  5. Locate and copy the Issuer URL, as follows.
    1. Click the Sign-On tab for your application in the Okta Admin Console.
    2. Scroll to the OpenID Connect ID Token section.
    3. Copy the URL from the Issuer field.
    If you want to sign in through an authorization server, you must obtain the Issuer URL for that particular server. In the Okta Admin Console, click Security in the left navigation pane, and then select API to display the Authorization Servers list. Locate your authorization server and copy the URL from the Issuer field.
  6. In the Single Sign-On (SSO) Settings dialog box in , specify the following properties:
    1. Set the Client ID and Client Secret properties to the corresponding values that are found on the General tab in Okta.
    2. Set Discovery URL to the Issuer URL that you copied previously, and append the OpenID Connect Discovery endpoint (.well-known/openid-configuration). Example: https://MyOrganization.okta.com/.well-known/openid-configuration Then, click Import to import the remaining settings into .
  7. Click Save and Test in to verify the SSO configuration. opens a new tab and prompts you to sign in to your Okta account. If the test succeeds, displays a success message along with claim details.
  8. (Optional) Update your user account with your federation Id.
    1. Copy the federation Id from the Single Sign-On (SSO) Settings dialog box in step 6.
    2. Navigate to Settings > Users. Then, locate your user account and click Edit.
    3. Add the federation Id to your user account. Then click Save to save your change and exit the dialog box.
At this point, you have completed the basic OpenID Connect SSO setup, allowing your users to log in to through Okta.

SAML 2.0 Configuration

With SAML-based single sign-on (SSO), users can seamlessly authenticate through their organization’s identity provider, enabling just-in-time provisioning at the time of login. The following steps explain how to set up Okta for SSO with the SAML 2.0 protocol.
  1. Log in to the Okta Admin Console and select Applications > Create App Integration. This step opens the Create a new app integration dialog box.
  2. Select SAML 2.0 as the sign-in method. Then, click Next, which opens the Create SAML Integration dialog box.
  3. Enter a descriptive name (for example, ) for your application in the App Name text box. You can also add a logo for your application, if you choose. Then, click Next.
  4. In the application, click the SSO tab on the Settings page. On that tab, click Configure in the Single Sign On (SSO) Settings section. This action displays the Single Sign On (SSO) Settings dialog box.
  5. Select SAML 2.0. This selection displays the Assertion Consumer Services (ACS) URL and the audience URI. SAML 2.0 SSO settings dialog showing ACS URL and audience URI
    Keep this dialog box open because you need to return to it later in these steps.
  6. In Okta, enter the Assertion Consumer Services (ACS) URL value from into the Single sign on URL text box. Then, enter the Audience URI value from into the Audience URI (SP Entity ID) text box. You can leave the default settings for the remaining Okta fields.
  7. In , set Discovery URL to the domain of your registered Okta organization, followed by /oauth2/default/.well-known/openid-configuration. Example: https://trial-1234567.okta.com/oauth2/default/.well-known/openid-configuration Then, click Import to import the remaining settings into .
  8. Click Save and Test in to verify the SSO configuration. opens a new tab and prompts you to sign in to your Okta account. If the test succeeds, displays a success message along with claim details.
    If you use the .NET edition, see Known SAML 2.0 Configuration Issue for .NET for information on a .NET issue that can affect the test.
  9. (Optional) Update your user account with your federation Id.
    1. Copy the federation Id from the Single Sign-On (SSO) Settings dialog box in step 8.
    2. Navigate to Settings > Users. Then, locate your user account and click Edit.
    3. Add the federation Id to your user account. Then click Save to save your change and exit the dialog box.
At this point, you have completed the basic SAML SSO setup, which enables you to log in to through Okta.

Just-in-Time (JIT) User Provisioning

As mentioned earlier, Just-in-Time user provisioning enables to create and manage user accounts automatically at first login by using information that is provided by your identity provider. JIT provisioning is particularly useful when users access through an identity provider for the first time, and the application receives a secure message confirming their identity. The resulting account is assigned a default role, as specified in the SSO settings. This functionality streamlines user onboarding and ensures account details remain consistent with identity claims. When a user logs in to by using SAML or OpenID Connect, searches for that user via a federation Id.
  • If a user does not exist, creates a new user automatically by using the information that is provided in the authentication claim.
  • If a user does exist, updates the user’s username and email if they do not match the claim values.

Requirements and Mappings in your Identity Provider

Identity-provider requirements vary depending on whether you use SAML 2.0 or OpenID Connect. This section explains claim requirements for each authentication method. OpenID Connect
  • By default, subcontrols are mapped to the user’s role and the claim is mapped to the federation Id. As an option, admin users can use a different field (for example, oid) by setting the Key Claim property in .
  • The Email claim maps to Email Address in .
  • The preferred_username claim maps to name in .
SAML 2.0
  • The NameID and Email claims are required.
  • (Optional) You can add the Name claim, which maps to Username in .
  • (Optional) You can add the Role claim, which controls the user’s role.

JIT Configuration in Arc

To enable and configure JIT provisioning in :
  1. Enable JIT provisioning, as follows:
    1. Select Settings > SSO in .
    2. Click the tablet and pencil tablet and pencil icon to open the Just-in-Time (JIT) Provisioning dialog box.
    3. Select Enabled under the JIT Provisioning category.
    4. (Optional) Set a default role by selecting a role from the Default Role list.
    5. Click Save to save your selection and exit the dialog box.
When a user logs in, adjusts the role based on the following order:
  1. If the claim contains a role, searches for that role and updates the user account.
  2. If the role claim does not exist or is invalid, uses the configured default role.
  3. If a default role is not configured, the user account has no role and the Admin user must update the user’s role manually.

Known SAML 2.0 Configuration Issue in .NET

When you configure SAML 2.0 in the .NET edition, clicking the Save and Test button appears to authenticate successfully but then displays an error. This is a known .NET platform issue, and your actual SAML login is unaffected. These settings are not included in Web.Config by default because relaxing the SameSite cookie restrictions can increase exposure to cross-site request forgery (CSRF) attacks. Enabling this workaround trades stricter default security for compatibility with certain SAML 2.0 login flows in .NET. Follow these steps to work around the issue:
  1. Add the following to your Web.Config file (by default, the file is in C:\Program Files\CData\CData Arc\www):
    • cookieSameSite="None" requireSSL="true" in authentication mode="forms"
    • sameSite="None" requireSSL="true" in httpCookies
    • cookieSameSite="None" cookieless="UseCookies" in sessionState
  2. Restart Arc with HTTPS.
This sample Web.Config file shows the necessary updates: 
<configuration>
  <system.web>
    <!--  ... -->
    <authentication mode="Forms">
      <forms name="Arc" path="/" loginUrl="~/login.rst" protection="All" timeout="30" defaultUrl="~/default.rst" cookieSameSite="None" requireSSL="true">
      </forms>
    </authentication>
    <!--  ... -->
    <httpCookies httpOnlyCookies="true" sameSite="None" requireSSL="true"/>
    <sessionState timeout="10" cookieSameSite="None" cookieless="UseCookies" />
    <!--  ... -->
  </system.web>
</configuration>