Service-level response times are the same as for general-release features. Although this feature has undergone significant testing and is not expected to change significantly before general release, it is not recommended for production environments. Use it for development and testing purposes only.
Security Assertion Markup Language (SAML) is an XML-based standard for passing authentication assertions from an Identity Provider (IdP) to a Service Provider (SP), such as a software-as-a-service application. SAML lets a user log on once, at the IdP, and be granted access to affiliated web sites. Because authentication is centralized at the IdP, an organization can require two-factor authentication, enforce geo-location restrictions, and forward authentication logs to an Intrusion Detection System (IDS) once, for every affiliated application.
RightScale has SAML 2.0-based Single Sign-On (SSO) functionality for Enterprise Plan customers who request this feature. With this feature enabled, you can synchronize a RightScale account with an existing identity provider (such as OneLogin, Okta, PingIdentity, etc.) to create, update, and provision users to access RightScale.
Note: You must already have a SAML identity provider, such as OneLogin, Okta, PingFederate, or ADFS, set up. If you use a hosted provider, search its application catalog for RightScale by name to see whether it offers a guided setup process.
Use the following information to set up a trust relationship with RightScale's SAML Service Provider:
|Setting|Value|
|---|---|
|Entity ID| |
|saasid (if prompted)| |
|Assertion Consumer Service URL| |
Depending on your identity provider, you may need to enter either all three or just two of the above items.
Note: We do not provide an XML metadata URI at this time. You will need to manually configure the trust relationship.
The discovery hint is what your users type into the "SSO Identifier" field when they arrive at the RightScale login page without having performed IdP-initiated login, or when they want to link an existing RightScale user to your IdP.
Your organization's domain name (e.g. exampledomain.com) is a good choice for a discovery hint. The hint must be a well-formed DNS name (it does not have to resolve) and must be unique across the RightScale platform.
If you are concerned about revealing to third parties that you use RightScale, specify a non-obvious discovery hint. Keep in mind that the hint is an identifier, not a secret: anyone who knows it can type it into the login page, so an obscure hint only hides the association between your domain and RightScale. It does not restrict who can authenticate; that remains the job of your IdP.
Note: The Discovery Hint/SSO Identifier must be in the form of a domain name (at least two labels), not a single word.
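The two rules above (well-formed DNS name, at least two labels, no need to resolve) are easy to get subtly wrong when building a provisioning script or a login form. The following is an added example, not RightScale's own validation code; it applies the RFC 1035/1123 hostname label rules (1 to 63 characters, letters, digits and hyphens, no leading or trailing hyphen, 253 characters overall), which this page does not spell out and are assumed here.

```python
"""Validate a discovery hint (SSO Identifier) before sending it to a login form.

Added example, not RightScale's code. Rules from the page: a well-formed DNS
name with at least two labels, which need not resolve. Per-label syntax is
assumed to follow RFC 1035/1123 hostname rules.
"""
import re

# One label: alnum, optional alnum/hyphen run, alnum; 1..63 chars, no edge hyphen.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def explain_hint(hint: str) -> str:
    """Return 'ok' or a short reason the hint is rejected (for a form or CLI)."""
    name = hint.strip().lower().rstrip(".")  # tolerate a trailing root dot
    if not name:
        return "empty hint"
    if len(name) > 253:
        return "name longer than 253 characters"
    labels = name.split(".")
    if len(labels) < 2:
        return "must be a domain name with at least two labels, not a single word"
    for label in labels:
        if not label:
            return "empty label (leading or consecutive dots)"
        if len(label) > 63:
            return f"label '{label[:12]}...' longer than 63 characters"
        if not LABEL_RE.match(label):
            return f"label '{label}' must use only a-z, 0-9 and '-' and not start or end with '-'"
    return "ok"


def is_well_formed_hint(hint: str) -> bool:
    """True if the hint passes every rule in explain_hint."""
    return explain_hint(hint) == "ok"


if __name__ == "__main__":
    # Constructed candidates: the first and last two are accepted, the middle ones rejected.
    for candidate in ["exampledomain.com", "acme", "-bad.example.com", "a..b",
                      "sso.acme-corp.internal", "exampledomain.com."]:
        print(f"{candidate!r:28} {explain_hint(candidate)}")
```

A hint that fails here would be rejected when you register it, so validating client-side simply gives users a clearer error; it is not a security control.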
Please provide the following information to your RightScale account manager:
RightScale will call the Business Contact you provide, after verifying the information against our CRM database, to grant access to this feature. RightScale will then provide the remaining information you need, such as the "Relay State Value", to set up your IdP.
Once access to SAML SSO has been set up for a RightScale account, there are two main use cases to consider:
Note: As a safety measure, the "Mandatory Single Sign-On" setting, which compels anyone who interacts with your enterprise accounts to authenticate through your IdP, can only be enabled or disabled by a RightScale Technical Account Manager (TAM). Contact your TAM to enable this feature.
You can enable SAML SSO for a user by logging in, then navigating to Settings > User Settings > Authentication.
To log in with SAML SSO, choose "Use Single Sign-On" on the RightScale login page and enter the Discovery Hint identifier provided by your company's security administrator.
RightScale then redirects you to your IdP. Once the IdP has authenticated you, you are returned to RightScale and taken directly to the Dashboard.
Note: RightScale stores the Identifier you provide in an informational cookie on your machine, so you do not need to re-enter it each time you log in with Single Sign-On. Remember your Identifier, however, so that you can log in from other machines.
You can also create user accounts that are pre-configured for SAML through our provisioning API. This lets third parties such as Okta and PingIdentity create users automatically from Active Directory or other identity sources, and lets you write your own synchronization scripts against any proprietary identity store.
© 2006-2014 RightScale, Inc. All rights reserved.
RightScale is a registered trademark of RightScale, Inc. All other products and services may be trademarks or servicemarks of their respective owners.