Managing Single Sign-On
After you've configured Single Sign-On (SSO) using a third-party identity provider (IdP), you may need to update the configuration. You can also disable SSO and re-enable it later, if desired.
You can't delete a Single Sign-On configuration after it's added to the system.
You can update the Name and Description of an existing Single Sign-On configuration. You can also reconfigure the settings to enable SSO using a different identity provider.
To edit the IdP configurations for SSO:
- Log in to the Secure Endpoint Console as a user with Manage permissions for Authentication. The System Administrator role is the only Default role with this permission.
- On the navigation bar, click Settings > Authentication settings.
- In the Single Sign-On area, click View Identity Provider. The existing IdP configuration is displayed.
- Click Edit to open the Set up Single Sign-On dialog.
- Do one of the following:
  - To update the properties for the existing IdP:
    - Click the Name field and edit the name of the Single Sign-On configuration.
    - Click the Description field and edit the description.
  - To set up Single Sign-On for a new IdP:
    - Click Download Metadata and save the absolute-metadata.xml file to a location on your workstation.
    - Click Download Encryption and Signing Certificates. Depending on the number of certificates included in the package, one of the following files is downloaded:
      - absolute-cert-<expiration date>.pem: individual certificate file containing the SP public key for both encryption and signature verification
      - absolute-certs-<expiration date>.zip: zip file containing multiple .pem files for encryption, signature verification, or both
    - Log in to the new identity provider and complete the steps to add Absolute as a new SAML service provider (SP), that is, a system entity that relies on a trusted identity provider (IdP) for user authentication and authorization. Depending on your IdP, you may be able to add the configuration by uploading the certificate file you downloaded, the metadata file you downloaded, or both. For more information about adding a new SP to your IdP, refer to the documentation provided by your IdP.
    - Download the IdP metadata file that was generated when you added Absolute to your IdP. Save the file to a location on your workstation.
    - On the Set up Single Sign-On page in the Secure Endpoint Console, click the Name field and edit the name for this new Single Sign-On configuration.
    - Click the Description field and edit the description.
    - To replace the existing IdP metadata file, click Import Metadata and navigate to the location of the metadata file you downloaded from your IdP. The file must be in XML format and be 500 KB or less in size.
- Click . The SSO configuration is updated.
If you set up a new identity provider by uploading a new IdP metadata file, it may take up to 30 minutes for the changes to take effect.
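Before importing a new IdP metadata file, it is worth checking it offline against the constraints stated above (XML format, 500 KB or less) and for the SAML 2.0 elements a service provider needs from IdP metadata: an entity ID, at least one SingleSignOnService endpoint and at least one signing certificate, so that the wrong file (SP metadata, a bare certificate, an HTML error page saved by mistake) is caught before upload. The script below is an added example, not Absolute's code or any part of the Secure Endpoint Console; the sample metadata document, the idp.example.test host names and the reading of "500 KB" as 500 × 1024 bytes are constructed assumptions.

```python
"""Pre-import sanity checks for a SAML 2.0 IdP metadata file.

Added example, not Absolute's code. Verifies the page's stated limits
(well-formed XML, at most 500 KB) and the presence of the IdP metadata
elements a SAML service provider relies on.
"""
import sys
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
MAX_BYTES = 500 * 1024  # assumption: "500 KB" taken as 500 KiB

# Constructed sample: a minimal IdP metadata document, as an IdP might export it.
# The certificate body is a placeholder, not a real certificate.
SAMPLE_IDP_METADATA = b"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.test/saml/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIB...placeholder...</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def check_idp_metadata(data: bytes, max_bytes: int = MAX_BYTES) -> dict:
    """Inspect metadata bytes; report["problems"] is empty when the file looks importable."""
    report = {"size": len(data), "entity_id": None, "sso_endpoints": [],
              "signing_certs": 0, "problems": []}
    if len(data) > max_bytes:
        report["problems"].append(f"file is {len(data)} bytes, limit is {max_bytes}")
    try:
        root = ET.fromstring(data)  # expat does not resolve external entities by default
    except ET.ParseError as exc:
        report["problems"].append(f"not well-formed XML: {exc}")
        return report
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        report["problems"].append(f"root element is {root.tag}, expected SAML 2.0 EntityDescriptor")
        return report
    report["entity_id"] = root.get("entityID")
    if not report["entity_id"]:
        report["problems"].append("EntityDescriptor has no entityID")
    idp = root.find(f"{{{MD_NS}}}IDPSSODescriptor")
    if idp is None:
        report["problems"].append("no IDPSSODescriptor (SP metadata uploaded instead of IdP metadata?)")
        return report
    for sso in idp.findall(f"{{{MD_NS}}}SingleSignOnService"):
        report["sso_endpoints"].append((sso.get("Binding"), sso.get("Location")))
    if not report["sso_endpoints"]:
        report["problems"].append("IDPSSODescriptor has no SingleSignOnService endpoint")
    for kd in idp.findall(f"{{{MD_NS}}}KeyDescriptor"):
        # A KeyDescriptor without a "use" attribute serves both signing and encryption.
        if kd.get("use", "signing") == "signing" and kd.find(f".//{{{DS_NS}}}X509Certificate") is not None:
            report["signing_certs"] += 1
    if report["signing_certs"] == 0:
        report["problems"].append("no signing certificate; SAML responses from this IdP could not be verified")
    return report


def metadata_is_importable(data: bytes) -> bool:
    """True when no problem was found."""
    return not check_idp_metadata(data)["problems"]


if __name__ == "__main__":
    # Usage: python check_idp_metadata.py <path-to-idp-metadata.xml>; no path runs the sample.
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_IDP_METADATA
    result = check_idp_metadata(raw)
    print(f"entityID: {result['entity_id']}, size: {result['size']} bytes, "
          f"SSO endpoints: {len(result['sso_endpoints'])}, signing certs: {result['signing_certs']}")
    for problem in result["problems"]:
        print("PROBLEM:", problem)
    sys.exit(1 if result["problems"] else 0)
```

The check deliberately stops at structure: it does not validate the certificate itself or the metadata signature, so a file that passes is plausible IdP metadata, not yet proven to belong to the IdP you intend; that remains the point of obtaining it directly from the IdP's administrative interface.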
To disable Single Sign-On:
- Log in to the Secure Endpoint Console as a user with Manage permissions for Authentication.
- On the navigation bar, click Settings > Authentication settings.
- In the Single Sign-On area, click .
- On the confirmation message, click . Single Sign-On is disabled, and an SSO disabled event is logged to Event History. If SCIM integration was enabled, it is also disabled.
Going forward, users will use the Absolute Identity Provider to log in to the Secure Endpoint Console. Each non-suspended user will receive an email containing a link to reset the password for their Absolute user account.
If an identity provider is already configured for your account, you can re-enable Single Sign-On if it's disabled.
To re-enable Single Sign-On:
- Log in to the Secure Endpoint Console as a user with Manage permissions for Authentication.
- On the navigation bar, click Settings > Authentication settings.
- In the Single Sign-On area, click .
- On the confirmation message, click .
Single Sign-On is re-enabled, and an SSO enabled event is logged to Event History.
If your IdP is experiencing an issue and is unavailable, System Administrators can bypass the IdP and log in directly to the Secure Endpoint Console.