Configure SSO to support multiple tenants

Note

SSO multi-tenant support is not provided by default. If you need to support multiple tenants in your SSO configuration, contact Support and request it in addition to the SSO feature.

If you have multiple Moogsoft Cloud tenants (such as a test instance and a production instance) and need to enable the same SSO configuration for all of them, you must use the multi-tenant setup option to configure SSO.

Important

Be sure to use this method for SSO setup on multiple tenants; completing the SSO configuration separately for different tenants will fail to work consistently.

To configure SSO for multiple tenants:

Set up SSO for one of your tenants. Moogsoft supports:
This first configured instance is your primary instance for your SSO configuration. When you enable SSO multi-tenancy on your subsequent instances, they will receive SSO configuration information from this primary instance. For more information, see Manage multi-tenant SSO.
After setting up SSO on the first tenant, be sure to enable and test SSO. Log in using SSO as the other procedures direct.
On the Single Sign-On (SSO) page of your configured tenant, click Show multi-tenant configuration.
Copy the Connection ID string.
Disable the authentication provider.
- For OIDC:
  Navigate to Settings > Single Sign-On and click View Configuration, then click Disable.
- For PingFederate:
  Navigate to Settings > Single Sign-On and click Disable Authentication Provider.
Disabling SSO allows you to log in to your other tenants during the configuration process without SSO attempting to authenticate you with a partially functioning setup.
Note
At this point, no one will be able to log in using SSO. It is important to finish configuring your additional tenants so that users can log in properly.
Log in to Moogsoft on your second tenant.
Navigate to Settings > Single Sign-On.
In the Multi-tenant Setup box, click Configure.
In the dialog that opens, paste the Connection ID string in the Connection ID box.
Under Login Domains, enter a domain and click Add Domain.
Repeat for additional domains.
NOTE: You must include at least one login domain. You can add additional login domains at any time.
Click Save and Enable.
Paste the Connection ID and configure at least one login domain as indicated for all tenants sharing the same SSO configuration.
When you have completed configuring SSO on all other applicable tenants, log in to your first tenant from Step 1.
Re-enable the authentication provider:
- For OIDC:
  On the Single Sign-On page, click View Configuration, then click Enable.
- For PingFederate:
  On the Single Sign-On page, click Finish Configuration and then re-enable the authentication provider.
This enables SSO for all configured tenants.
(Optional) Configure groups and roles for the additional tenants.
Configuring group and role mappings is an optional, but recommended, step. Keep in mind that if roles are not configured for users, and no default role is set up, then all users who are added to the system via SSO will have administrator permission.
Navigate to Settings > Single Sign-On. Under Role and Group Mapping (Optional), click Edit Mappings.
1. Add one or more additional scopes:
  Note
  Only add additional scopes if you do not have the data you need in Auth0. If you add a field which does not exist in the payload, then your users will be authenticated but will be unable to use the application.
  In the Additional Scopes field, enter a space-separated list of scopes that Moogsoft can request from the external authentication system. This list must include the scopes the system will use for group mapping and any scopes used for other purposes. For example: preferred_contact location department.
  Moogsoft automatically adds openid email profile if these scopes are not provided.
2. Add SSO role mappings:
  Use this section to map each claim value to the corresponding Moogsoft role.
  NOTE: You can create custom roles in Moogsoft to map to your SSO roles. See Custom roles for details.
  Under Role Mappings, click Add Role Mapping.
  In the Add Role Mapping dialog, enter the Role Claim Key and the Role Claim Value in the indicated fields.
  Click Select Role and, from the list that opens, select the Moogsoft role to map to the selected Claim Value.
  Click Add Mapping.
  Tip
  By default, users with no role are assigned the Admin role. You can select a different default role, and even create a custom role for this purpose.
  Enter the claim key in the Role Claim Key field.
  Enter default for the Role Claim Value.
  Click Select Role and select the role to use as the default from the list.
  When users are added that do not have a role assignment, they will now be assigned this default role.
3. Add your SSO group mappings:
  Map your group claim values to Moogsoft groups. To map an SSO group to a Moogsoft group, you must first create the target group in Moogsoft. For information on creating user groups for SSO, see Add groups to use with SSO.
  Under Group Mappings, click Add Group Mapping.
  In the Add User Group Mapping dialog, enter the Group Claim Key, and the Group Claim Value in the indicated fields.
  Click Select User Group and, from the list that opens, select the Moogsoft group to map to the selected Claim Value.
  Click Add Mapping.
4. Click Save.

In this section:

Configure SSO to support multiple tenants

Note

Important

Note

Note

Tip

Search results