
Setup Single Sign-On (SSO)

This guide describes how to configure Single Sign-On (SSO) for RegScale using industry-standard authentication protocols. It covers OAuth 2.0/OpenID Connect setup (including Microsoft Entra ID, formerly Azure AD, and Okta) and SAML configuration. SSO lets users sign in to RegScale with credentials from a centralized Identity and Access Management (IAM) solution, which gives you centralized user management, Multi-Factor Authentication (MFA) enforced by the IdP, integration with enterprise authentication monitoring tools, and the IdP's adaptive authentication policies. RegScale supports both OAuth 2.0 and SAML for SSO.

OAuth Configuration

Prerequisites

  • Your IAM solution must support OAuth 2.0 with OpenID Connect (RegScale reads user identity from the ID token).
  • The ID token issued to RegScale must include the claims family_name, given_name, email and preferred_username. A roles claim is optional and is used for role mapping (see Step 3).

Step 1: Configure IAM

  1. Register a new application in your IAM system.
  2. Generate a Client ID and identify the Authority URI.
    • Example: https://dev-123456.okta.com/oauth2/default
  3. Provide these values to your RegScale administrator.

Provider-specific steps for Microsoft Entra and Okta are given later in this guide.

Step 2: Configure RegScale

  1. In RegScale, open the profile menu and select Automation Manager.
  2. Choose the OAuth tile.
  3. Click Configure.
  4. Enter the values:
    • Client ID: value from the IAM configuration
    • Authority: URI from the IAM configuration (the issuer of the ID tokens)
    • Redirect URI: https://<your-regscale-domain>/login (must match the redirect URI registered in the IdP exactly)
  5. Toggle Enable OAuth Single Sign-On (SSO).

Step 3: Assign Roles

To map users to RegScale roles:

  • Ensure the ID token includes a roles claim, populated from your IAM groups or app roles.
  • RegScale matches each value of the claim against its defined role names, so the values must match the RegScale role names (e.g., Administrator); values that match no defined role are ignored.

See Role-Based Access Control for available roles.

Step 4: User Login

Users log in via the SSO Auth button on the login page. If multiple tenants are configured, users will select the appropriate one.


Configure Microsoft Entra

  1. Log in to Azure Portal.
  2. Navigate to Microsoft Entra ID > App registrations.
  3. Click + New registration and set:
    • Name: RegScale
    • Supported account type: Accounts in this organizational directory only
    • Redirect URI: platform Single-page application (SPA), value https://<your-regscale-domain>/login
  4. After registration, note the values RegScale needs:
    • Client ID: the Application (client) ID
    • Authority: https://login.microsoftonline.com/<Directory (tenant) ID>/v2.0, built from the Directory (tenant) ID (v2.0 ID tokens carry this URL as their iss claim)
    • Redirect URI: https://<your-regscale-domain>/login
  5. Configure token attributes:
    • Go to Token configuration
    • Add the optional claims family_name, given_name and email to the ID token (preferred_username is included in v2.0 ID tokens by default)

Entra Role Mapping

To map Entra app roles to RegScale roles:

  1. In the app registration, go to App roles.
  2. Add roles whose Value matches a RegScale role name (e.g., Administrator); the Value is what appears in the token's roles claim.
  3. Under Enterprise applications > RegScale > Users and groups, assign users or groups to those roles. Only assigned roles are emitted in the roles claim.

Configure Okta

  1. Log in to Okta Admin Console.
  2. Go to Applications > Applications and click Create App Integration (Add Application in older consoles).
  3. Choose OIDC - OpenID Connect as the sign-in method and Single-Page Application as the application type.
  4. Set:
    • Name: RegScale
    • Sign-in redirect URI: https://<your-regscale-domain>/login
    • Grant Types: enable Authorization Code and Refresh Token. A SPA is a public client, so Okta uses the Authorization Code flow with PKCE and issues no client secret.
  5. Save and collect:
    • Client ID
    • Authority: the issuer URI of the authorization server that will issue the tokens (e.g., https://dev-123456.okta.com/oauth2/default for the default custom authorization server)
  6. Configure RegScale using the collected values.

Okta Role Mapping

  1. In Okta, open the authorization server named in the Authority (Security > API > Authorization Servers > default > Claims) and add a claim named roles to the ID token, with value type Groups and a filter that selects the groups to expose.
  2. Name the Okta groups after RegScale roles (e.g., Administrator) so the claim values match RegScale role names, and assign users to those groups.
  3. RegScale assigns roles during the user's first login based on this claim.

See Okta Claims Guide for details.
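The prerequisites, Step 3 and the Entra and Okta role-mapping sections all come down to what the ID token carries. The following Python script is an added example, not RegScale's own code or any IdP's library: it decodes a constructed ID token and applies those requirements, namely that iss equals the configured Authority, aud contains the Client ID, the token is unexpired, the four required claims are present, and the roles claim is mapped against an assumed set of RegScale role names (KNOWN_ROLES, with Administrator as on this page and Reader as an assumption). Signature verification against the authority's JWKS is assumed to have happened first and is not shown. The tenant, client ID and user values are constructed.

```python
import base64
import json
import time

# Claims the guide requires in the ID token; "roles" is optional and drives role mapping.
REQUIRED_CLAIMS = ("family_name", "given_name", "email", "preferred_username")
# Assumed set of RegScale role names ("Administrator" is named on the page, "Reader" is assumed).
KNOWN_ROLES = {"Administrator", "Reader"}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_token(payload: dict) -> str:
    """Build a constructed ID token for testing. The signature segment is a
    placeholder: real tokens are RS256-signed and must be verified against the
    authority's JWKS before any claim below is trusted."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "constructed"}
    return ".".join([
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(payload, separators=(",", ":")).encode()),
        _b64url_encode(b"placeholder-signature"),
    ])


def decode_claims(token: str) -> dict:
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialized JWT")
    return json.loads(_b64url_decode(parts[1]))


def check_id_token(token: str, authority: str, client_id: str,
                   known_roles=KNOWN_ROLES, now=None) -> tuple:
    """Apply the guide's claim requirements to an already signature-verified
    ID token. Returns (problems, mapped_roles, ignored_roles)."""
    now = time.time() if now is None else now
    claims = decode_claims(token)
    problems = []
    # iss must equal the Authority configured in RegScale: the Okta authorization
    # server URL, or https://login.microsoftonline.com/<tenant>/v2.0 for Entra.
    if claims.get("iss") != authority.rstrip("/"):
        problems.append(f"issuer {claims.get('iss')!r} does not match authority")
    aud = claims.get("aud")
    if not (aud == client_id or (isinstance(aud, list) and client_id in aud)):
        problems.append("audience does not contain the RegScale Client ID")
    if claims.get("exp", 0) <= now:
        problems.append("token has expired")
    for name in REQUIRED_CLAIMS:
        if not claims.get(name):
            problems.append(f"missing required claim: {name}")
    roles = claims.get("roles", [])
    if isinstance(roles, str):  # some IdPs emit a single role as a bare string
        roles = [roles]
    # Only values that match a defined RegScale role are mapped; the rest are ignored.
    mapped = [r for r in roles if r in known_roles]
    ignored = sorted(set(roles) - set(known_roles))
    return problems, mapped, ignored


# Constructed claims in the shape an Okta default authorization server issues them.
SAMPLE_CLAIMS = {
    "iss": "https://dev-123456.okta.com/oauth2/default",
    "aud": "0oa1exampleclientid",
    "iat": 1_700_000_000,
    "exp": 1_700_003_600,
    "sub": "00u1exampleuser",
    "email": "jane.doe@example.com",
    "preferred_username": "jane.doe@example.com",
    "given_name": "Jane",
    "family_name": "Doe",
    "roles": ["Administrator", "Finance"],
}

if __name__ == "__main__":
    token = make_sample_token(SAMPLE_CLAIMS)
    print(check_id_token(token, "https://dev-123456.okta.com/oauth2/default",
                         "0oa1exampleclientid", now=1_700_000_100))
```

Run it against a real token by pasting the ID token from the browser's network trace and the Authority and Client ID you entered in RegScale; an issuer mismatch usually means the Authority has the wrong tenant, authorization server or a v1.0 endpoint, and a missing claim means the optional claim or custom claim was not added on the IdP side.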


SAML Configuration

Note: RegScale recommends OAuth. Use SAML only if required by your organization. Only one authentication method (OAuth or SAML) can be active per tenant.

RegScale's SAML integration uses SP-initiated login (RegScale redirects the user to the IdP to start the flow). Keep this in mind when creating the application in your SAML provider.

  1. Log in to RegScale as an admin.
  2. Go to Automation Manager > SAML.
  3. Click Config and paste a valid JSON config (see example below).

Configuration JSON Example

{
  "IdPMetadata": "https://dev-08722230.okta.com/app/exkdg7dgikWTfuRYX5d7/sso/saml/metadata",
  "Issuer": "Okta_SAML_Example",
  "SignatureAlgorithm": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
  "CertificateValidationMode": "ChainTrust",
  "RevocationMode": "NoCheck"
}
  • IdPMetadata: URL of your IdP's SAML metadata document. RegScale reads the IdP's entity ID, SSO endpoint and signing certificate from it, so it should be served over HTTPS.
  • Issuer: the entity ID RegScale presents as the service provider. It must match the value the IdP application was configured to expect (the Audience URI / SP Entity ID in Okta).
  • SignatureAlgorithm: the XML signature algorithm, rsa-sha256 as shown. Do not downgrade to rsa-sha1.
  • CertificateValidationMode: how the IdP signing certificate is validated; ChainTrust requires it to chain to a trusted root CA.
  • RevocationMode: whether revocation of the IdP signing certificate is checked. NoCheck skips revocation checking entirely; prefer a stricter mode if your IdP publishes CRL or OCSP information for its signing certificate.

Notes

  • The assertion must carry custom attributes with the following names (exact names):
<saml2:AttributeStatement>
  <saml2:Attribute
        Name="Email"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml2:AttributeValue>...</saml2:AttributeValue>
  </saml2:Attribute>

  <saml2:Attribute
        Name="LastName"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml2:AttributeValue>...</saml2:AttributeValue>
  </saml2:Attribute>

  <saml2:Attribute
        Name="FirstName"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml2:AttributeValue>...</saml2:AttributeValue>
  </saml2:Attribute>
</saml2:AttributeStatement>
  • The NameID format should be urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress, with the user's email address as the NameID value.
  • If you are using RegScale SaaS and require two-way encryption (encrypted assertions), contact RegScale to exchange a certificate.
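To see what the configuration JSON and the attribute requirements in this section amount to, here is an added Python check (not RegScale code or any IdP's library). It flags weak settings in a config shaped like the example above and validates a constructed SAML assertion against the requirements listed here: Audience equals the configured Issuer, NameID in emailAddress format, the Email/FirstName/LastName attributes present under their exact names, and the Conditions time window. XML signature verification is out of scope for this check. The config values, IdP URL and user are constructed.

```python
import json
import xml.etree.ElementTree as ET
from datetime import datetime

# Namespace of the assertion elements shown in the guide.
NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# Attribute names are matched exactly, as written in the guide's snippets.
REQUIRED_ATTRS = ("Email", "FirstName", "LastName")

# Hypothetical SP config in the shape the guide shows (all values constructed).
SP_CONFIG = json.loads("""{
  "IdPMetadata": "https://idp.example.com/app/abc123/sso/saml/metadata",
  "Issuer": "Okta_SAML_Example",
  "SignatureAlgorithm": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
  "CertificateValidationMode": "ChainTrust",
  "RevocationMode": "NoCheck"
}""")

# Constructed assertion as an IdP would return it after SP-initiated login
# (unsigned; signature verification is not part of this check).
SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c0ffee" IssueInstant="2024-01-01T12:00:00Z" Version="2.0">
  <saml2:Issuer>https://idp.example.com/abc123</saml2:Issuer>
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.com</saml2:NameID>
  </saml2:Subject>
  <saml2:Conditions NotBefore="2024-01-01T11:55:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml2:AudienceRestriction><saml2:Audience>Okta_SAML_Example</saml2:Audience></saml2:AudienceRestriction>
  </saml2:Conditions>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="Email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml2:AttributeValue>jane.doe@example.com</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="FirstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml2:AttributeValue>Jane</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="LastName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml2:AttributeValue>Doe</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""


def config_warnings(cfg: dict) -> list:
    """Flag SP config settings that weaken validation of the IdP's signing certificate."""
    warnings = []
    if cfg.get("RevocationMode") == "NoCheck":
        warnings.append("RevocationMode NoCheck: IdP signing certificate revocation is never checked")
    if cfg.get("CertificateValidationMode") != "ChainTrust":
        warnings.append("CertificateValidationMode is not ChainTrust")
    if "sha1" in cfg.get("SignatureAlgorithm", "").lower():
        warnings.append("SignatureAlgorithm uses SHA-1")
    if not cfg.get("IdPMetadata", "").startswith("https://"):
        warnings.append("IdPMetadata is not fetched over HTTPS")
    return warnings


def _ts(value: str) -> datetime:
    # SAML timestamps are UTC with a trailing Z; fromisoformat wants an explicit offset.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_assertion(xml_text: str, sp_issuer: str, now: str) -> tuple:
    """Check the assertion against this section's requirements.
    Returns (problems, user); user is filled only when there are no problems."""
    root = ET.fromstring(xml_text)
    problems, user = [], {}
    now_dt = _ts(now)

    cond = root.find("saml2:Conditions", NS)
    if cond is None:
        problems.append("no Conditions element")
    else:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now_dt < _ts(nb):
            problems.append("assertion not yet valid")
        if not noa or now_dt >= _ts(noa):
            problems.append("assertion expired")
        audiences = [a.text for a in cond.findall("saml2:AudienceRestriction/saml2:Audience", NS)]
        if sp_issuer not in audiences:
            problems.append(f"Audience {audiences} does not match configured Issuer {sp_issuer!r}")

    name_id = root.find("saml2:Subject/saml2:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_NAMEID:
        problems.append("NameID missing or not in emailAddress format")
    elif "@" not in (name_id.text or ""):
        problems.append("NameID is not an email address")

    attrs = {}
    for attr in root.findall("saml2:AttributeStatement/saml2:Attribute", NS):
        val = attr.find("saml2:AttributeValue", NS)
        if val is not None and val.text:
            attrs[attr.get("Name")] = val.text.strip()
    for name in REQUIRED_ATTRS:
        if name not in attrs:
            problems.append(f"missing attribute {name} (names are case-sensitive)")
    if not problems:
        user = {"email": attrs["Email"], "first_name": attrs["FirstName"], "last_name": attrs["LastName"]}
    return problems, user


if __name__ == "__main__":
    print(config_warnings(SP_CONFIG))
    print(check_assertion(SAMPLE_ASSERTION, SP_CONFIG["Issuer"], "2024-01-01T12:00:00Z"))
```

To use it on a real login, decode the base64 SAMLResponse captured from the browser's POST to RegScale, pass the Assertion element text with the Issuer from your config, and read the problems list; an Audience mismatch means the Okta Audience URI and the Issuer value in the JSON differ, and a missing attribute usually means the attribute statement name differs in case from Email, FirstName or LastName.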

Additional Resources