Configuring SSO in Studio for User Management

DronaHQ Studio allows you to configure your own SSO provider for managing users instead of manually adding users to DronaHQ.

You can locate this feature by clicking the Manage Users > SSO Configuration option.

Studio supports 2 SSO providers -

  1. SAML
  2. OAuth

Configuring SAML

To configure SAML, you need the SAML metadata configuration from your SAML IdP. Once you have that information, follow the steps below to add a SAML configuration -

  1. Go to Manage Users > SSO Configuration > + Add SAML Option

  2. Provide a Friendly Name for your SAML configuration.

  3. Add the Entity ID, the Login / SSO URL and the Certificate File in .cer format. Select the Binding type from the dropdown and add a Restricted domain so that DronaHQ automatically redirects to the SSO URL whenever it receives a sign-in request from a user whose email ID belongs to the given restricted domain.

  4. Add parameters to the Claim List. You need to map the key names of the fields returned for a successfully logged-in user to the DronaHQ fields - User Name, User Email, User Id and Group Name. User Email and User Name are mandatory and must be mapped, but you can additionally map Group Name to give the end user restricted access to apps. For example, you may want to restrict the Finance-related MicroApps to the Finance team in your organization, the HR MicroApps to your HR team, and so on. By default all users will be mapped to the Default group.

  5. Enable the JIT user provisioning toggle if you want DronaHQ to provision user accounts when users sign in via SAML/OAuth for the first time. This means you won’t have to manually invite each user to DronaHQ first. If you disable this toggle, refer to the "Invite User using SSO option" section below.

  6. Copy the DronaHQ SAML Metadata URL and Callback URL, which you will need to enter in your SSO provider's configuration.

  7. Finally, click on Save to draft.

  8. Your recently saved SAML configuration appears in the list above. Click the Test SSO button to open the SSO login URL in a popup.

  9. Once you log in successfully, and if everything is set up correctly, you will see a success message at the bottom.

  10. Now that testing is successful, click the more option for the SSO configuration above and click Activate to make it live.

  11. You should now see that your configuration status is Active.

To read more on SSO configuration with SAML using OKTA refer to here.

Configuring OAuth

To configure OAuth, you need the OAuth client configuration from your IdP. Once you have that information, follow the steps below to add an OAuth configuration -

  1. Go to Manage Users > SSO Configuration > + Add OAuth Option

  2. Provide a Friendly Name for your OAuth configuration.

  3. Add the Client ID and Client Secret of your OAuth Client App. Add a Restricted domain so that DronaHQ automatically redirects to the SSO URL whenever it receives a sign-in request from a user whose email ID belongs to the given restricted domain. Add the Scope based on the permissions you have given to your OAuth Client. The openid scope is the most commonly used scope.

  4. Add the Authorization Request Endpoint, Access Token Request Endpoint and Refresh Token Request Endpoint. You can add custom keys to the above API requests using the Advance section. DronaHQ populates it with default standard keys, and in most cases you won’t need to configure the Advance option.

  5. Add parameters to the Claim List. You need to map the key names of the fields returned for a successfully logged-in user to the DronaHQ fields - User Name, User Email, User Id and Group Name. User Email and User Name are mandatory and must be mapped, but you can additionally map Group Name to give the end user restricted access to apps. For example, you may want to restrict the Finance-related apps to the Finance team in your organization, the HR-specific apps to your HR team, and so on. By default all users will be mapped to the Default group.

  6. Enable the JIT user provisioning toggle if you want DronaHQ to provision user accounts when users sign in via SAML/OAuth for the first time. This means you won’t have to manually invite each user to DronaHQ first. If you disable this toggle, refer to the "Invite User using SSO option" section below.

  7. Copy the DronaHQ OAuth Redirect URL and add it to your OAuth Client App's redirect URI configuration.

  8. Finally, click on Save to draft.

  9. Your recently saved OAuth configuration appears in the list above. Click the Test SSO button to open the SSO login URL in a popup.

  10. Once you log in successfully, and if everything is set up correctly, you will see a success message at the bottom.

  11. Now that testing is successful, click the more option for the SSO configuration above and click Activate to make it live.

  12. You should now see that your configuration status is Active.

Note - You can have multiple SSO configurations at the same time, but each must have a different Restricted Domain.

To read more on SSO configuration with OAuth using OKTA refer to here.
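
The Claim List rules (SAML step 4, OAuth step 5) and the Restricted Domain rule in the note above can be checked offline before you activate a configuration. The following Python is an added example that models those rules, not DronaHQ code; the configuration names, domains and claim keys are constructed, and exact (case-insensitive) domain matching is an assumption about how the redirect is chosen.

```python
MANDATORY = ("User Name", "User Email")  # mandatory fields per the steps above
DEFAULT_GROUP = "Default"

# Constructed configurations; names, domains and claim keys are placeholders.
CONFIGS = [
    {"name": "Corp SAML", "restricted_domain": "example.com",
     "claims": {"User Name": "displayName", "User Email": "mail",
                "User Id": "uid", "Group Name": "department"}},
    {"name": "Partner OAuth", "restricted_domain": "partner.example",
     "claims": {"User Name": "name", "User Email": "email"}},
]


def lint_configs(configs):
    """List problems: duplicate Restricted Domains, unmapped mandatory fields."""
    problems, seen = [], {}
    for cfg in configs:
        domain = cfg["restricted_domain"].strip().lower()
        if domain in seen:
            problems.append(f"{cfg['name']}: domain {domain} already used by {seen[domain]}")
        seen.setdefault(domain, cfg["name"])
        for field in MANDATORY:
            if not cfg["claims"].get(field):
                problems.append(f"{cfg['name']}: {field} is not mapped")
    return problems


def route(email, configs):
    """Pick the configuration whose Restricted Domain equals the email's domain."""
    domain = email.rsplit("@", 1)[-1].strip().lower()
    for cfg in configs:
        if cfg["restricted_domain"].strip().lower() == domain:
            return cfg  # exact match only: a suffix match would accept look-alikes
    return None


def map_claims(cfg, attributes):
    """Apply a Claim List to the attributes the IdP returned for one login."""
    user = {field: attributes.get(key) for field, key in cfg["claims"].items()}
    missing = [f for f in MANDATORY if not user.get(f)]
    if missing:
        raise ValueError(f"IdP response lacks mandatory claims: {missing}")
    user["Group Name"] = user.get("Group Name") or DEFAULT_GROUP
    return user


if __name__ == "__main__":
    login = {"displayName": "Asha", "mail": "asha@example.com"}  # constructed
    print(map_claims(route("asha@example.com", CONFIGS), login))
```

With JIT provisioning enabled, a login whose Group Name claim is empty or unmapped lands in the Default group, so check which apps that group can reach before activating.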

Invite User using SSO option

If you have disabled the JIT user provisioning toggle, you need to manually invite users to your account by following the steps below -

  1. Go to Manage Users > + ADD USERS Option
  2. Enter Name, Email, Select Group and Role option
  3. Enable Toggle > Auto activate login with SSO