
Enable SSO Login

NineData supports SSO login, which reduces the time and effort needed to log in and improves efficiency. This article explains how to manage SSO login.

Prerequisites

  • You have already created or joined an organization, and the organization has subscribed to DevOps Enterprise. Please ensure that your annual or monthly subscription is still active. For more information, please refer to Manage Organizations.
  • Your current account has been switched to the target organization. For more information, please refer to Switching to an Organization.
  • Your role is a system administrator. For more information, see Roles.
  • An IdP provider has already been registered. This article will use Azure AD as a demonstration.

Notes

  • After SSO login is enabled, the identity of the current organization will change from ORG to SSO. Except for Administrator, all members can only log in to the organization through SSO.
  • After SSO login is enabled, Administrator cannot add members by Inviting users, but can only add them by creating SSO users.
  • To disable SSO, there must be an Administrator role in the organization with another Account Type called General; otherwise, SSO cannot be disabled.

Steps

  1. Log in to the NineData Console.

  2. Click Account > Organization on the left navigation bar.

  3. On the Organization Info page, click on the toggle switch next to Login With SSO to enable SSO login, and then configure according to the table below.

    Parameter | Description
    Open Login With SSO | Switch to enable SSO functionality.
    Protocol Type | Supports two protocols: SAML 2.0 and OAuth 2.0.
      • SAML 2.0: An XML-based open standard for exchanging authentication and authorization data between an Identity Provider (IdP) and a Service Provider (SP).
      • OAuth 2.0: An authorization framework that allows users to grant third-party applications access to their resources without exposing their username and password.
    Organization domain | Enter your organization's domain. You can directly input your organization's name.
    Org Login URL | The system automatically generates Org Login URL based on the entered Organization domain. This link can subsequently be used to log directly into the target organization.
    OAuth Service Provider Metadata (OAuth 2.0) | Automatically generates Identifier (Entity ID) and Reply URL (Assertion Consumer Service URL) based on the entered Organization domain. Used for association on the IdP provider's configuration page. For more information, see DingTalk Integration with NineData SSO.
    Parameters (OAuth 2.0) | Enter the information obtained from the IdP provider. For more information, see DingTalk Integration with NineData SSO.
    SAML Service Provider Metadata (SAML 2.0) | Automatically generates Identifier (Entity ID) and Reply URL (Assertion Consumer Service URL) based on the entered Organization domain. Click Download to the right of SAML Service Provider Metadata to associate via the downloaded XML file in the IdP provider's console and obtain the metadata information required for SSO login. For more information, see Feishu Integration with NineData SSO.
    Metadata (SAML 2.0) | Enter the certification information obtained from the IdP provider for Identifier (Entity ID), Login URL, Logout URL, and Certificate respectively. You can also click Upload File to Auto-recognition to upload the Federation Metadata XML file downloaded from the IdP provider to automatically populate the metadata information. For more information, see Feishu Integration with NineData SSO.
    Allow SSO Account Auto-join (Optional) | Enable as needed. When enabled, users logging into NineData via SSO will be automatically added to NineData, eliminating the need for you to perform the Create SSO User operation in advance.
      Note: If the administrator disables SSO login later, SSO users in the organization will no longer be able to log in, while General users will be unaffected.
    Default Role (Optional) | Optional when Allow SSO Account Auto-join is enabled. Specifies the default role(s) bound to automatically joined SSO users, supporting single or multiple selection.
    User information mapping (Optional) | Used after enabling SSO to automatically write user fields returned by the Identity Provider (IdP) into the user profile within the NineData system. Configuring field mapping automatically populates basic information such as email, phone number, and username upon the user's first SSO login, reducing the administrative workload of manual entry.
  4. Click Save.

Appendix: Configuring Applications in Azure AD

  1. Sign in to the Azure portal using an administrator account.

  2. In the top search bar, type Enterprise applications and click Enterprise applications in the search results.

  3. Click New application and on the Browse Azure AD Gallery page, click Create your own application.

  4. In the window that pops up on the right, customize the application name and select Integrate any other application you don't find in the gallery (Non-gallery) below, and then click Create.

  5. After the application is created, the page automatically redirects to the overview page of the application. Click Single sign-on in the left navigation bar, and click SAML as the sign-in method.

  6. On the Set up Single Sign-On with SAML page, click Upload metadata file, select the XML file downloaded in the Enable SSO Login steps, and click Add.

  7. On the Basic SAML Configuration page that pops up on the right, click Save.

  8. Scroll down to the third section (SAML Certificate) on the page and click Download on the right of Federation Metadata XML.

    Tip: The XML file contains metadata information (Azure AD Identifier, Login URL, Logout URL, Certificate) required for SSO login. If you do not download this XML file, you can manually record the metadata information in the fourth section and download the certificate (base64) in the third section.
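
Before uploading the Federation Metadata XML into the Metadata (SAML 2.0) field, it is worth checking what it actually contains. The following added example (not NineData or Azure code) extracts the four values the form asks for and the signing certificate's SHA-256 fingerprint, so they can be compared with what the IdP console shows. The sample document, tenant ID and certificate bytes are constructed placeholders, and the function names are assumptions.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
# Constructed sample: placeholder tenant ID and placeholder certificate bytes.
TENANT = "00000000-0000-0000-0000-000000000000"
URL = f"https://login.microsoftonline.com/{TENANT}/saml2"
FAKE_CERT = base64.b64encode(b"constructed placeholder, not a real certificate").decode()
SAMPLE = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/{TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{FAKE_CERT}</X509Certificate></X509Data></KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="{REDIRECT}" Location="{URL}"/>
    <SingleSignOnService Binding="{REDIRECT}" Location="{URL}"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

def _location(idp, tag):
    """Return the HTTP-Redirect endpoint for tag, insisting on https."""
    for el in idp.findall(f"md:{tag}", NS):
        if el.get("Binding") == REDIRECT:
            url = el.get("Location", "")
            if urlparse(url).scheme != "https":
                raise ValueError(f"{tag} is not https: {url!r}")
            return url
    raise ValueError(f"no HTTP-Redirect {tag} in metadata")

def parse_idp_metadata(xml_text):
    """Extract Identifier, Login URL, Logout URL and certificate fingerprint."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD/entity declarations are not allowed in metadata")
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor" or idp is None:
        raise ValueError("not a SAML IdP EntityDescriptor")
    certs = idp.findall("md:KeyDescriptor[@use='signing']//ds:X509Certificate", NS)
    if not certs:
        raise ValueError("no signing certificate in metadata")
    der = base64.b64decode("".join((certs[0].text or "").split()), validate=True)
    return {"entity_id": root.get("entityID"),
            "login_url": _location(idp, "SingleSignOnService"),
            "logout_url": _location(idp, "SingleLogoutService"),
            "cert_sha256": hashlib.sha256(der).hexdigest()}
```

Run `parse_idp_metadata` on the contents of the downloaded file; a metadata file that declares a DTD, lacks a signing certificate, or lists a non-https endpoint is rejected with `ValueError` instead of being passed on.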