---
title: "SSO sub-tab"
slug: "sso-sub-tab"
updated: 2023-04-17T16:58:26Z
published: 2023-04-17T16:58:26Z
canonical: "docs.zpesystems.com/sso-sub-tab"
---

# SSO sub-tab

With Single Sign-On (SSO), users authenticate once to gain access to multiple secured systems without resubmitting credentials. Nodegrid currently supports multiple identity providers. ![](https://cdn.document360.io/763c5fb1-b9af-4ccd-9ad6-cf28ae4cd5a3/Images/Documentation/image-1678894714465.png)

### Add SSO

1. Go to *Security :: Authentication :: SSO*.
2. Click **Add** (displays dialog). ![](https://cdn.document360.io/763c5fb1-b9af-4ccd-9ad6-cf28ae4cd5a3/Images/Documentation/image-1678895333498.png)
3. Enter **Name.**
4. On **Status** drop-down, select one (Enabled, Disabled).
5. Enter **Entity ID** (globally unique name).
6. Enter **SSO URL.**
7. Enter **Issuer.**
8. On *X-509 Certificate* menu, select one:
  - **Local Computer** radio button (expands dialog). Click **Choose File** to locate and select file. ![](https://cdn.document360.io/763c5fb1-b9af-4ccd-9ad6-cf28ae4cd5a3/Images/Documentation/image-1678895306051.png)
  - **Local System** radio button (expands dialog). On **Certificate Name** drop-down, select one. ![](https://cdn.document360.io/763c5fb1-b9af-4ccd-9ad6-cf28ae4cd5a3/Images/Documentation/image-1678895277660.png)
  - **Remote Server** radio button (expands dialog). ![](https://cdn.document360.io/763c5fb1-b9af-4ccd-9ad6-cf28ae4cd5a3/Images/Documentation/image-1678895232510.png)
    - Enter **URL** (URL can be the IP address or hostname/FQDN. If using IPv6, use brackets [ ... ]. Supported protocols: FTP, TFTP, SFTP, and SCP.).
    - Enter **Username** and **Password.**
    - (optional) Select **The path in url to be used as absolute path name** checkbox.
  - **Text Input** radio button (expands dialog). Enter in **Certificate** text box. ![](https://cdn.document360.io/763c5fb1-b9af-4ccd-9ad6-cf28ae4cd5a3/Images/Documentation/image-1678895204811.png)
9. Select **Force Re-authentication** checkbox.
10. Select **Sign Request** checkbox.
11. Select **Enable Single Logout** checkbox (expands dialog). Enter **Logout URL**. ![](https://cdn.document360.io/763c5fb1-b9af-4ccd-9ad6-cf28ae4cd5a3/Images/Documentation/image-1678895140621.png)
12. (optional) **Icon**, click **Select Icon** (expands dialog). Click on a logo to set as 2-Factor icon. ![](https://cdn.document360.io/763c5fb1-b9af-4ccd-9ad6-cf28ae4cd5a3/Images/Documentation/image-1678895119543.png)
13. Click **Save**.

The following fields are required to configure a successful SAML flow for each Identity Provider:

**SAML Requirements**

| **Identity Provider (IdP)** | **Copy Fields from Nodegrid to IdP** | **Paste Fields from IdP to Nodegrid** |
| --- | --- | --- |
| Duo | Login URL; Entity ID | SSO URL; Entity ID; Download Certificate |
| Okta | Single Sign On URL; Audience URI (SP Entity ID) | Identity Provider SSO URL; Identity Provider Issuer; X.509 Certificate |
| G Suite | ACS URL; Entity ID | SSO URL; Entity ID; Certificate |
| Ping | Entity ID; ACS URL | Issuer; Idpid (the idpid from Ping is used as the SSO URL field in Nodegrid: `https://sso.connect.pingidentity.com/sso/idp/SSO.saml2?idpid=` + the idpid) |
| ADFS | Entity ID (maps to Relying party trust identifier); ACS URL (maps to Trusted URL) | Entity ID (maps to Issuer on Nodegrid) |

**IdP configuration fields:**

- *Entity ID* (globally unique name for the SP URL)
- *ACS URL* (Assertion Consumer Service URL to which the Identity Provider redirects the user and sends the SAML assertion after its authentication process.)
- *Attributes* (attributes that IdP sends back with the SAML assertion. SP can have more than one attribute, nameID is the most common.)
- *SAML Signature Algorithm* (either SHA-1 or SHA-256. Used with X.509 certificate. Default: SHA-256.)

**SP configuration fields:**

- *X.509 Certificate* (certificate provided by the IdP to allow the SP to verify that the SAML assertion is from the IdP)
- *Issuer URL/Entity ID* (unique identifier of the IdP)
- *Single Sign On URL* (IdP endpoint that starts the authentication process)
- *RelayState:* (optional) (deep linking for SAML for `<ip>/direct/<device>/console`)

For more information on SSO, please see [https://support.zpesystems.com/portal/kb/articles/single-sign-on-sso](https://support.zpesystems.com/portal/kb/articles/single-sign-on-sso)

### Import Metadata

1. Go to *Security :: Authentication :: SSO*.
2. Click **Import Metadata** (displays dialog). ![](https://cdn.document360.io/763c5fb1-b9af-4ccd-9ad6-cf28ae4cd5a3/Images/Documentation/image-1678895626189.png)
3. Enter **Name.**
4. On **Status** drop-down, select one (Enabled, Disabled).
5. Enter **Entity ID** (globally unique name).
6. On *Metadata* menu, select one:
  - **Local Computer** radio button (expands dialog). Click **Choose File**, locate and select. ![](https://cdn.document360.io/763c5fb1-b9af-4ccd-9ad6-cf28ae4cd5a3/Images/Documentation/image-1678895649330.png)
  - **Local System** radio button (expands dialog). On **Metadata File** drop-down, select one. ![](https://cdn.document360.io/763c5fb1-b9af-4ccd-9ad6-cf28ae4cd5a3/Images/Documentation/image-1678895665853.png)
  - **Remote Server** radio button (expands dialog): ![](https://cdn.document360.io/763c5fb1-b9af-4ccd-9ad6-cf28ae4cd5a3/Images/Documentation/image-1678895682878.png)
    - Enter **URL** (URL can be the IP address or hostname/FQDN. If using IPv6, use brackets [ ... ]. Supported protocols: FTP, TFTP, SFTP, and SCP.)
    - Enter **Username** and **Password.**
    - (optional) Select **The path in url to be used as absolute path name** checkbox.
7. (optional) **Icon**, click **Select Icon**. Click on a logo to set as 2-Factor icon.
8. Select **Force Re-authentication** checkbox.
9. Select **Sign Request** checkbox.
10. Select **Enable Single Logout** checkbox.
11. Click **Save**.
