Adding an Identity Provider Connection
Overview
Dragonfly Cloud supports Single Sign-On (SSO) integration with external identity providers (IdP) using the SAML 2.0 protocol. This lets your organization centralize user authentication and reuse your existing identity management system.
With SSO enabled, users can:
- Sign in to Dragonfly Cloud using their corporate credentials
- Benefit from your organization's security policies (MFA, password policies, etc.)
- Have their access automatically managed through your identity provider
Supported Identity Providers
Dragonfly Cloud supports the following identity providers:
- Okta: Native integration with Okta using SAML 2.0
- Custom SAML Provider: Any SAML 2.0 compliant identity provider (Azure AD, Google Workspace, Auth0, OneLogin, etc.)
Prerequisites
Before setting up an SSO connection, you need to:
- Verify your domain: You must verify ownership of your organization's email domain. See Domain Verification for detailed instructions.
- IdP Administrator Access: You need administrative access to your identity provider to configure the SAML application.
- SAML Metadata: Your identity provider must provide SAML metadata, including:
- Metadata URL (recommended) or manual configuration
- X.509 Certificate
Adding an SSO Connection
To add a new SSO connection in Dragonfly Cloud:
- Navigate to the Access > SSO section in Dragonfly Cloud.
- Click the Create Connection button, then enter a name, the connection type (Okta or Custom SAML Provider) and the verified domains to link.
- Copy the ACS URL and Entity ID that Dragonfly Cloud displays; you will need both to configure the application on the IdP side.
- Create the SAML application in your identity provider using the ACS URL and Entity ID from step 3.
- Provide the following information from your IdP metadata:
- Metadata URL: Metadata URL of your identity provider
- Certificate: Paste the IdP's PEM-encoded signing certificate into the form
- Click Create Connection to save your configuration
Configuring Your Identity Provider
For detailed provider-specific instructions, see:
Enabling and Managing Connections
After configuring both Dragonfly Cloud and your identity provider:
- Enable the Connection: Toggle the connection to "Enabled" to activate SSO for your domains.
- Test the Connection: Verify that users can successfully authenticate through your IdP.
- Enable SCIM (Optional): Enable SCIM provisioning to automatically manage users. See Managed Users for details.
Disabling an SSO Connection
To disable an SSO connection:
- Navigate to the connection details page
- Toggle the connection to "Disabled"
When a connection is disabled, users from the linked domains can no longer sign in through SSO. Sessions that are already open are not revoked; they remain active until they expire.
Disabling an SSO connection does not delete user accounts. Users created through SSO will still exist in your organization.
Multiple Domains
A single SSO connection can be associated with multiple domains.
This is useful when your organization uses multiple email domains (e.g., company.com and company.io).
Each domain can only be linked to one SSO connection at a time.
Troubleshooting
Common Issues
"Domain is not verified"
- Ensure your domain is verified before attempting to create an SSO connection. See Domain Verification.
"Domain is already used"
- A domain can only be linked to one SSO connection. Unlink it from the other connection first.
"Invalid certificate"
- The certificate must be in valid PEM format and currently valid: the current date must fall between its notBefore and notAfter dates.
"Invalid metadata URL"
- The metadata URL must use the HTTPS scheme.
- The URL must be reachable from the public internet, since Dragonfly Cloud fetches the metadata from it.
"No special characters are allowed"
- Connection names can only contain alphanumeric characters, underscores, and spaces.
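The two inputs from step 5 of "Adding an SSO Connection" (the metadata URL and the PEM certificate) and the "Invalid certificate" and "Invalid metadata URL" checks above can be pre-checked locally before filling in the form. The following Go program is an added example, not Dragonfly Cloud code and not the exact checks Dragonfly Cloud runs: it parses a SAML 2.0 IdP metadata document, extracts the signing certificate(s) from the KeyDescriptor elements, checks each against its notBefore/notAfter window, and re-encodes them as PEM for the Certificate field. The IdP at idp.example.com, its entityID and the self-signed certificate are constructed sample data; a real IdP publishes its own metadata.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/base64"
	"encoding/pem"
	"encoding/xml"
	"fmt"
	"math/big"
	"net/url"
	"strings"
	"time"
)

// Minimal view of IdP metadata: tags carry no namespace, so "md:"-prefixed and default-namespace documents both match.
type entityDescriptor struct {
	EntityID string `xml:"entityID,attr"`
	Keys     []struct {
		Use   string   `xml:"use,attr"`
		Certs []string `xml:"KeyInfo>X509Data>X509Certificate"`
	} `xml:"IDPSSODescriptor>KeyDescriptor"`
}

// ValidateMetadataURL mirrors the "Invalid metadata URL" rule: absolute and https.
func ValidateMetadataURL(raw string) error {
	u, err := url.Parse(raw)
	if err != nil || u.Scheme != "https" || u.Host == "" {
		return fmt.Errorf("metadata URL must be an absolute https URL, got %q", raw)
	}
	return nil
}

// CheckCertificate mirrors the "Invalid certificate" rule: the base64 DER from <X509Certificate> must parse, and now must lie in [NotBefore, NotAfter].
func CheckCertificate(b64 string, now time.Time) ([]byte, error) {
	der, err := base64.StdEncoding.DecodeString(strings.Join(strings.Fields(b64), ""))
	if err != nil {
		return nil, fmt.Errorf("X509Certificate is not valid base64: %w", err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, fmt.Errorf("not a valid X.509 certificate: %w", err)
	}
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return nil, fmt.Errorf("certificate outside validity window %s .. %s", cert.NotBefore.UTC(), cert.NotAfter.UTC())
	}
	return der, nil
}

// ParseIdPMetadata returns the entityID and the signing certificates as PEM (the form the Certificate field expects); encryption-only keys are skipped.
func ParseIdPMetadata(doc []byte, now time.Time) (string, []string, error) {
	var ed entityDescriptor
	if err := xml.Unmarshal(doc, &ed); err != nil {
		return "", nil, fmt.Errorf("metadata is not well-formed XML: %w", err)
	}
	var pems []string
	for _, kd := range ed.Keys {
		if kd.Use != "" && kd.Use != "signing" {
			continue
		}
		for _, b64 := range kd.Certs {
			der, err := CheckCertificate(b64, now)
			if err != nil {
				return "", nil, err
			}
			pems = append(pems, string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})))
		}
	}
	if ed.EntityID == "" || len(pems) == 0 {
		return "", nil, fmt.Errorf("metadata lacks an entityID or a signing certificate")
	}
	return ed.EntityID, pems, nil
}

// SampleIdPCertificate builds a throwaway self-signed certificate with the given validity window; constructed test data only (error ignored).
func SampleIdPCertificate(notBefore, notAfter time.Time) []byte {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: notBefore, NotAfter: notAfter}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return der
}

// SampleMetadata wraps a DER certificate in a minimal constructed metadata document for a hypothetical IdP at idp.example.com.
func SampleMetadata(der []byte) []byte {
	return []byte(`<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/saml">
	<md:IDPSSODescriptor><md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>` + base64.StdEncoding.EncodeToString(der) +
		`</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor></md:IDPSSODescriptor></md:EntityDescriptor>`)
}

func main() {
	now := time.Now()
	fmt.Println("http metadata URL:", ValidateMetadataURL("http://idp.example.com/metadata"))
	der := SampleIdPCertificate(now.Add(-time.Hour), now.Add(365*24*time.Hour))
	entityID, pems, err := ParseIdPMetadata(SampleMetadata(der), now)
	fmt.Printf("Entity ID: %s\nerr: %v\nCertificate field:\n%s", entityID, err, strings.Join(pems, ""))
}
```

For a real IdP, run ValidateMetadataURL on the metadata URL first, fetch the document over HTTPS, and pass its bytes to ParseIdPMetadata; the PEM it prints is what goes into the Certificate field. The program checks only what the troubleshooting entries describe (well-formed XML, https URL, certificate inside its validity window); it does not validate a signature on the metadata document itself, so fetch it from the IdP's own HTTPS endpoint rather than from a copy passed around by hand.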
Security Considerations
- Use HTTPS for every SAML URL (the metadata URL and the ACS URL)
- Rotate the IdP signing certificate before it expires and update it on the connection; an expired certificate fails the "Invalid certificate" check and blocks SSO sign-in
- Monitor your IdP audit logs for suspicious authentication attempts
- Consider enabling SCIM provisioning to automatically deprovision users when they leave your organization
- Use your IdP's built-in security features (MFA, conditional access, etc.)