Enable Single Sign-On
Overview
Single sign-on (SSO) allows users to log in using their corporate account credentials. When a user enters their Email ID, they are redirected to your organization's Identity Provider (IdP) authentication page. After authentication, they are redirected back to the IoT Operations Dashboard (IoT OD) and logged in.
Notes:
- Cisco IoT OD is the service provider (SP) and your organization's identity server is the Identity Provider (IdP).
- Your organization's identity provider must be compliant with the SAML 2.0 protocol.
Options for authentication only, or authentication and authorization
Single sign-on can be configured in IoT OD for two use cases:
- Authentication only: Your organization's IdP authenticates the user, which logs them into IoT OD, but authorization (the access privileges granted to specific functions) is applied by Cisco IoT OD.
- Authentication and authorization: Your organization's IdP both authenticates and authorizes the user.
Authentication only procedure
Complete the following procedure if your organization's IdP will authenticate users, but Cisco IoT OD will authorize their access permissions.
Prerequisites
- The customer must export and share the IdP metadata with Cisco.
- The Cisco super admin user must import this and then share the SP metadata.
- The customer must import the SP metadata into their identity server.
- The customer must provide the SAML attribute that will contain the user's email ID. For example, Name ID/Email ID.
- All users must be created in advance in IoT OD with their roles assigned. After SSO authentication, users can access the IoT OD application according to the roles specified for them.
Recommended approach: Before enabling SSO authentication for the whole organization, validate it first with a single user, for example the Tenant Admin of the organization. If there are no issues, create the remaining users and assign them the appropriate roles.
To enable SSO for Cisco IoT Operations Dashboard:
- Ask your Cisco representative to integrate the Operations Dashboard with your corporate identity provider.
- The Cisco support team will contact you to start the integration process. As part of this:
  - You will need to provide the identity provider's SAML metadata and the email domain(s) that will use SSO.
  - Cisco will provide the required metadata for your identity provider.
  - You will need to provide the keys in the SAML response that carry the following user values:
    - Email SAML Attribute (Mandatory) - Default Value: NameID
- Wait for Cisco and your identity provider to complete the SSO setup.
- After SSO setup is complete, add users to the Operations Dashboard.
Note: New users will receive a confirmation email but will not be prompted to change their password. They will use their corporate credentials to log in instead.
Authentication and authorization procedure
Complete the following procedure if your organization's IdP will authenticate the user's credentials and authorize their access permissions.
Prerequisites
- The customer must export and share the IdP metadata with Cisco.
- The Cisco super admin user must import this and then share the SP metadata.
- The customer must import the SP metadata into their identity server.
- The Tenant Admin role must map each role to an organization before a specified user logs in to IoT Operations Dashboard.
- The customer must provide the SAML attribute that will contain the user's email ID, e.g. NameID/Email ID.
- The customer must send the roles in the SAML response; they are used for authorization.
- If a user has multiple roles assigned in the IdP, all of those roles need to be sent in comma (,) separated format in the SAML response.
To enable SSO for Cisco IoT Operations Dashboard:
- Ask your Cisco representative to integrate the Operations Dashboard with your corporate identity provider.
- Update the SAML response to send the roles to IoT OD. If a user has multiple roles, send each role as a separate key-value pair, not as comma-separated values under one key.
- The Cisco support team will contact you to start the integration process. As part of this:
  - You will need to provide the identity provider's SAML metadata and the email domain(s) that will use SSO.
  - You will need to provide the keys in the SAML response that carry the following user values:
    - Email SAML Attribute (Mandatory)
    - Role SAML Attribute (Mandatory)
    - First Name SAML Attribute (Optional)
    - Last Name SAML Attribute (Optional)
    - Phone Number SAML Attribute (Optional)
  - Cisco will provide the required metadata for your identity provider.
- Wait for Cisco and your identity provider to complete the SSO setup.
- After SSO setup is complete, the Tenant Admin for your organization needs to go to the Access Control page and map the IdP roles to IoT OD roles.
  - Multiple IdP roles can be mapped to one IoT OD role, but an IdP role that has been mapped once cannot be mapped to any other IoT OD role.
  - If there are subtenants, the mapping is not inherited by the lower level. The Tenant Admin needs to do the mapping for each subtenant.
  - The Tenant Admin needs to enter the role in exactly the same format as it appears in the IdP.
- After the mapping is done, a user will be able to log in to the application after authentication and authorization by the IdP.
- Roles and permissions are assigned to the user for access to the IoT OD application based on the role mapping done by the Tenant Admin.
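Both procedures on this page come down to the same service-provider logic: read the user's email from the SAML assertion (NameID by default), and in the authentication-and-authorization case also read the role attribute and translate it through the Tenant Admin's mapping. The Python script below is an added example, not Cisco's code and not the IoT OD implementation. It parses a constructed, unsigned SAML 2.0 assertion, extracts the email and role attributes, accepts roles either as several AttributeValue elements or as a comma-separated list in one value (both formats are mentioned on this page), and enforces the mapping rules described above: many IdP roles may map to one IoT OD role, an IdP role may not be mapped twice, matching is exact (case and spacing included), and a subtenant does not inherit its parent's mapping. The attribute name "Role", every IoT OD role name except Tenant Admin, the organization names and the assertion contents are constructed for the example.

```python
"""Added example (not Cisco's code): read SSO identity attributes from a
SAML 2.0 assertion and apply the IoT OD role-mapping rules from this page."""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion. It is unsigned and exists only to exercise the
# parser; a real SP must verify the Response/Assertion signature (and reject
# DTDs and external entities) before trusting any value in it.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_constructed-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com/</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="Role">
      <saml:AttributeValue>IoT-Admin</saml:AttributeValue>
      <saml:AttributeValue>IoT-Operator, Shop-Floor</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="FirstName">
      <saml:AttributeValue>Alice</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def parse_assertion(assertion_xml):
    """Parse the assertion text into its root element (the saml:Assertion)."""
    return ET.fromstring(assertion_xml)


def attribute_values(root, name):
    """Return every value of the SAML attribute called `name`.

    Accepts both shapes the page mentions: one AttributeValue element per
    role, or several roles in one comma-separated value."""
    values = []
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") != name:
            continue
        for val in attr.findall("saml:AttributeValue", SAML_NS):
            for part in (val.text or "").split(","):
                part = part.strip()
                if part:
                    values.append(part)
    return values


def subject_email(root, email_attr="NameID"):
    """Email identifying the user. "NameID" (the page's default) reads the
    Subject/NameID element; any other name is looked up as a SAML attribute."""
    if email_attr == "NameID":
        node = root.find("saml:Subject/saml:NameID", SAML_NS)
        return (node.text or "").strip() if node is not None else ""
    vals = attribute_values(root, email_attr)
    return vals[0] if vals else ""


def build_role_mapping(pairs):
    """Turn the Tenant Admin's (idp_role, od_role) pairs into a lookup table.

    Several IdP roles may map to one IoT OD role, but one IdP role may not be
    mapped twice, so a repeated IdP role is rejected rather than silently
    overwritten. Keys are compared exactly, case and spacing included."""
    mapping = {}
    for idp_role, od_role in pairs:
        if idp_role in mapping:
            raise ValueError(f"IdP role {idp_role!r} is already mapped to {mapping[idp_role]!r}")
        mapping[idp_role] = od_role
    return mapping


def mapping_for_org(org_mappings, org):
    """Mappings are per tenant and are not inherited by subtenants, so a
    subtenant without its own table gets an empty one, not its parent's."""
    return org_mappings.get(org, {})


def resolve_user(assertion_xml, org_mappings, org, email_attr="NameID", role_attr="Role"):
    """Authentication-and-authorization flow: identify the user and translate
    the IdP roles into IoT OD roles. An empty role list means no access."""
    root = parse_assertion(assertion_xml)
    mapping = mapping_for_org(org_mappings, org)
    od_roles = {mapping[r] for r in attribute_values(root, role_attr) if r in mapping}
    return {"email": subject_email(root, email_attr), "roles": sorted(od_roles)}


if __name__ == "__main__":
    # Constructed mapping: two IdP roles share one IoT OD role ("Operator" is a
    # placeholder name); "Tenant Admin" is the role named on the page.
    tables = {"acme": build_role_mapping([("IoT-Admin", "Tenant Admin"),
                                          ("IoT-Operator", "Operator"),
                                          ("Shop-Floor", "Operator")])}
    print(resolve_user(SAMPLE_ASSERTION, tables, "acme"))
    print(resolve_user(SAMPLE_ASSERTION, tables, "acme-subtenant"))  # no mapping, no roles
```

The subtenant call returns the email but an empty role list, which is the outcome the page describes when a Tenant Admin has not repeated the mapping at the lower level; a deployment should treat that as access denied rather than fall back to any default role. The parser deliberately does nothing about signatures or audience/time conditions: those checks belong to the SAML library in front of it, and this code should only ever see an assertion that has already passed them.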