Implement Unity single sign-on (SSO) for these purposes:
- Simplify the login process. To access Unity products and services, users sign in with their company's credentials instead of a Unity ID and password.
- Reduce the risk of lost or stolen passwords through a single authentication point.
- Improve the administration workflow through user provisioning on the first user sign-in.
SSO isn't enforced by default.
SSO is available only with these Unity plans:
- Unity Enterprise
- Unity Industry plan
Prerequisites
Before you can set up SSO for your organization, ensure that you meet these prerequisites:
-
You must have the Owner or Manager user type within your organization. Read more about user types, roles, and permissions.
-
You must have created a SAML 2.0 application in your Identity Provider (IdP) service.
Unity SSO uses the Security Assertion Markup Language (SAML) 2.0 protocol. This protocol enables secure communication between the IdP and Unity.
Unity SSO supports the following IdPs:
Create a SAML 2.0 application in your IdP service
To create a SAML 2.0 application in your IdP service, follow these steps:
- Go to your organization's IdP portal and create a SAML 2.0 application.
- On a new tab, go to Unity Cloud, and then go to Administration > Single sign on.
- Copy the values of the following metadata parameters from the Unity section:
Entity IDLogin (Assertion Consumer Service) URLCertificate
- Go back to your IdP portal and paste the values in the corresponding fields of the SAML settings.
- Add custom user attribute mapping to your SAML 2.0 connector in your IdP:
- For the custom attribute name, enter
Email. - Select the user's email address in the IdP as the field.
To authenticate the user, Unity SAML SSO needs the
Emailattribute.
- For the custom attribute name, enter
Configure SSO for your organization
To configure SSO for your organization, follow these steps:
- In Unity Cloud, go to Administration > Single sign on.
- Select Edit information next to the Identity Provider section.
- On a new tab, go to your organization's IdP portal.
- From the settings page of your SAML application, generate the following metadata parameters of the application:
Entity ID: the IdP that you're using. This parameter may be named identity provider issuer or issuer URL.SSO Login URL: the IdP login URL.X.509: the IdP certificate.
- Go back to the Single sign on page of Unity Cloud and paste the values in the corresponding fields.
- Save your changes.
Validate domains for SSO
Before you can work with SSO, you must validate your domain with Unity so that Unity recognizes you as the domain owner of your organization.
Unity uses domain validation for these purposes:
-
Domain ownership: domain validation ensures legitimate ownership and control of the domain.
-
Fraudulent activity: domain validation helps prevent domain impersonation and the fraudulent configuration of applications.
-
Trust anchor: domain validation acts as a form of trust anchor.
Other parties can't easily perform these actions:
- Claim to represent the organization, for example, your domain.
- Configure applications or services for unauthorized access or misuse of the organization's identity.
To ensure that the validated domains in your IdP and in your Unity SSO match, follow these steps:
- Sign in to Unity Cloud as the SSO configuration IT administrator.
- Go to Administration > Single sign on, and then select Add domain.
- Enter the domain for which you want to turn on SSO, and then select Add and validate.
- Copy the entire DNS TXT record from the domain information window.
- Go to the DNS management panel of your domain registrar.
- Create a DNS record of TXT type and paste the copied content into it.
- In Unity Cloud, select Validate.
- To turn on SSO for other domains, repeat this procedure.
After the record has been created, the domain status in Unity Cloud changes from Pending Verification to Active.
It may take up to 48 hours for Unity to validate your domain through DNS propagation. This process informs upstream providers about domain information before it arrives at where the hosting region is. Unity SSO doesn't work for that domain until the domain is fully validated.
After a domain has been validated, other organizations can't claim it until you delete the record from your SSO configuration.
Turn off SSO for specific domains
To turn off SSO for a specific domain, follow these steps:
- In Unity Cloud, go to Single sign on > Domains.
- Select Delete next to the domain for which you want to turn off SSO.
Unity deletes the domain record from your SSO configuration.
If you want to turn on SSO again for this domain, you must first validate the domain again for SSO.
Test the SAML SSO integration
To test the SAML SSO integration, sign in to Unity using the SSO flow in one of the following ways.
Sign in to your IdP application directory
-
Go to your IdP application directory.
-
Use the IdP flow.
This flow redirects you to the Unity SSO sign-in page.
-
Enter the email for a test user, and then select Sign in.
Sign in to Unity Cloud
- Sign out of Unity Cloud.
- Go to Unity Cloud.
- Select Sign in, and then select Sign in with SSO.
- Enter the email for a test user, and then select Sign in.
Considerations
When integrating Unity SSO with your IdP, consider these points:
-
When users create a Unity ID account through SSO, Unity doesn't create the following information:
-
A password
The next time they sign in, users must select Forgot your password? and set up their password.
-
A personal organization for the new account
To create projects, users must manually create their own personal organization.
-
-
When signing in through SSO, users are automatically assigned to the organization for which SSO is set up. After sign-in, users can switch organizations and access the other organizations which they're a member of.