
Set up single sign-on with OpenID Connect for your private cloud

Overview

Streamline the management of users in Virtual Private Cloud with single sign-on (SSO) and just-in-time (JIT) user provisioning. Unity Virtual Private Cloud implements SSO through an enterprise identity provider (IdP) using the OpenID Connect (OIDC) protocol. You can use any OIDC-compliant IdP.

Just-in-time provisioning

Keycloak's JIT provisioning mechanism provides these automated features:
  • Creation of the user account on the first sign-in. You don't need to manually create users. This automated step reduces administrative overhead and enhances the user experience.
  • Population of user attributes. When setting up SSO, you set predefined mappers in Keycloak to automatically populate, on the first sign-in, user attributes from an external IdP or from Keycloak's user store.
The JIT user provisioning process occurs behind the scenes, with a seamless user experience:
  1. Virtual Private Cloud redirects, through the OIDC protocol, the new user to their IdP, to sign in.
  2. The IdP returns the user details to Keycloak.
  3. Keycloak sends these details to Virtual Private Cloud in the form of claims.
  4. Virtual Private Cloud uses these claims to create the user account on the fly.
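The claims-to-account step above, as an added illustration that is not code from Unity or Keycloak: it validates the claims Keycloak forwards (issuer, audience, expiry, subject), keys the account on the stable `iss`/`sub` pair rather than on e-mail, and applies the attribute mappers only on the first sign-in. The `MAPPERS` table, the `UserStore`, the issuer URL and the sample claims are all constructed for this example; signature verification of the token is assumed to have already happened in the OIDC client library.

```python
from dataclasses import dataclass, field
import time

# Constructed placeholder for the Keycloak "unity" realm issuer.
ISSUER = "https://keycloak.example.invalid/realms/unity"
# Hypothetical attribute mappers: claim name -> local user attribute.
MAPPERS = {"email": "email", "given_name": "first_name", "family_name": "last_name"}


@dataclass
class User:
    issuer: str
    subject: str
    attributes: dict = field(default_factory=dict)


class UserStore:
    """Minimal in-memory store keyed on (issuer, subject)."""
    def __init__(self):
        self._users = {}

    def get(self, issuer, subject):
        return self._users.get((issuer, subject))

    def add(self, user):
        self._users[(user.issuer, user.subject)] = user


def validate_claims(claims, expected_issuer, expected_audience, now=None):
    """Reject claims that are not for us; signature is assumed verified upstream."""
    now = time.time() if now is None else now
    if claims.get("iss") != expected_issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_audience not in audiences:
        raise ValueError("audience mismatch")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if not claims.get("sub"):
        raise ValueError("missing subject")
    return claims


def jit_provision(store, claims, expected_issuer, expected_audience, now=None):
    """Return (user, created). Attributes are populated only on first sign-in."""
    claims = validate_claims(claims, expected_issuer, expected_audience, now)
    user = store.get(claims["iss"], claims["sub"])
    if user is not None:
        return user, False
    attrs = {local: claims[name] for name, local in MAPPERS.items() if name in claims}
    user = User(claims["iss"], claims["sub"], attrs)
    store.add(user)
    return user, True
```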

Setup

The setup procedure differs depending on the IdP vendor. This section provides guidance for Microsoft Entra ID and for Okta. In Keycloak, the predefined unity realm stores all the settings and objects related to Virtual Private Cloud; when you open the Keycloak admin console, switch to the unity realm. To set up SSO for Virtual Private Cloud, complete these tasks: To maintain the security of the solution, perform these tasks regularly: