Configure SSO in SureMDM
To configure SSO with your preferred SSO provider, follow these steps:
Log in to the SureMDM Web Console as a Superuser before performing these steps.
Navigate to SureMDM Web Console > Settings > Account Settings > Enterprise Integrations > SAML Single Sign-On.
Configure the Single Sign-On settings for Generic.
| Settings | Description |
|---|---|
| Enable Single Sign-On | Select this option to allow configuring Single Sign-On settings. |
| Select Identity Provider(IdP) | Select Generic. |
| Service Identifier | Enter the Service Identifier URL obtained from your SSO provider. This URL uniquely identifies your service instance in the provider’s configuration. |
| Sign-On Service URL | Enter the Sign-On Service URL provided by your SSO provider. This is the authentication endpoint used for login requests. |
| Logout Service URL | Enter the Logout Service URL if available. This is used to redirect users during logout. Note: In most cases, the Sign-On and Logout Service URLs are the same. |
| SSO Service Provider Name | Choose Provider Name from the dropdown. |
Click Generate Certificate to generate a self-signed certificate on the server and make it available for download.
or
Click Upload Certificate to upload a certificate obtained from your SSO provider.
Use Delete Certificate or Download Certificate to remove or download an existing certificate.
Under the Dynamic Permission Assignment section, please click Add to Configure the Settings:
| Settings | Values |
|---|---|
| Attribute | Under the Role Configuration, define the Attribute Name as Group. This will refer to the group attribute of the user. For steps on how to add Attributes, please click here (e.g., Attribute: Engineering, Value: QA). |
| Condition | Select the conditions from the dropdown: 1. Contain 2. Equals 3. In Note: The condition field defines how SureMDM matches the attribute value received from the SSO provider with the value specified in the rule. |
| Value | Provide the value that the group name must match (e.g., “Admin”, “Manager”, or any other relevant group identifier). The system will look for this value within the user’s group attribute to determine if the role should be assigned. |
| Roles | Specify the roles that should be dynamically assigned to the user when the Group attribute matches the specified value. For example, if the group contains "Admin", assign the Administrator role, or if the group contains "Manager", assign the Manager role. To know more, see Configure Permissions for Role-Based Admin. |
| Device Group Set | Choose an option for Device Group Set from the drop-down menu. To know more, see Configure Permissions for Device Group Set Based Admin. |
| Jobs/Profiles Folder Set | Choose an option for Device Group Set from the drop-down menu. To know more, see Configure Permissions for Job Folder Set Based Admin. |
If the Attribute or Value does not match the information provided by the IdP:
- SureMDM assigns default permissions to the sub-user.
- The user will not receive the intended custom role.
Recommendation: Ensure that attributes and values are consistently configured between the IdP and SureMDM. - Deny Access - This option can be configured only in Default Permission and It determines whether a user should be denied access when the attribute and value conditions from the Identity Provider (IdP) do not match any of the configured roles. If Deny Access is enabled in the default permission and if the attribute and value from the IdP do not match any defined conditions (Contains, Equals, IN), SureMDM will not assign any role to the SSO user, resulting in denied access to the console.