Adding SSO to a Tool
Overview
This document will serve as a guide on how to add Single Sign-On to a third party tool in a way in which Operations Engineering has been doing so at time of writing
Methods to adding SSO
There are currently three methods of adding SSO at MoJ for Operations Engineering tooling:
- Auth0 inbuilt SSO integration
- Auth0 SAML middleman
- Inbuilt third party tool integration
Details and any relevant instructions for the above methods are in the sections below.
Auth0 inbuilt SSO integration
The Auth0 onboard process is still a WIP, please ask within the team if you need to access it.
Please use the GitHub Social Connection for ALL SSO work on Auth0
Auth0 comes with various Plug and Play integrations that may make setting up SSO very easy, if a tool supports this, this is the easiest option but does often come with less customisation choices.
Each integration comes with a step by step guide on the Auth0 UI, please follow that to install.
Auth0 SAML middleman
The Auth0 onboard process is still a WIP, please ask within the team if you need to access it.
Please use the GitHub Social Connection for ALL SSO work on Auth0
Often Auth0 does not have a inbuilt SSO integration for the tool we want to install SSO for, in this case, Auth0 can be used as a SAML middleman, this effectively bridges the gap between GitHub (which doesn’t support SAML auth easily) and the third party tool.
Steps:
- Use this guide to create a SAML WebApp on Auth0
- Navigate to the third party tools SSO section
- Use the Auth0 SAML WebApp to fill in the following details on the third party tools SSO section
- SAML Sign-in URL: “Identity Provider Login URL”
- Key x509 Certificate: “Identity Provider Certificate”
- A TXT record may have to be added to the “digital.justice.gov.uk” domain on Route53 to validate it as an SSO target
Inbuilt third party tool integration
The Auth0 onboard process is still a WIP, please ask within the team if you need to access it.
Please use the GitHub Social Connection for ALL SSO work on Auth0
Although fairly rare, sometimes a tool has it’s own inbuilt integration for SSO with GitHub, in cases like this the documentation from said third party tool will have to be followed.
Gotchas
This section includes various gotchas that we have experienced when integrating SSO to the tooling we own, please be wary of them for future SSO work:
- When turning on SSO for a tool that has previously been used with non-SSO accounts, some tools delete all non-SSO accounts, a migration plan for this must be put in place first.
- The default assigned role/permission on third party tools can often be higher than want we want, this may need tweaking for new work.
- Turning SSO allows users to consume tooling licenses/subscriptions/seats without going through us, for tools with limited available licenses, SSO may be better turned off.