
Single Sign-On (SSO) setup

Cleverbridge supports Single Sign-On (SSO), enabling your users to access the web admin tool and Cleverbridge Documentation using their corporate identity provider (e.g., Entra ID, Okta). This enhances security through centralized authentication and streamlines onboarding, which is particularly useful for larger teams.

Note: Cleverbridge supports SP-initiated SSO using Amazon Cognito as the backend identity provider.

To enable SSO access for your team, Cleverbridge requires some setup on both sides—your identity provider and our internal systems. Our team will guide you through the process to ensure a smooth onboarding experience.

1. Contact the Client Experience team

To get started with your SSO integration, please contact the Cleverbridge Client Experience team.

Before reaching out, please prepare the following information:

  • Identity Provider (IDP): For example, Microsoft Entra ID (Azure AD) or Okta.
  • Security Protocol: The authentication protocol your organization uses for SSO. Cleverbridge supports a range of industry-standard protocols, including SAML 2.0.
  • Test User: At least one email address that can be used to validate the integration.

When you reach out to the Client Experience team, you will be provided with the following details, which are necessary to configure Cleverbridge in your IDP:

  • Entity ID: A unique identifier for Cleverbridge as a service provider.
  • Assertion Consumer Service (ACS) URL: The endpoint where your IDP sends the SAML response after user authentication.

These values are required in both Entra and Okta setups.

2. Complete the configuration

Cleverbridge is flexible and can, upon request, support SSO integration with different providers. Some of the most commonly used integrations are described below:

Microsoft Entra ID (Azure AD)

  1. Follow the Amazon Cognito + Azure AD guide, and complete the steps up to retrieving your App Federation Metadata URL.
  2. During Step 2 ("Set up Single Sign-On using SAML"), input the Entity ID and Reply URL (ACS URL) provided to you by Cleverbridge.
  3. Enforce SAML Signing.
  4. Activate Token Encryption.

Okta

  1. Follow the Okta SAML + Cognito setup guide, completing the steps up to the IdP metadata section.
  2. When configuring your Okta SAML integration, input the Entity ID and Reply URL (ACS URL) defined above.
  3. Enforce Signing in Okta.
  4. Enable Token Encryption in Okta.

3. Finalize SSO setup

After completing the configuration in your Identity Provider (IDP), generate a Federation Metadata URL. This URL typically contains essential settings such as your certificate, Entity ID, and ACS (Assertion Consumer Service) endpoint.

The Metadata URL is usually created once your IT team has entered the Cleverbridge-provided Entity ID and ACS URL into your IDP. While this is a standard step for most technical teams, our Client Experience team is available to support you with any questions or to walk you through the process if needed.

Once we receive your metadata URL, Cleverbridge will:

  1. Generate two certificates for your IDP to enable signing and token encryption.
  2. Activate SSO login for your designated test user.
  3. Assist in rolling out SSO access to additional users upon successful testing.

4. Add users to SSO

Once SSO is enabled, Cleverbridge users can be linked to your SSO configuration by populating the SSO Email Address field in the user profile within SCM.

  1. Go to web admin > Settings > Users.
  2. Select the user by clicking their ID.

As soon as this field is populated, the system recognizes the user as part of the SSO user pool and authenticates them accordingly during login.

Note: For large teams, we can support batch user provisioning. Please contact our Client Experience team or your Technical Account Manager for options.

