Accessing the Platform Using SSO

Overview

CHEQ supports self-service single sign-on (SSO) integration. SSO gives customers access to the CHEQ platform through an identity provider (IDP). We support the following authentication protocols:

  • SAML
  • OpenID Connect (OIDC)

Requirements

  • Before starting the SSO integration process using an identity provider, please contact your CS representative, so they can enable your SSO integration on our internal tools.
  • Create an SSO Application in your IDP console and connect it to the relevant user groups.
    • You need to set up a connection (or connector) for CHEQ with your IDP (e.g. Auth0, JumpCloud, Okta, Microsoft Azure, OneLogin, etc.).
    • In some IDP providers, you may need to fill in the Redirect URIs and Login URL fields before obtaining the Client ID and Client Secret, which are necessary for the OpenID SSO setup.
      • If this is the case, use https://cheq-temp-url.com as a temporary value in those fields.

SSO Setup Using OpenID

  1. In the platform, navigate to your account name on the top right-hand side and select Account Settings.
  2. Navigate to the SSO Configuration tab.
  3. In the connection type, select OpenID Connect.
  4. Fill out the following fields in the CHEQ platform:
    1. Discovery URL: This is your OpenID Configuration URL. Change the issuer based on your IDP. For example: https://<issuer>/.well-known/openid-configuration. See the identity provider's Support guides for more information about SSO connection with OIDC.
    2. Client ID: Replace https://cheq-temp-url.com with the client ID provided by your IDP.
    3. Client Secret: Replace https://cheq-temp-url.com with the client secret provided by your IDP.
    4. Home Realm Discovery: Enter the domain name of the relevant user groups in your IDP (e.g. icloud.com).
  5. Click Create.
  6. Copy the newly generated fields and configure them in your IDP:
    1. Callback URL: Paste the value in the Redirect URIs field.
    2. Login URL: Paste the value in the Login URL field.
  7. Add an attribute mapping in your IDP for an email attribute. For example, if you are using JumpCloud as your IDP, it will look like:
    [Screenshot: email attribute mapping in JumpCloud]
  8. Depending on your IDP, you might need to configure more fields that do not affect the OIDC setup but are required for it to function. For example, an IDP Entity ID field.
  9. Click Save.
  10. Once the connection is created, create a new user in the CHEQ platform.
    1. In the CHEQ platform, navigate to your account name on the top right-hand side and select Account Settings.
    2. Select Users.
    3. Click Add User.
    4. Create a new user:
      1. Enter the email address.
      2. Select the user type.
      3. Add the SSO connection with the OIDC protocol.
    5. Click Save.
  11. The email address owner will receive an email invitation to start the login process using SSO.

Only newly created users that have the relevant SSO configuration value set up will be able to use this SSO connection.
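
A pre-flight check for the Discovery URL entered in step 4, as an added example that is not CHEQ's own code: it inspects an already-fetched OpenID configuration document for an issuer that matches the URL, HTTPS endpoints, RS256 signing and an advertised email claim. The function name check_discovery and the host idp.example.com are assumptions made for illustration.

```python
from urllib.parse import urlsplit

SUFFIX = "/.well-known/openid-configuration"
# token_endpoint is included on the assumption that the client secret implies the code flow.
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri",
            "response_types_supported", "subject_types_supported",
            "id_token_signing_alg_values_supported")
ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri", "userinfo_endpoint")


def check_discovery(discovery_url, document):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    if urlsplit(discovery_url).scheme != "https":
        problems.append("discovery URL is not https")
    if not discovery_url.endswith(SUFFIX):
        return problems + ["discovery URL does not end with " + SUFFIX]
    problems += ["missing metadata field: " + k for k in REQUIRED if k not in document]
    # The issuer in the document must be the prefix the URL was built from
    # (a trailing slash on the issuer is dropped before the suffix is appended).
    expected_issuer = discovery_url[: -len(SUFFIX)]
    if str(document.get("issuer", "")).rstrip("/") != expected_issuer:
        problems.append("issuer does not match discovery URL")
    for key in ENDPOINTS:
        value = document.get(key)
        if value and urlsplit(value).scheme != "https":
            problems.append(key + " is not https")
    if "RS256" not in document.get("id_token_signing_alg_values_supported", []):
        problems.append("RS256 not offered for ID token signing")
    # The setup maps an email attribute, so flag an IdP that lists its claims without it.
    claims = document.get("claims_supported")
    if claims is not None and "email" not in claims:
        problems.append("email claim not advertised")
    return problems


# Constructed sample input: idp.example.com is a placeholder, not a real IdP.
GOOD_URL = "https://idp.example.com/tenant1" + SUFFIX
GOOD_DOC = {
    "issuer": "https://idp.example.com/tenant1",
    "authorization_endpoint": "https://idp.example.com/tenant1/authorize",
    "token_endpoint": "https://idp.example.com/tenant1/token",
    "jwks_uri": "https://idp.example.com/tenant1/keys",
    "response_types_supported": ["code"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
    "claims_supported": ["sub", "email"],
}
BAD_DOC = dict(GOOD_DOC, issuer="https://idp.example.com/other",
               jwks_uri="http://idp.example.com/tenant1/keys", claims_supported=["sub"])
print(check_discovery(GOOD_URL, GOOD_DOC), check_discovery(GOOD_URL, BAD_DOC))
```

To use it against a real IDP, load the JSON returned by your Discovery URL and pass it in place of the constructed documents.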

SSO Setup Using SAML

  1. In the platform, navigate to your account name on the top right-hand side and select Account Settings.
  2. Navigate to the SSO Configuration tab.
  3. In the connection type, select SAML.
  4. Fill out the following fields:
    1. Sign In URL: This is the SSO IDP URL. For example: https://sso.jumpcloud.com/saml2/paradome-saml. See the identity provider's Support guides for more information about SSO connection with SAML.
    2. X.509 Signing Certificate: Download the certificate from your IDP and upload it.
    3. Home Realm Discovery: Enter the domain name of the relevant user groups in your IDP. For example, icloud.com.
  5. Click Create.
  6. Copy the newly generated fields and configure them in your IDP:
    1. Login URL: Paste the value in the Login URL field.
    2. ACS URL: Paste the value in the ACS URLs field.
    3. SP Entity ID: Paste the value in the SP Entity ID field.
  7. Add an attribute mapping in your IDP for an email attribute. For example, if you are using JumpCloud as your IDP, it will look like:
    [Screenshot: email attribute mapping in JumpCloud]
  8. Depending on your IDP, you might need to configure more fields that do not affect the SAML setup but are required for it to function. For example, an IDP Entity ID field.
  9. Click Save.
  10. Once the connection is created, create a new user.
    1. In the CHEQ platform, navigate to your account name on the top right-hand side and select Account Settings.
    2. Select Users.
    3. Click Add User.
    4. Create a new user:
      1. Enter the email address.
      2. Select the user type.
      3. Add the SSO connection with the SAML protocol.
    5. Click Save.
  11. The email address owner will receive an email invitation to start the login process using SSO.

Only newly created users that have the relevant SSO configuration value set up will be able to use this SSO connection.
