hasura/graphql-engine
1
0
Fork 0
mirror of https://github.com/hasura/graphql-engine.git synced 2024-12-14 17:02:49 +03:00
Code Issues Projects Releases Wiki Activity

Docs: Add SSO docs to deployment/cloud

Browse Source 
PR-URL: https://github.com/hasura/graphql-engine-mono/pull/6346
Co-authored-by: Sandeep Raj Kumar <17796073+SandeepSamba@users.noreply.github.com>
GitOrigin-RevId: ad766187e34f3a1d96df40f23b6f03ffbd6ff47b
This commit is contained in:
Sean Park-Ross 2022-12-20 12:36:14 +02:00 committed by hasura-bot
parent 6d64c67b4a
commit 32f992d08f
1 changed files with 61 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

61
docs/docs/deployment/hasura-cloud/sso.mdx Normal file
View File

@ -0,0 +1,61 @@
---
sidebar_position: 60
sidebar_label: 'SSO'
description: 'Enable single sign-on (SSO) for Hasura Enterprise through the SAML 2.0 protocol'
title: 'EE: Enable SSO through SAML'
keywords:
- hasura
- docs
- enterprise
- single sign on
- SSO
- SAML
sidebar_class_name: cloud-and-enterprise-icon
---
import Thumbnail from '@site/src/components/Thumbnail';
import HeadingIcon from '@site/src/components/HeadingIcon';
# SSO Through SAML
<div className='badge badge--primary heading-badge'>Available on: Cloud Enterprise</div>
## Introduction
You can enable SSO (Single Sign-On) with your identity management system through the
[SAML 2.0](http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html) protocol. Hasura is a
SAML 2.0 compliant service provider.
<Thumbnail src={'/img/enterprise/SSO_Login_demo.gif'} alt={'Single Sign-On Login Demo'}/>
## Configuration
### Configuring the identity provider
Create a new service provider on your SAML identity provider with the following configuration:
1. Configure the ACS URL, Entity ID, Audience and Recipient to be `https://auth.pro.hasura.io/saml/callback`.
2. Set the NameID format to `email address`.
3. You can set the default Relay State to be `https://cloud.hasura.io/`.
Once created, note the IdP metadata in XML format. Dynamic metadata through an IdP metadata URL is also supported.
### Configuring Hasura Cloud as the service provider
Provide the following details to [support](https://cloud.hasura.io/support/create-ticket) to configure SAML SSO:
- Domain Name(s): Domain tied to the email address of the users using SSO. If the emails of the users are tied to more than
one domain, provide all the domains.
- IdP Metadata: Metadata of your identity provider in XML format. If you want to configure the metadata through
a dynamic URL, you can instead provide the IdP Metadata URL.
- Provider: The name of this identity provider.
- Request Signing: Specify if you want the SAML assertion request to signed or un-signed.
## Caveats and limitations
1. Only a SP initiated flow is supported i.e. you cant have a Launch button in your IdP dashboard to launch the project
dashboard.
2. Session expiry time is currently not configurable.
3. Single logout is currently not supported.
4. Once SSO is enabled for an org, it is enforced for that org. This means, if an org is enabled for SSO, the emails
from that org cannot use any other login mechanism such as Google, GitHub, or email.
5. Currently, only SAML with HTTP POST binding is supported.