Single Sign-On (SSO)

This topic explains how to set up and configure single sign-on in Rescale for your enterprise.

Single sign-on overview

Single sign-on (SSO) is a method for authenticating users where a single set of credentials can be used to log into several different applications. This is especially useful in a corporate setting when you want your employees to be able to access a variety of applications using their company credentials.

Rescale Support of SSO

SSO authentication is available in all Organizations.

How to configure SSO Identity Provider

Disclaimer: Please be advised that it is the customer’s responsibility to configure the IdP, here are some guidelines to follow for common IDPs like Microsoft Entra and Okta, for reference. 

Setting Up Single Sign-On

Getting Started with Single Sign-On 

You must be an Organization Administrator in order to set up single sign-on for your organization. 

Note: SSO with Rescale applies at the organization level. All Workspaces will be able to authenticate with SSO once configured.

To configure single sign-on:

  1. From your Organization Administration, navigate to Security, and then click on the Single Sign-On tab
  2. Click the Configure Single Sign-On button to begin setup.
     

If you have configured SSO previously, click the gear icon to return to this form

  1. It is strongly recommended that you use the Metadata exchange configuration to proceed, although you may select Manual configuration, in which case proceed to the Advanced Settings section

Metadata Exchange

  1. Import the Rescale metadata into your identity provider (IdP) using the link provided.

If your IdP is self-hosted, your IT department will be able to assist you; if you are using a hosted service their configuration likely contains an input for this URL.

If you are required by the IdP configuration to enter fields manually, you can click Show Details here to view those data. If a field is required that you don’t see listed, contact Rescale support.

Please select the relevant URLs below based on the region you are in. If you are not sure, please check with your Rescale Solutions Architect or Customer Success Executive.

RegionFieldValue


US 
Entity IDhttps://platform.rescale.com/sso/metadata/
Assertion Consumer Servicehttps://platform.rescale.com/sso/login/callback/
Sign-On URLhttps://platform.rescale.com/login/
Single Logout Servicehttps://platform.rescale.com/sso/logout/
EuropeEntity IDhttps://eu.rescale.com/sso/metadata/
Assertion Consumer Servicehttps://eu..rescale.com/sso/login/callback/
Sign-On URLhttps://eu..rescale.com/login/
Single Logout Servicehttps://eu.rescale.com/sso/logout/
KoreaEntity IDhttps://kr.rescale.com/sso/metadata/
Assertion Consumer Servicehttps://kr.rescale.com/sso/login/callback/
Sign-On URLhttps://kr.rescale.com/login/
Single Logout Servicehttps://kr.rescale.com/sso/logout/
JapanEntity IDhttps://platform.rescale.jp/sso/metadata/
Assertion Consumer Servicehttps://platform.rescale.jp/sso/login/callback/
Sign-On URLhttps://platform.rescale.jp/login/
Single Logout Servicehttps://platform.rescale.jp/sso/logout/
ITAREntity IDhttps://itar.rescale.com/sso/metadata/
Assertion Consumer Servicehttps://itar.rescale.com/sso/login/callback/
Sign-On URLhttps://itar.rescale.com/login/
Single Logout Servicehttps://itar.rescale.com/sso/logout/
FedRAMPEntity IDhttps://itar.rescale-gov.com/sso/metadata/
Assertion Consumer Servicehttps://itar.rescale-gov.com/sso/login/callback/
Sign-On URLhttps://itar.rescale-gov.com/login/
Single Logout Servicehttps://itar.rescale-gov.com/sso/logout/
  1. Paste the URL to your IdP’s metadata in the Identity Provider’s Metadata input

The location of this XML depends on your IdP’s software configuration.

  1. Click Verify Settings to proceed.

If the URL you provided could not be loaded you may need to go back and correct it. If any of the fields are blank you must complete them, but the known fields are read-only and just for reference.

  1. Click Attributes to proceed to the next step. Attributes are data about the user released by your IdP that allows us to set up their profile on Rescale.
  2. (Recommended) Perform a test login in another tab by using the link provided. This will both confirm that the basic communication settings between your IdP and Rescale are correct and show you which attributes were released to Rescale so that you can complete the rest of this step.

If the test login is successful, you will see a table of the attributes(shown in the above screenshot) you can select from both in the tab you used to do the test login and in the form. If you don’t see an attribute that contains at least the e-mail address, your IdP will need to be configured to release one.

  1. Select or enter an attribute name for E-Mail Address. Provide Username only if the listed conditions apply to your organization, and select a Full name attribute if one is available.
  2. Click Policies and proceed to the Access Policy section below

Advanced Settings

SIGN ON OPTIONS

By defining Sign-On options, you have the added flexibility to allow the employees of your Organization to sign in with only single sign-on (SSO) or both single sign-on (SSO) and email. 

ACCESS POLICY

There are two types of access policies:

  1. Allow anyone from your organization
  2. Only allow invited users to sign on

The Allow anyone from your organization setting allows any employee with single sign-on to join your Rescale Organization. 

The Only allow invited users to sign on setting requires two conditions to be true:

  1. Employees must first be invited to Rescale by an Admin
  2. The Employee must have SSO configured if your Sign-On Options are set to Sign on with Single Sign on only

Single Sign-On Logging

Once you’ve set up single sign-on, you can see recent sign-in successes and failures by navigating to Portal > Security, and then clicking on the Single Sign-On tab.

Once you’re there, you can view successful, failed, and incomplete logins.

Status Icons:

  • A green checkmark indicates that the login was successful
  • A red cross indicates that the login failed (expand for additional information)
  • A yellow line indicates that the logic was incomplete. In this case, someone initiated a login via SSO, redirected to the IdP, but then never redirected back to Rescale. This is not necessarily an issue, the user could have closed the tab after the IdP redirect.

In order to view detailed information on the success, failure, or incomplete login, simply click on the user to open a chronological log.

FAQ

Can I use SSO in my region? 
If you are located in an international region and are using one of Rescale’s international platforms, make sure to use the correct platform domain and URL. This is crucial when configuring your Azure AD SSO. Note that the Microsoft doc uses a US platform in the instructions. 

After enabling SSO, will existing Rescale users still be able to log in?
Yes, existing users will continue to have access after SSO is enabled, provided they have an identical email address on Rescale and with their SSO IdP.

Q: Can we merge accounts that are using the same email address? 

No, merging accounts is not currently possible.

If the e-mail address associated with the Rescale user account does not change, after enabling SSO, will account data continue to be available? 
The data and all attributes of the account will continue to be available after SSO is enabled for accounts where the email address has not changed. 

Does enabling SSO affect existing API tokens? 
No, existing API tokens are not impacted. They will continue to function as before

Will I be able to use tokens from Microsoft Active Directory to map groups to a Rescale Group/Project?
At this time, we do not support this functionality.

Password Policies: Does enabling SSO override existing password policies in place, or do they function together?
SSO will override existing password policies

User Onboarding: What is the onboarding process for new users to get them set up with SSO?
Companies using SSO should invite Rescale users via the invite process within the Workspace Admin. 

User Offboarding: How is access revoked when an employee leaves the organization?
Employee access can be revoked by going through Rescale User Offboarding in the “Members” section of the Workspace.

Multi-Factor Authentication (MFA): Does Rescale’s SSO support MFA and how is it configured?
Yes, in addition to SSO MFA, you can leverage Rescale MFA for additional security.

Audit Trails: Is there an option to generate audit logs specifically for SSO activities?
Yes, within the Security section of the Organization, you will be able to generate audit logs related to login attempts.

SSO for Sub-organizations: Can SSO be applied selectively to sub-organizations or departments within the main organization?
No, SSO will apply to all Workspaces within the Organization