SAML SSO Integration

Overview

Enterprise tenants can use SAML 2.0 Single Sign-On to let users authenticate through a corporate identity provider. SSO centralizes access policy, MFA, joiner/mover/leaver processes, and group-based authorization for AppTego Portal users.

Supported identity providers include Okta, Microsoft Entra ID, OneLogin, and other SAML 2.0 compliant providers.

Setting Up SAML SSO

Prerequisites

• Enterprise plan subscription.
• Access to your identity provider's admin console.
• modify_tenant_settings permission in AppTego.
• A tested breakglass access plan before enforcing SSO.

Configuration Steps

1. Navigate to SAML SSO

• Go to User Management -> SAML SSO in the portal.

1. Copy AppTego service provider details

• Use the values shown in the portal to configure your identity provider.
• The portal shows the SAML Login URL, SP Entity ID, ACS URL, and SLS URL.

1. Configure your identity provider

• Create a new SAML application in your IdP.
• Set the ACS URL and Entity ID from the AppTego metadata.
• Configure attribute mappings for email, name, and groups.

1. Add IdP details to AppTego

• Paste or upload IdP metadata XML, then select Parse Metadata.
• Metadata upload supports files up to 256 KB.
• Alternatively, enter the IdP Entity ID, IdP SSO URL, and IdP X.509 Certificate manually.

1. Configure group mappings

• Enable group authorization if you want SAML groups to grant AppTego permissions.
• The default group attribute name is groups.
• Map exact IdP group names to AppTego permissions in User Management -> SAML Groups.
• Users assigned to mapped groups receive the corresponding AppTego permissions.

1. Enable SSO enforcement after testing

• Enforce SSO only after test login and breakglass access have been validated.
• Select a breakglass account before enforcing SSO-only access.
• When enabled, tenant users must authenticate through SAML except for breakglass access.

Testing

1. Save the SAML configuration while SSO-only enforcement is still off.
2. Start a SAML login flow for the tenant.
3. Verify you are redirected to your IdP and can authenticate.
4. Verify you return to AppTego with the correct user identity.
5. Confirm group mappings grant only the intended AppTego permissions.
6. Confirm a breakglass admin can still access the tenant before enforcing SSO-only access.

Login Flow

1. User opens the AppTego login page.
2. User enters their email or selects SSO login.
3. AppTego determines whether the tenant uses SAML.
4. User is redirected to the IdP for authentication.
5. The IdP authenticates the user and returns a SAML assertion.
6. AppTego validates the assertion and creates or updates the user session.
7. User enters the portal with permissions derived from AppTego role settings and group mappings.

Group-Based Authorization

Map IdP groups to AppTego permissions:

Configure group mappings in User Management -> SAML Groups. Group names are matched exactly to the values sent by your IdP in the configured group attribute.

MFA Behavior

• Users authenticated via SAML follow MFA policy managed by the IdP.
• Users with password-based login in SAML-enabled tenants still use AppTego MFA.
• SSO enforcement removes password login for normal users, except breakglass access.

Breakglass Account

When SSO enforcement is enabled, maintain a breakglass admin path for emergency access. This account bypasses SAML authentication and uses standard AppTego login.

Use breakglass access only when the IdP is unavailable or SSO configuration must be repaired. Protect it with strong credentials, MFA, and limited access to trusted administrators.

The breakglass dropdown only includes tenant users with user_and_api_management. While a user is selected as the breakglass account, the portal prevents removing that permission from the user.

Related API Endpoints