Single Sign-On (SSO)
Last updated
Was this helpful?
Last updated
Was this helpful?
In Supervisely multiple users can create accounts, login using passwords and collaborate together in teams.
Supervisely Enterprise Edition supports more advanced use cases, such as Single Sign-On (SSO) from one of many providers including OpenID or LDAP, or special authentication requirements.
The simplest way to configure Open ID authorization is to use the Instance Settings page.
Login as "admin" user and select "Instance Settings" under the user menu in the top right corner of your screen. Scroll down to the Authorization section and select Open ID authorization.
Click the "Add" button and provide credentials to your Open ID authorization provider.
Do not forget to click the "Save" button at the bottom to apply your changes.
Microsoft Azure Active Directory uses OpenID protocol, so it is basically the same as above, with a few extra steps.
Now, you can add a new OpenID provider as described above. Your credentials may look something like this:
OKTA uses OpenID protocol, so it is basically the same as above, with a few extra steps.
First, you need to register a new app.
Click Applications → "Create App Integration" button and then select "OIDC - OpenID Connect" and "Web Application".
Make sure that "Authorization Code" code is selected. Under Sign-in redirect URIs add a new URI <https_instance_domain>/api/account/auth/okta/callback.
You can find metadata_url by clicking on your account name in the top right corner.
Copy and save your client ID and client Secret. You can now proceed with modifications on the server-side.
Your Metadata URL should look like this: https://<subdomain from okta>.okta.com.
The simplest way to configure LDAP authorization is to use the Instance Settings page.
Login as "admin" user and select "Instance Settings" under the user menu in the top right corner of your screen. Scroll down to the Authorization section and select LDAP authorization.
Do not forget to click the "Save" button at the bottom to apply your changes.
Beside SSO providers, such as OpenID and LDAP, you can configure more settings to control settings for both internal and external authorizations. Those settings include session lifetime, password requirements and more.
To find the settings, login as "admin" user and select "Instance Settings" under the user menu in the top right corner of your screen. Scroll down to the Authorization section. Some of the noticeable options:
By default we allow to login both users created in Supervisely and outside of Supervisely in connected SSO. This could cause confusion with matching logins or violate security policies. You can enable this option and allow only external users validated via SSO.
By default, when you sign into the platform using SSO and we detect that this login has not yet been used in Supervisely platform, we automatically create a new account on the platform with that login.
You can disable this behavior using this option. This could be useful if you have lots of accounts in your SSO and you only want specific users to be allowed to login into Supervisely. In that case, you can use the "Users" page to manually provide logins that would be able to login into Supervisely via your SSO.
You may also consider switching "Disable built-in logins" and "Allow only existing users" (see ).
First you need to and .
On add new URI <https_instance_domain>/api/account/auth/microsoft/callback
Provide your credentials there. You may also consider switching "Disable built-in logins" and "Allow only existing users" (see ).
