How single sign-on works
Before enabling single sign-on (SSO), review how the StorageGRID sign-in and sign-out processes are affected when SSO is enabled.
Signing in when SSO is enabled
When SSO is enabled and you sign in to StorageGRID, you are redirected to your organization's SSO page to validate your credentials.
-
Enter the fully qualified domain name or IP address of any StorageGRID Admin Node in a web browser.
The StorageGRID Sign in page appears.
-
If this is the first time you have accessed the URL on this browser, you are prompted for an account ID:
-
If you have previously accessed either the Grid Manager or the Tenant Manager, you are prompted to select a recent account or to enter an account ID:
The StorageGRID Sign in page is not shown when you enter the complete URL for a tenant account (that is, a fully qualified domain name or IP address followed by /?accountId=20-digit-account-id
). Instead, you are immediately redirected to your organization's SSO sign-in page, where you can sign in with your SSO credentials. -
-
Indicate whether you want to access the Grid Manager or the Tenant Manager:
-
To access the Grid Manager, leave theAccount ID field blank, enter 0 as the account ID, or select Grid Manager if it appears in the list of recent accounts.
-
To access the Tenant Manager, enter the 20-digit tenant account ID or select a tenant by name if it appears in the list of recent accounts.
-
-
Click Sign in
StorageGRID redirects you to your organization's SSO sign-in page. For example:
-
Sign in with your SSO credentials.
If your SSO credentials are correct:
-
The identity provider (IdP) provides an authentication response to StorageGRID.
-
StorageGRID validates the authentication response.
-
If the response is valid and you belong to a federated group that has adequate access permission, you are signed in to the Grid Manager or the Tenant Manager, depending on which account you selected.
-
-
Optionally, access other Admin Nodes, or access the Grid Manager or the Tenant Manager, if you have adequate permissions.
You do not need to reenter your SSO credentials.
Signing out when SSO is enabled
When SSO is enabled for StorageGRID, what happens when you sign out depends on what you are signed in to and where you are signing out from.
-
Locate the Sign Out link in the top-right corner of the user interface.
-
Click Sign Out.
The StorageGRID Sign in page appears. The Recent Accounts drop-down is updated to include Grid Manager or the name of the tenant, so you can access these user interfaces more quickly in the future.
If you are signed in to… And you sign out from… You are signed out of… Grid Manager on one or more Admin Nodes
Grid Manager on any Admin Node
Grid Manager on all Admin Nodes
Tenant Manager on one or more Admin Nodes
Tenant Manager on any Admin Node
Tenant Manager on all Admin Nodes
Both Grid Manager and Tenant Manager
Grid Manager
The Grid Manager only. You must also sign out of the Tenant Manager to sign out of SSO.
Tenant Manager
The Tenant Manager only. You must also sign out of the Grid Manager to sign out of SSO.
The table summarizes what happens when you sign out if you are using a single browser session. If you are signed in to StorageGRID across multiple browser sessions, you must sign out of all browser sessions separately. |