# SSO Management
Guance supports SSO management based on SAML and OIDC/OAuth 2.0 protocols. Enterprises can manage employee information in their local IdP (Identity Provider) without synchronizing users between Guance and the enterprise IdP. Employees can log in and access Guance through designated roles.
In SSO Management, you can:
- Configure single sign-on based on corporate domain
- Enable role mapping based on corporate domain for more granular single sign-on
## User SSO
Employees whose email addresses conform to the domain suffix of the enterprise's unified identity authentication can log in to Guance using that email and access the system according to configured permissions.
Guance supports configuring multiple SSO identity providers (IdPs) for a single workspace (up to 10). This allows the same workspace to be compatible with different authentication systems within the enterprise (such as Azure AD, Okta, self-built LDAP, etc.).
When multiple workspaces are configured with the same identity provider, users only need to log in to any workspace via SSO. During the valid login session, they can use the "Workspace Switcher" at the top of the interface to jump to other authorized workspaces with one click, without repeated authentication.
1. Go to Management > Member Management > SSO Management > User SSO.
2. Select the access type as needed.
3. Start configuration.
## Manage SSO List

The SSO list supports the following operations.
## Role Mapping

- Enable role mapping:
    - SSO login users are dynamically assigned roles by matching the **attribute field** and **attribute value** from the identity provider against the role mapping rules.
    - Users who do not match any mapping rule have all roles removed and cannot log in to or access the workspace.
- Disable role mapping: Single sign-on users retain their previously assigned roles and are not affected by changes in the assertions sent by the identity provider.
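The following is an added example (it is not Guance's own code) that models the behaviour described in the User SSO and Role Mapping sections above: an email is matched to one of the workspace's identity providers by its corporate domain, a workspace holds at most 10 identity providers, and with role mapping enabled the roles come from matching an assertion attribute field and value against the mapping rules, where no match means no roles and no login. It assumes, beyond what the page states, that a subdomain of the corporate domain also counts as a match, that an assertion attribute may carry a single value or a list, and that a login yielding no roles is refused. All identity provider names, domains, attribute values and role names are constructed sample data.

```python
"""Added example, not Guance's own code: a small model of the SSO behaviour
described above (domain-based IdP selection, the 10-IdP limit, role mapping).
Assumptions not stated on the page: an email belongs to an IdP when its domain
equals the IdP's domain or is a subdomain of it; an assertion attribute may be
a single value or a list; a login that yields no roles is denied. All names,
domains, attribute values and roles below are constructed sample data.
"""
from dataclasses import dataclass, field

MAX_IDPS_PER_WORKSPACE = 10  # limit stated on the page


@dataclass(frozen=True)
class RoleMappingRule:
    attribute_field: str   # assertion attribute to inspect, e.g. "groups"
    attribute_value: str   # value that must be present for the rule to match
    roles: frozenset       # roles granted when the rule matches


@dataclass
class IdentityProvider:
    name: str
    protocol: str          # "SAML" or "OIDC"
    email_domain: str      # corporate domain this IdP authenticates
    role_mapping_enabled: bool = True
    rules: list = field(default_factory=list)


@dataclass(frozen=True)
class LoginDecision:
    allowed: bool
    reason: str
    roles: frozenset = frozenset()


def map_roles(rules, attributes):
    """Union of the roles of every rule whose attribute value is asserted."""
    granted = set()
    for rule in rules:
        values = attributes.get(rule.attribute_field, [])
        if isinstance(values, str):
            values = [values]
        if rule.attribute_value in values:
            granted |= rule.roles
    return frozenset(granted)


@dataclass
class Workspace:
    idps: list = field(default_factory=list)
    assigned_roles: dict = field(default_factory=dict)  # lower-cased email -> roles

    def add_idp(self, idp):
        if len(self.idps) >= MAX_IDPS_PER_WORKSPACE:
            raise ValueError("at most %d identity providers per workspace" % MAX_IDPS_PER_WORKSPACE)
        if any(existing.name == idp.name for existing in self.idps):
            raise ValueError("identity provider name already exists: " + idp.name)
        self.idps.append(idp)

    def idp_for_email(self, email):
        local, at, domain = email.rpartition("@")
        if not (local and at and domain):
            return None
        domain = domain.lower()
        for idp in self.idps:
            corp = idp.email_domain.lower()
            # Check the dot explicitly: a bare endswith() would also accept
            # "notexample.com" for a corporate domain of "example.com".
            if domain == corp or domain.endswith("." + corp):
                return idp
        return None

    def sso_login(self, email, attributes):
        idp = self.idp_for_email(email)
        if idp is None:
            return LoginDecision(False, "no identity provider for this email domain")
        key = email.lower()
        if idp.role_mapping_enabled:
            # Dynamic assignment: the assertion decides the roles on every login;
            # a user matching no rule loses all roles and cannot log in.
            roles = map_roles(idp.rules, attributes)
            self.assigned_roles[key] = roles
            if not roles:
                return LoginDecision(False, "no role mapping rule matched")
        else:
            # Mapping disabled: previously assigned roles are kept regardless
            # of what the identity provider asserts.
            roles = self.assigned_roles.get(key, frozenset())
            if not roles:
                return LoginDecision(False, "user holds no roles in this workspace")
        return LoginDecision(True, "ok", roles)


def build_demo_workspace():
    """Constructed sample: one SAML IdP for example.com with two mapping rules."""
    ws = Workspace()
    ws.add_idp(IdentityProvider("corp-saml", "SAML", "example.com", rules=[
        RoleMappingRule("groups", "guance-admins", frozenset({"admin"})),
        RoleMappingRule("groups", "guance-viewers", frozenset({"viewer"})),
    ]))
    return ws
```

Calling `build_demo_workspace().sso_login("alice@example.com", {"groups": ["guance-admins"]})` grants the `admin` role, while the same user asserting only `{"groups": ["eng"]}` is refused and has her stored roles cleared, which is the "all roles removed" behaviour the section describes. Flipping `role_mapping_enabled` to `False` on the provider makes `sso_login` ignore the assertion and reuse whatever is in `assigned_roles`.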
## Related Operations
After adding an identity provider, you can edit the SSO configuration for management as needed. The following operations are supported:
- Edit: Modify information, enable or disable. This operation affects the login experience of existing SSO members and should be performed with caution.
- Delete: This operation removes the current single sign-on configuration. Related members will be unable to log in through this configuration. Perform with caution.
- Import/Export Identity Provider: Supports importing and exporting identity provider configurations for quick replication across multiple workspaces.
**Note**

- When exporting a file, the filename cannot be the same as the name of an existing identity provider in the current workspace.
- The exported file must be valid JSON.
## View SSO Members
- Member Count: Displays the total number of all members who have logged in via SSO.
- Member List: Click on the member count to view the specific list of authorized SSO members.
## Email Notification
Workspace Owners and Administrators will receive relevant email notifications when enabling, configuring, or deleting SSO.