Version: 1.0.0

SSO Configuration

TwinEdge Enterprise supports Single Sign-On (SSO) for seamless authentication integration with your identity provider.

Enterprise Feature

SSO is available exclusively on Enterprise plans.

Supported Identity Providers

Provider          | Protocol         | Status
Okta              | SAML 2.0, OIDC   | Supported
Azure AD          | SAML 2.0, OIDC   | Supported
Google Workspace  | SAML 2.0, OIDC   | Supported
OneLogin          | SAML 2.0         | Supported
Auth0             | OIDC             | Supported
Custom SAML       | SAML 2.0         | Supported
Custom OIDC       | OpenID Connect   | Supported

Configuration Overview

General Setup Flow

  1. Create SSO application in your IdP
  2. Configure TwinEdge SSO settings
  3. Test SSO login with one test user
  4. Enable for all users, then enforce SSO once logins succeed

Okta Configuration

Step 1: Create Okta Application

  1. Log in to Okta Admin Console
  2. Go to Applications → Applications
  3. Click Create App Integration
  4. Select:
    • Sign-in method: OIDC - OpenID Connect
    • Application type: Web Application
  5. Configure:
    • Name: TwinEdge
    • Sign-in redirect URI: https://app.twinedgeai.com/auth/callback/okta
    • Sign-out redirect URI: https://app.twinedgeai.com/auth/logout
  6. Click Save

Step 2: Note Okta Credentials

From the application settings, copy:

  • Client ID
  • Client Secret (a credential: store it in a secrets manager, never in tickets, chat or source control)
  • Okta domain (e.g., yourcompany.okta.com)

Step 3: Configure TwinEdge

  1. Go to Settings → SSO
  2. Click Configure Okta
  3. Enter:
    Okta Domain: yourcompany.okta.com
    Client ID: 0oa1234567890abcdef
    Client Secret: ********
  4. Click Save & Test

Step 4: User Provisioning (Optional)

Enable SCIM for automatic user provisioning:

  1. In Okta, open the TwinEdge application and go to Provisioning
  2. Enable SCIM provisioning
  3. Configure:
    • SCIM connector URL: https://api.twinedgeai.com/scim/v2
    • Authentication: Bearer token (this token can create and deactivate every TwinEdge user, so handle it like a client secret and rotate it if it is ever exposed)
  4. Enable:
    • Create Users
    • Update User Attributes
    • Deactivate Users (so that removing a user in Okta also disables their TwinEdge account)
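
The following is an added example, not TwinEdge's connector code, showing the server side of the provisioning flow above: the requests an IdP such as Okta sends to the SCIM connector URL once Create Users, Update User Attributes and Deactivate Users are enabled, and the two checks the receiving side must make before touching an account (bearer-token authentication, then schema validation). The token value, the in-memory store and the user records are constructed for the example.

```python
"""Server side of the SCIM 2.0 provisioning flow enabled above (added example,
not TwinEdge's connector). It models what the IdP sends once Create Users,
Update User Attributes and Deactivate Users are on, and the two checks the
receiver must make before touching an account: bearer-token authentication
and schema validation. Token value, paths and records are constructed."""
import hmac
import json
import secrets
from typing import Optional

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"
MUTABLE = {"userName", "name", "emails", "active"}

# Constructed value standing in for the bearer token pasted into the IdP.
SCIM_TOKEN = "tw_scim_8f3a1c2b9d4e5f60a7b8c9d0"


def _error(status: int, scim_type: Optional[str] = None) -> tuple:
    body = {"schemas": [ERROR_SCHEMA], "status": str(status)}
    if scim_type:
        body["scimType"] = scim_type
    return status, body


class ScimUsers:
    """In-memory user store standing in for the application database."""

    def __init__(self, token: str = SCIM_TOKEN) -> None:
        self._token = token
        self.users: dict = {}

    def _authorized(self, headers: dict) -> bool:
        # Header names are case-insensitive. The token grants create/deactivate
        # rights over every account, so compare it in constant time.
        auth = next((v for k, v in headers.items() if k.lower() == "authorization"), "")
        scheme, _, presented = auth.partition(" ")
        return scheme.lower() == "bearer" and hmac.compare_digest(presented, self._token)

    def handle(self, method: str, path: str, headers: dict, body: Optional[str]) -> tuple:
        """Dispatch one request; returns (HTTP status, JSON-serialisable body)."""
        if not self._authorized(headers):
            return _error(401)          # authenticate before parsing anything
        try:
            payload = json.loads(body) if body else {}
        except json.JSONDecodeError:
            return _error(400, "invalidSyntax")
        if method == "POST" and path == "/scim/v2/Users":
            return self._create(payload)
        if method == "PATCH" and path.startswith("/scim/v2/Users/"):
            return self._patch(path.rsplit("/", 1)[1], payload)
        return _error(404)

    def _create(self, payload: dict) -> tuple:
        # "Create Users": a User resource; userName is mandatory and unique.
        if USER_SCHEMA not in payload.get("schemas", []) or not payload.get("userName"):
            return _error(400, "invalidValue")
        if any(u["userName"] == payload["userName"] for u in self.users.values()):
            return _error(409, "uniqueness")
        user = {"schemas": [USER_SCHEMA], "id": secrets.token_hex(8), "name": {},
                "emails": [], "active": True}
        user.update({k: v for k, v in payload.items() if k in MUTABLE})
        self.users[user["id"]] = user
        return 201, user

    def _patch(self, user_id: str, payload: dict) -> tuple:
        # "Update User Attributes" and "Deactivate Users" both arrive as a PatchOp;
        # deactivation is a replace of active=false, not an HTTP DELETE.
        user = self.users.get(user_id)
        if user is None:
            return _error(404)
        if PATCH_SCHEMA not in payload.get("schemas", []):
            return _error(400, "invalidSyntax")
        for op in payload.get("Operations", []):
            if op.get("op", "").lower() != "replace":
                return _error(400, "invalidValue")      # only replace is modelled here
            path, value = op.get("path"), op.get("value")
            if path in MUTABLE:
                user[path] = value
            elif path is None and isinstance(value, dict) and set(value) <= MUTABLE:
                user.update(value)                      # Okta style: no path, dict of attributes
            else:
                return _error(400, "invalidPath")
        return 200, user


def provisioning_cycle() -> dict:
    """Create, rename, then deactivate one user the way the IdP would."""
    store = ScimUsers()
    auth = {"Authorization": f"Bearer {SCIM_TOKEN}"}
    _, user = store.handle("POST", "/scim/v2/Users", auth, json.dumps(
        {"schemas": [USER_SCHEMA], "userName": "ada@yourcompany.com",
         "name": {"givenName": "Ada", "familyName": "Lovelace"}}))
    store.handle("PATCH", f"/scim/v2/Users/{user['id']}", auth, json.dumps(
        {"schemas": [PATCH_SCHEMA],
         "Operations": [{"op": "replace", "path": "userName", "value": "ada.lovelace@yourcompany.com"}]}))
    _, final = store.handle("PATCH", f"/scim/v2/Users/{user['id']}", auth, json.dumps(
        {"schemas": [PATCH_SCHEMA], "Operations": [{"op": "replace", "value": {"active": False}}]}))
    return final
```

Two details matter when you debug provisioning against a real connector: the IdP deactivates by patching active to false rather than deleting the resource, so a "Deactivate Users" failure usually shows up as a rejected PATCH, and the bearer token is checked before the body is parsed, so an unauthenticated request should never produce a schema error.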

Azure AD Configuration

Step 1: Register Application

  1. Go to Azure Portal → Azure Active Directory
  2. Select App registrations → New registration
  3. Configure:
    • Name: TwinEdge
    • Redirect URI: Web - https://app.twinedgeai.com/auth/callback/azure
  4. Click Register

Step 2: Configure Authentication

  1. Go to Authentication
  2. Confirm the redirect URI https://app.twinedgeai.com/auth/callback/azure is listed under Web (it was added at registration; add it here if it is missing)
  3. Under Implicit grant and hybrid flows, tick ID tokens. Do not tick Access tokens; nothing in this setup requires them

Step 3: Create Client Secret

  1. Go to Certificates & secrets
  2. Click New client secret
  3. Add a description and an expiration
  4. Copy the secret value immediately; it is shown only once. Record the expiry date and rotate the secret before it, because an expired secret breaks every SSO login

Step 4: Configure TwinEdge

  1. Go to Settings → SSO
  2. Click Configure Azure AD
  3. Enter:
    Tenant ID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
    Client ID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
    Client Secret: ********
  4. Click Save & Test

Step 5: Assign Users

  1. In Azure Portal, go to Enterprise applications
  2. Find TwinEdge
  3. Go to Users and groups
  4. Assign users or groups
  5. Under Properties, set Assignment required? to Yes; otherwise every account in the tenant can sign in whether or not it is assigned

Google Workspace Configuration

Step 1: Create OAuth Credentials

  1. Go to Google Cloud Console
  2. Select or create a project
  3. Go to APIs & Services → Credentials
  4. Click Create Credentials → OAuth client ID
  5. Configure:
    • Application type: Web application
    • Name: TwinEdge
    • Authorized redirect URIs: https://app.twinedgeai.com/auth/callback/google
  6. Click Create

Step 2: Configure OAuth Consent Screen

  1. Go to OAuth consent screen
  2. Configure:
    • User type: Internal (recommended; only accounts in your Google Workspace organization can sign in) or External (any Google account can reach the login, so restrict it with Hosted Domain in TwinEdge)
    • App name: TwinEdge
    • User support email: Your email
    • Scopes: email, profile, openid
  3. Save

Step 3: Configure TwinEdge

  1. Go to Settings → SSO
  2. Click Configure Google
  3. Enter:
    Client ID: xxxx.apps.googleusercontent.com
    Client Secret: ********
    Hosted Domain: yourcompany.com (optional, but set it whenever the consent screen is External: without it any Google account can authenticate, and with JIT provisioning enabled it would be created as a TwinEdge user)
  4. Click Save & Test

Custom SAML Configuration

TwinEdge SAML Settings

Configure your IdP with these TwinEdge SAML endpoints:

Setting        | Value
ACS URL        | https://app.twinedgeai.com/auth/saml/acs
Entity ID      | https://app.twinedgeai.com/saml/metadata
Sign-out URL   | https://app.twinedgeai.com/auth/saml/logout
NameID Format  | urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

Required Attributes

Your IdP must provide these attributes:

Attribute  | Description           | Required
email      | User's email address  | Yes
firstName  | First name            | Recommended
lastName   | Last name             | Recommended
groups     | Group memberships     | Optional

Configure in TwinEdge

  1. Go to Settings → SSO → Custom SAML
  2. Upload your IdP metadata XML or enter:
    • IdP SSO URL
    • IdP Entity ID
    • IdP Certificate (the X.509 certificate the IdP signs assertions with; TwinEdge verifies assertion signatures against it, so upload the new one before the IdP rotates or expires it)
  3. Map attributes
  4. Click Save & Test

Custom OIDC Configuration

Configure OIDC Provider

  1. Go to Settings → SSO → Custom OIDC
  2. Enter:
    Issuer URL: https://your-idp.com (exactly as published in the IdP's discovery document; it must equal the iss claim of the ID tokens the IdP issues, including any trailing slash)
    Client ID: your-client-id
    Client Secret: ********
    Authorization Endpoint: https://your-idp.com/authorize
    Token Endpoint: https://your-idp.com/token
    UserInfo Endpoint: https://your-idp.com/userinfo
    Copy the three endpoints from the IdP's discovery document (https://your-idp.com/.well-known/openid-configuration) rather than typing them, and use only https URLs
  3. Configure scopes: openid email profile
  4. Click Save & Test
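
The following is an added example, not TwinEdge's code, of the checks a relying party should make on a custom OIDC provider: the discovery document against the configured Issuer URL before saving, and the claims of each ID token against issuer, client ID and (for Google) the hosted domain after the signature has been verified. The discovery document and claims are constructed to match the values in the form above; verifying the token signature against the provider's JWKS is assumed to have happened before the claims check.

```python
"""Relying-party checks for a custom OIDC provider (added example, not TwinEdge
code). The discovery document and ID token claims below are constructed."""
from typing import Optional
from urllib.parse import urlparse

ISSUER = "https://your-idp.com"
CLIENT_ID = "your-client-id"

# Constructed discovery document, as served at ISSUER + "/.well-known/openid-configuration".
DISCOVERY = {
    "issuer": "https://your-idp.com",
    "authorization_endpoint": "https://your-idp.com/authorize",
    "token_endpoint": "https://your-idp.com/token",
    "userinfo_endpoint": "https://your-idp.com/userinfo",
    "jwks_uri": "https://your-idp.com/.well-known/jwks.json",
    "id_token_signing_alg_values_supported": ["RS256"],
}


def check_discovery(issuer: str, doc: dict) -> dict:
    """Return {"errors": [...], "warnings": [...]}; any error means do not save."""
    errors, warnings = [], []
    # The document's issuer must equal the configured Issuer URL byte for byte;
    # it is also what every ID token's iss claim is compared against later.
    if doc.get("issuer") != issuer:
        errors.append("issuer")
    if issuer.endswith("/") or urlparse(issuer).scheme != "https":
        errors.append("issuer-url")
    issuer_host = urlparse(issuer).netloc
    for key in ("authorization_endpoint", "token_endpoint", "userinfo_endpoint", "jwks_uri"):
        url = doc.get(key)
        if not url:
            errors.append(f"{key}-missing")
            continue
        parsed = urlparse(url)
        if parsed.scheme != "https":
            errors.append(f"{key}-not-https")   # code and client secret would cross the wire in clear
        if parsed.netloc != issuer_host:
            warnings.append(f"{key}-host")      # legitimate for some providers; confirm it is theirs
    algs = doc.get("id_token_signing_alg_values_supported", [])
    if not algs or "none" in algs:
        errors.append("alg")                     # unsigned ID tokens must never be accepted
    return {"errors": errors, "warnings": warnings}


def check_id_token_claims(claims: dict, issuer: str, client_id: str, now: float,
                          hosted_domain: Optional[str] = None, skew: int = 60) -> list:
    """Return the names of failed checks; an empty list means the token is acceptable."""
    failed = []
    if claims.get("iss") != issuer:
        failed.append("iss")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else list(aud or [])
    if client_id not in aud:
        failed.append("aud")
    # With several audiences the token must also name us as the authorized party.
    if len(aud) > 1 and claims.get("azp") != client_id:
        failed.append("azp")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now - skew:
        failed.append("exp")
    if not isinstance(claims.get("iat"), (int, float)) or claims["iat"] > now + skew:
        failed.append("iat")
    if not claims.get("sub"):
        failed.append("sub")
    # Email is the identity the user record is keyed on; an unverified email can
    # be set to anything by the account holder.
    if not claims.get("email") or claims.get("email_verified") is not True:
        failed.append("email_verified")
    # Google's hd claim carries the Workspace domain; the hd request parameter is
    # only a hint, so the restriction has to be enforced on the token.
    if hosted_domain and claims.get("hd") != hosted_domain:
        failed.append("hd")
    return failed
```

The host comparison is a warning rather than an error because some providers legitimately serve the token endpoint from a different host than the issuer; the point is to notice when an endpoint belongs to someone else, since the client secret and authorization code go to whatever token endpoint is configured.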

User Management with SSO

Just-In-Time Provisioning

New users are automatically created on first login:

jit_provisioning:
  enabled: true
  default_role: viewer
  auto_assign_groups: true

Role Mapping

Map IdP groups to TwinEdge roles:

IdP Group           | TwinEdge Role
twinedge-admins     | Admin
twinedge-operators  | Operator
twinedge-viewers    | Viewer

Configure in Settings → SSO → Role Mapping. Users in none of the mapped groups receive the JIT default_role, so keep the admin group small and owned by the IdP administrators.

Attribute Mapping

Map IdP attributes to TwinEdge user fields. The values below are the claim URIs Azure AD and AD FS issue; other IdPs may send plain names such as email, so use the attribute names that actually appear in your IdP's assertion:

attribute_mapping:
  email: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
  first_name: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
  last_name: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
  groups: "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
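
The following is an added example, not TwinEdge's code, that applies the attribute mapping and role mapping above to a SAML assertion's AttributeStatement and derives the user record JIT provisioning would create. The assertion is constructed; the "highest mapped role wins" rule, the lower-cased email and the requirement that the NameID agree with the email attribute are this example's own choices. It must only be run on an assertion whose signature has already been verified against the IdP certificate.

```python
"""Attribute and role mapping for a SAML assertion (added example, not TwinEdge
code). Parse only after the assertion signature has been verified."""
import xml.etree.ElementTree as ET
from typing import Optional

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# The attribute_mapping and role-mapping tables from the page.
ATTRIBUTE_MAPPING = {
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "first_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
    "last_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
    "groups": "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups",
}
ROLE_MAPPING = {"twinedge-admins": "admin", "twinedge-operators": "operator", "twinedge-viewers": "viewer"}
ROLE_RANK = {"viewer": 0, "operator": 1, "admin": 2}   # assumption: highest mapped role wins
DEFAULT_ROLE = "viewer"                                 # jit_provisioning.default_role

# Constructed assertion fragment; the Signature element is omitted.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">Ada.Lovelace@yourcompany.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>Ada.Lovelace@yourcompany.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
      <saml:AttributeValue>Ada</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
      <saml:AttributeValue>Lovelace</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>Everyone</saml:AttributeValue>
      <saml:AttributeValue>twinedge-operators</saml:AttributeValue>
      <saml:AttributeValue>twinedge-viewers</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_attributes(assertion_xml: str) -> dict:
    """Return {"name_id": (format, value) or None, "attrs": {Name: [values]}}."""
    root = ET.fromstring(assertion_xml)
    name_id = root.find("./saml:Subject/saml:NameID", NS)
    attrs = {}
    for attr in root.iterfind("./saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text.strip() for v in attr.iterfind("saml:AttributeValue", NS) if v.text]
    parsed_id = (name_id.get("Format"), (name_id.text or "").strip()) if name_id is not None else None
    return {"name_id": parsed_id, "attrs": attrs}


def map_user(parsed: dict) -> dict:
    """Apply ATTRIBUTE_MAPPING and ROLE_MAPPING; raise if a required value is absent."""
    attrs = parsed["attrs"]

    def first(field: str) -> Optional[str]:
        values = attrs.get(ATTRIBUTE_MAPPING[field], [])
        return values[0] if values else None

    email = first("email")
    if not email:
        raise ValueError("required attribute 'email' missing from assertion")
    name_id = parsed["name_id"]
    if name_id is None or name_id[0] != EMAIL_NAMEID or name_id[1].lower() != email.lower():
        raise ValueError("NameID must use the emailAddress format and agree with the email attribute")
    groups = attrs.get(ATTRIBUTE_MAPPING["groups"], [])
    mapped = [ROLE_MAPPING[g] for g in groups if g in ROLE_MAPPING]   # unmapped groups are ignored
    role = max(mapped, key=ROLE_RANK.__getitem__) if mapped else DEFAULT_ROLE
    return {"email": email.lower(), "first_name": first("first_name"),
            "last_name": first("last_name"), "role": role, "groups": groups}


def provision_from_assertion(assertion_xml: str) -> dict:
    return map_user(extract_attributes(assertion_xml))
```

Run against the sample, the user lands in the Operator role because that is the most privileged mapped group present; a user in no mapped group gets the JIT default (Viewer), and an assertion whose email attribute is under a different claim name is refused rather than silently provisioned, which is the "Attribute mapping failed" case in Troubleshooting.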

Security Settings

Enforce SSO

Require all users to sign in via SSO:

  1. Go to Settings → SSO → Security
  2. Enable Enforce SSO
  3. Optionally allow backup admin access: a break-glass account that can still sign in without the IdP. Limit it to one account with a long random password kept in a secrets manager, and review its sign-ins

Warning: Ensure SSO is working before enabling enforcement! With enforcement on and no backup admin access, a broken IdP configuration or an expired certificate locks every user out.

Session Management

Configure session duration:

  • Session timeout: 8 hours (default)
  • Idle timeout: 1 hour (default)
  • Remember me: Optional, up to 30 days

Removing a user at the IdP does not by itself end sessions TwinEdge has already issued; rely on SCIM Deactivate Users (see User Provisioning above) to disable the account, and keep Remember me short for Admin accounts.

Multi-Factor Authentication

SSO MFA is handled by your IdP. Ensure MFA is configured in:

  • Okta: Security → Authentication
  • Azure AD: Conditional Access
  • Google: Security → 2-Step Verification

Troubleshooting

Common Issues

"User not assigned to application"

  • Assign user in IdP
  • Check group assignments

"Invalid redirect URI"

  • Verify redirect URI matches exactly
  • Check for trailing slashes
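
IdPs compare the redirect URI in the request with the registered one as exact strings, so the usual causes are a trailing slash, http instead of https, a host in different case, or an extra query string. The following added diagnostic (not TwinEdge code; the URIs are constructed) names which component differs, which is quicker than eyeballing two long URLs in a trace.

```python
"""Explain why a redirect URI fails an IdP's exact-match check (added example)."""
from urllib.parse import urlsplit


def redirect_uri_mismatch(registered: str, requested: str) -> list:
    """Return the components that differ; an empty list means the IdP will accept it."""
    if registered == requested:
        return []
    r, q = urlsplit(registered), urlsplit(requested)
    reasons = []
    if r.scheme != q.scheme:
        reasons.append("scheme")            # http vs https, or a typo such as htps
    if r.netloc != q.netloc:
        reasons.append("host")              # includes port and upper/lower case
    if r.path != q.path:
        reasons.append("trailing-slash" if r.path.rstrip("/") == q.path.rstrip("/") else "path")
    if r.query != q.query:
        reasons.append("query")             # IdPs do not ignore extra parameters
    if r.fragment != q.fragment:
        reasons.append("fragment")
    # Differs only in something urlsplit normalises (e.g. scheme case); compare the raw strings.
    return reasons or ["other"]
```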

"Certificate expired"

  • Upload the IdP's current signing certificate in TwinEdge (Settings → SSO → Custom SAML)
  • If TwinEdge's own SAML metadata has expired, regenerate it and re-import it on the IdP side

"Attribute mapping failed"

  • Check attribute names
  • Verify claims are being sent

Debug Mode

Enable SSO debug logging:

  1. Go to Settings → SSO → Debug
  2. Enable Debug Mode
  3. Reproduce the issue
  4. View logs in Debug Log
  5. Disable Debug Mode when done; debug logs record the full assertion or token exchange, including user attributes

SAML Trace

Use browser extensions to trace SAML:

  • SAML-tracer (Firefox)
  • SAML DevTools (Chrome)

A trace contains the complete assertion, including user attributes and the signature; redact it before attaching it to a support ticket.

Support

For SSO configuration assistance:

Next Steps