Single sign-on (SSO) to the Cequence Unified API Protection (UAP) platform can be initiated by the identity provider (IdP).
This configuration requires a user to authenticate at the identity provider, then click a link that routes the user through a series of redirects to the Cequence UAP platform UI. The active authentication session from the IdP authenticates into the Cequence UAP platform requiring no further interaction from the user.
Cequence supports IdP-initiated SSO through the Third Party Initiated Login section of the OIDC specification.
Configuring IdP-initiated SSO
- In the Cequence UAP platform UI, configure an SSO provider linked to a SAML application in the IdP.
- Disable the Force Authentication toggle for the provider.
- Configure the user dashboard of the IdP to hide the SAML application.
- Configure a separate OIDC application in the IdP.
- Set the Sign In and Initiate Login URI values according to the following format:
  https://UI ingress hostname/apisec/api/sso?hint=SSO provider alias
  Replace UI ingress hostname with the hostname of the machine that serves your Cequence UAP platform UI. Replace SSO provider alias with the alias for the SAML application you linked to an SSO provider earlier in this procedure.
- Verify that the OIDC application is visible in the IdP user dashboard.
- Log in at the IdP.
- From the IdP dashboard, click the OIDC application link.
The IdP redirects the session to the /apisec/api/sso endpoint for automatic authentication.
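Because the Initiate Login URI is typed by hand into the IdP, a small builder and checker helps catch the usual mistakes before a login is attempted: a hostname that accidentally carries a path, an alias that is missing or needs percent-encoding, or a URI that does not use https. The following is an added example and not Cequence code; the hostname and alias values are constructed for illustration, and only the /apisec/api/sso path and the hint parameter come from the format above.

```python
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Path and query parameter name taken from the documented URI format.
SSO_PATH = "/apisec/api/sso"
HINT_PARAM = "hint"


def build_initiate_login_uri(ui_ingress_hostname: str, sso_provider_alias: str) -> str:
    """Return the Sign In / Initiate Login URI to paste into the IdP's OIDC application.

    The hostname must be a bare host (optionally host:port); the alias is
    percent-encoded so an alias containing spaces or '&' cannot break the query.
    """
    if not ui_ingress_hostname or any(c in ui_ingress_hostname for c in "/?#@"):
        raise ValueError("UI ingress hostname must be a bare host[:port] with no path or query")
    if not sso_provider_alias:
        raise ValueError("SSO provider alias must not be empty")
    query = urlencode({HINT_PARAM: sso_provider_alias})
    return urlunsplit(("https", ui_ingress_hostname, SSO_PATH, query, ""))


def check_initiate_login_uri(uri: str, expected_hostname: str) -> str:
    """Validate an already-configured URI and return the SSO provider alias it carries.

    Raises ValueError when the URI is not https, points at a different host,
    uses a different path, or does not carry exactly one hint value.
    """
    parts = urlsplit(uri)
    if parts.scheme != "https":
        raise ValueError(f"expected https, got {parts.scheme!r}")
    if parts.netloc != expected_hostname:
        raise ValueError(f"expected host {expected_hostname!r}, got {parts.netloc!r}")
    if parts.path != SSO_PATH:
        raise ValueError(f"expected path {SSO_PATH!r}, got {parts.path!r}")
    hints = parse_qs(parts.query).get(HINT_PARAM, [])
    if len(hints) != 1:
        raise ValueError("URI must carry exactly one hint parameter")
    return hints[0]


if __name__ == "__main__":
    # Constructed sample values, not a real deployment.
    uri = build_initiate_login_uri("uap.example.com", "okta-saml")
    print(uri)
    print("alias:", check_initiate_login_uri(uri, "uap.example.com"))
```

The checker is the useful half in practice: run it against the URI copied back out of the IdP so a typo in the hostname or a dropped hint parameter is caught as a ValueError rather than as a silent redirect to the wrong endpoint.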