INTRODUCTION
This article explains how to configure Single Sign-On (SSO) for cloud-hosted applications using Dualog Identity. Cloud integrations allow your crew to access internet-based applications using their Dualog credentials.
Dualog Identity supports two protocols for cloud integrations:
- OpenID Connect (OIDC) - Token-based OAuth 2.0 authentication
- SAML 2.0 - XML-based SSO standard
PREREQUISITES
Before setting up a cloud integration, you need:
- Administrator access to the Dualog Portal
- Access to the application you want to integrate (to configure it as a service provider)
- The application must support either OIDC or SAML 2.0
ACCESSING THE INTEGRATIONS PAGE
- Log in to
https://apps.dualog.com - Navigate to
https://apps.dualog.com/integrations
You will see a list of your existing integrations.
CREATING A NEW CLOUD INTEGRATION
- Click New Integration
- When asked "Where is the application running?", select:
"In the cloud" - Choose your integration type:
- OIDC - OpenId Connect: Token-based OAuth 2.0 authentication for SSO through API endpoints
- SAML 2.0: XML-based open standard for SSO. Use if the application only supports SAML
CONFIGURING AN OIDC INTEGRATION
After selecting OIDC, configure the following:
Basic Information
- Service Provider Name: A friendly name for this integration (e.g., "Training Portal", "E-Logbook")
- Logo: (Optional) Upload a logo for the application
Grant Type
Choose the OAuth grant type:
- Authorization Code: Recommended for web applications. More secure as tokens are exchanged server-side.
- Password: For legacy applications that require direct username/password authentication.
Redirect URIs
- Sign-in Redirect URI: The URL where users are sent after successful authentication. Get this from your application's SSO configuration.
- Sign-out Redirect URI: (Optional) The URL where users are sent after signing out.
Access Control
Choose who can access this application:
- Allow everyone in your organisation to access: All users in your organization can use this integration
- Limit access to selected ranks and groups: Only users with specific ranks can access
If you select limited access, select the ranks that should have access.
Saving the Integration
Click Save to create the integration. You will receive:
- Client ID: The unique identifier for this integration
- Client Secret: The secret key for authentication
Important: Copy the Client Secret immediately. For security reasons, it may not be displayed again.
CONFIGURING A SAML INTEGRATION
After selecting SAML 2.0, configure the following:
Basic Information
- Service Provider Name: A friendly name for this integration
- Logo: (Optional) Upload a logo for the application
SAML Configuration
- Single Sign-On URL: The URL where SAML assertions should be sent. Get this from your application (sometimes called ACS URL or Consumer URL).
- Audience URI (SP Entity ID): The unique identifier for the service provider. Get this from your application.
Name ID Format
Select the format for the user identifier sent to the application:
- Unspecified: Default format
- EmailAddress: Send the user's email address
- X509SubjectName: X.509 subject name format
- Persistent: Persistent identifier across sessions
- Transient: Temporary identifier for this session only
Choose the format required by your application.
Access Control
Same as OIDC - choose between allowing everyone or limiting to specific ranks.
Saving the Integration
Click Save to create the integration.
DUALOG IDENTITY PROVIDER INFORMATION
When configuring your application to use Dualog Identity, you'll need these details:
OIDC Endpoints
| Endpoint | URL |
|---|---|
| Issuer | https://crew.dualog.com/auth |
| Authorization | https://crew.dualog.com/auth/connect/authorize |
| Token | https://crew.dualog.com/auth/connect/token |
| User Info | https://crew.dualog.com/auth/connect/userinfo |
| JWKS | https://crew.dualog.com/auth/.well-known/openid-configuration/jwks |
| End Session | https://crew.dualog.com/auth/connect/endsession |
| Discovery Document | https://crew.dualog.com/auth/.well-known/openid-configuration |
SAML Endpoints
| Endpoint | URL |
|---|---|
| Entity ID | https://crew.dualog.com/auth |
| SSO URL (HTTP-Redirect) | https://crew.dualog.com/auth/saml/sso |
| SSO URL (HTTP-POST) | https://crew.dualog.com/auth/saml/sso |
| SLO URL (HTTP-Redirect) | https://crew.dualog.com/auth/saml/slo |
| SLO URL (HTTP-POST) | https://crew.dualog.com/auth/saml/slo |
| Metadata URL | https://crew.dualog.com/auth/saml/metadata |
CLAIMS AND ATTRIBUTES
Dualog Identity sends the following information about users to integrated applications:
Standard Claims (OIDC) / Attributes (SAML)
- User identifier (subject)
- Name (given name, family name, display name)
- Email address
MANAGING EXISTING INTEGRATIONS
Viewing Integration Details
- Go to
https://apps.dualog.com/integrations - Click on an integration to view its details
Editing an Integration
- Click on the integration
- Modify the desired settings
- Click Save
Regenerating Client Credentials
If you need to rotate your Client Secret for security reasons:
- Open the integration
- Use the regenerate option to create new credentials
- Update your application with the new Client Secret
Deleting an Integration
- Go to
https://apps.dualog.com/integrations - Click on the integration to open it
- Click Delete
- Confirm the deletion
Warning: Deleting an integration will immediately prevent users from authenticating to that application.
TROUBLESHOOTING
Common Issues
Users cannot access the application:
- Verify the user's rank is included in the access control settings
- Check that the user's account is active
- Confirm the Redirect URI is configured correctly
Authentication fails:
- Verify the Client ID and Client Secret are entered correctly in the application
- Check that the application is using the correct endpoints
- Ensure the grant type matches what the application expects
SAML assertion errors:
- Verify the Audience URI matches exactly what the application expects
- Check the Name ID format is compatible with the application
- Confirm the SSO URL is correct
Comments
Please sign in to leave a comment.