# 🔐 Enterprise Single Sign-On (SSO)

Enterprise SSO provides seamless authentication across your organization's identity providers, enabling secure access to RecoAgent with your existing enterprise identity infrastructure.
## 🎯 Supported SSO Providers

### SAML 2.0 Providers
- Okta - Enterprise identity management
- Azure Active Directory - Microsoft identity platform
- Ping Identity - Enterprise identity security
- OneLogin - Identity and access management
### OAuth 2.0/OIDC Providers
- Google Workspace - Google identity platform
- Auth0 - Identity as a service
- Microsoft Identity - OAuth 2.0 and OpenID Connect
- Custom OAuth - Any OAuth 2.0 compliant provider
### LDAP/Active Directory
- Active Directory - Microsoft directory services
- OpenLDAP - Open source directory services
- 389 Directory Server - Red Hat directory server
- Apache Directory Server - Apache directory services
## 🚀 Quick Start

### 1. Choose Your SSO Provider

#### For SAML 2.0 (Recommended for Enterprise)

```python
from recoagent.packages.security.sso import SAMLProvider

# Configure SAML provider
saml_provider = SAMLProvider(
    entity_id="https://your-company.okta.com",
    sso_url="https://your-company.okta.com/app/your-app/sso/saml",
    # IdP signing certificate, used to verify assertion signatures
    x509_cert="-----BEGIN CERTIFICATE-----\n...",
    attribute_mapping={
        "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
        "first_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
        "last_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
    }
)
```

#### For OAuth 2.0/OIDC

```python
from recoagent.packages.security.sso import OAuthProvider

# Configure OAuth provider
oauth_provider = OAuthProvider(
    provider="google",
    client_id="your_google_client_id",
    client_secret="your_google_client_secret",  # load from a secret store, never commit it
    redirect_uri="https://your-domain.com/auth/callback",  # must match the URI registered with the provider exactly
    scopes=["openid", "email", "profile"]
)
```
#### For LDAP/Active Directory

```python
from recoagent.packages.security.sso import LDAPConnector

# Configure LDAP connector. Use LDAPS (port 636) as the best practices below
# require; a plain ldap:// URL would send the bind password in cleartext.
ldap_connector = LDAPConnector(
    server="ldaps://your-ad-server.com:636",
    base_dn="DC=company,DC=com",
    bind_dn="CN=service-account,OU=Service Accounts,DC=company,DC=com",
    bind_password="service_account_password",  # load from a secret store, never commit it
    user_search_base="OU=Users,DC=company,DC=com",
    group_search_base="OU=Groups,DC=company,DC=com"
)
```
### 2. Initialize SSO Manager

```python
from recoagent.packages.security.sso import SSOManager

# Initialize SSO manager
sso_manager = SSOManager(
    providers=[saml_provider, oauth_provider, ldap_connector],
    session_timeout=3600,  # 1 hour
    refresh_token_ttl=2592000,  # 30 days
    enable_mfa=True
)
```

### 3. Configure User Mapping

```python
# Configure user attribute mapping (RecoAgent field -> identity provider attribute)
sso_manager.configure_user_mapping({
    "email": "email",
    "first_name": "given_name",
    "last_name": "family_name",
    "groups": "groups",
    "department": "department"
})

# Configure role mapping (RecoAgent role -> identity provider groups that grant it)
sso_manager.configure_role_mapping({
    "admin": ["Administrators", "IT-Admins"],
    "analyst": ["Data-Analysts", "Business-Users"],
    "viewer": ["Viewers", "Read-Only-Users"]
})
```
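The following is an added illustration, not RecoAgent's own code, of what the attribute mapping and role mapping configured above do at login time: the raw attributes an IdP returns (SAML claim URIs, with list values) are translated to the internal field names, a required attribute that is missing is treated as an error rather than silently producing a partial account, and roles are granted only when one of the user's groups is listed for that role (deny by default). The helper names (`map_attributes`, `resolve_roles`, `build_profile`) and the sample attribute values are constructed for the example; the attribute URIs and role mapping are the ones shown in this page.

```python
from typing import Any, Iterable

# Same shapes as the Quick Start: internal field -> attribute name the IdP sends.
SAML_ATTRIBUTE_MAPPING = {
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "first_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
    "last_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
    "groups": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/groups",
}

ROLE_MAPPING = {
    "admin": ["Administrators", "IT-Admins"],
    "analyst": ["Data-Analysts", "Business-Users"],
    "viewer": ["Viewers", "Read-Only-Users"],
}

REQUIRED_FIELDS = ("email",)


def missing_required(profile: dict[str, Any]) -> list[str]:
    """Internal fields that must be present before an account may be created or matched."""
    return [field for field in REQUIRED_FIELDS if not profile.get(field)]


def map_attributes(raw: dict[str, Any], mapping: dict[str, str]) -> dict[str, Any]:
    """Translate IdP attribute names to internal field names.

    SAML attribute values arrive as lists: single-valued fields are unwrapped,
    while 'groups' always stays a list so role resolution never special-cases it.
    """
    profile: dict[str, Any] = {}
    for field, idp_name in mapping.items():
        value = raw.get(idp_name)
        if value is None:
            continue  # optional attribute not released by the IdP
        if field == "groups":
            profile[field] = list(value) if isinstance(value, (list, tuple)) else [value]
        else:
            profile[field] = value[0] if isinstance(value, (list, tuple)) else value
    missing = missing_required(profile)
    if missing:
        # Refuse to provision rather than create an account that cannot be identified.
        raise ValueError(f"IdP response lacks required attributes: {missing}")
    return profile


def resolve_roles(groups: Iterable[str], role_mapping: dict[str, list[str]]) -> set[str]:
    """Deny by default: a role is granted only if one of the user's groups is listed for it."""
    group_set = set(groups)
    return {role for role, allowed in role_mapping.items() if group_set & set(allowed)}


def build_profile(raw: dict[str, Any],
                  attribute_mapping: dict[str, str] = SAML_ATTRIBUTE_MAPPING,
                  role_mapping: dict[str, list[str]] = ROLE_MAPPING) -> dict[str, Any]:
    """Full JIT-provisioning view of one login: mapped attributes plus resolved roles."""
    profile = map_attributes(raw, attribute_mapping)
    profile["roles"] = sorted(resolve_roles(profile.get("groups", []), role_mapping))
    return profile


# Constructed sample of what a SAML attribute statement looks like after parsing
# (values are lists, keys are the claim URIs). Not real IdP output.
CONSTRUCTED_SAML_ATTRIBUTES = {
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": ["alice@example.com"],
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname": ["Alice"],
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname": ["Example"],
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/groups": ["Data-Analysts", "Everyone"],
}

if __name__ == "__main__":
    print(build_profile(CONSTRUCTED_SAML_ATTRIBUTES))
```

Note the `Everyone` group in the sample: it appears in no role's list, so it contributes nothing. Group names are compared exactly, so an IdP that renames a group silently stops granting the role, which is the safe direction to fail in.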
## 📊 SSO Features

### 1. Authentication Methods

| Method | Security | Enterprise Support | MFA Support |
|---|---|---|---|
| SAML 2.0 | ✅ High | ✅ Excellent | ✅ Yes |
| OAuth 2.0 | ✅ High | ✅ Good | ✅ Yes |
| OIDC | ✅ High | ✅ Good | ✅ Yes |
| LDAP | ✅ Medium | ✅ Excellent | ✅ Yes |

### 2. Security Features

- Multi-Factor Authentication (MFA): Support for TOTP, SMS, push notifications
- Session Management: Configurable session timeouts and refresh tokens
- Token Security: JWT tokens with RS256 signing
- Audit Logging: Complete authentication event logging
- Rate Limiting: Protection against brute force attacks

### 3. Enterprise Integration

- Just-in-Time (JIT) Provisioning: Automatic user creation
- Group Synchronization: Automatic role assignment based on groups
- Attribute Mapping: Flexible user attribute mapping
- Session Federation: Cross-domain session sharing
- Conditional Access: Context-aware access policies
## 🛡️ Security Best Practices

### 1. SAML Configuration
- Use SHA-256 for signature algorithms
- Enable encryption for sensitive attributes
- Configure proper certificate validation
- Set appropriate session timeouts
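As an added example (not RecoAgent code and not its SAML implementation), the policy checks below show what "use SHA-256" and "configure proper certificate validation" mean concretely when a SAML response arrives: the assertion must be signed with an RSA-SHA256 signature and SHA-256 digests (the SHA-1 URIs are refused), its `Issuer` must equal the configured `entity_id`, its `AudienceRestriction` must name this service provider, and its `NotBefore`/`NotOnOrAfter` window must contain the current time within a small clock skew. These checks complement cryptographic verification of the signature against the configured `x509_cert`, which the SAML library performs; they do not replace it. The SP entity id, the sample XML and the `check_assertion_policy` / `constructed_response` helpers are constructed for this example; the IdP entity id is the one from the Quick Start.

```python
import xml.etree.ElementTree as ET  # fine for constructed input; use defusedxml or the SAML library's parser in production
from datetime import datetime, timedelta, timezone

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# Only SHA-256 based algorithms are accepted; rsa-sha1 / sha1 URIs fail the check.
ALLOWED_SIGNATURE_ALGS = {"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"}
ALLOWED_DIGEST_ALGS = {"http://www.w3.org/2001/04/xmlenc#sha256"}

IDP_ENTITY_ID = "https://your-company.okta.com"               # entity_id from the Quick Start
SP_ENTITY_ID = "https://recoagent.example.com/saml/metadata"  # assumed SP entity id (constructed)
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)        # fixed clock for the sample run


def _saml_time(value: str) -> datetime:
    """SAML timestamps are UTC and end in 'Z'."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_assertion_policy(response_xml: str, idp_entity_id: str, sp_entity_id: str,
                           now: datetime, skew: timedelta = timedelta(minutes=2)) -> list[str]:
    """Return the list of policy violations; an empty list means the assertion passes."""
    problems: list[str] = []
    assertion = ET.fromstring(response_xml).find("saml:Assertion", NS)
    if assertion is None:
        return ["response carries no Assertion"]

    sig = assertion.find("ds:Signature", NS)
    if sig is None:
        problems.append("assertion is not signed")
    else:
        method = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
        alg = method.get("Algorithm") if method is not None else None
        if alg not in ALLOWED_SIGNATURE_ALGS:
            problems.append(f"SignatureMethod not allowed: {alg}")
        for digest in sig.findall("ds:SignedInfo/ds:Reference/ds:DigestMethod", NS):
            if digest.get("Algorithm") not in ALLOWED_DIGEST_ALGS:
                problems.append(f"DigestMethod not allowed: {digest.get('Algorithm')}")

    if assertion.findtext("saml:Issuer", namespaces=NS) != idp_entity_id:
        problems.append("Issuer does not match the configured entity_id")

    conditions = assertion.find("saml:Conditions", NS)
    if conditions is None:
        problems.append("assertion has no Conditions")
        return problems
    audiences = [a.text for a in conditions.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        problems.append(f"AudienceRestriction does not include this SP: {audiences}")
    not_before, not_on_or_after = conditions.get("NotBefore"), conditions.get("NotOnOrAfter")
    if not_before and now + skew < _saml_time(not_before):
        problems.append("assertion is not yet valid")
    if not_on_or_after is None:
        problems.append("assertion has no NotOnOrAfter")
    elif now - skew >= _saml_time(not_on_or_after):
        problems.append("assertion has expired")
    return problems


# Constructed sample response (not real IdP output); SignatureValue is a placeholder.
_TEMPLATE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>{issuer}</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>{issuer}</saml:Issuer>
    <ds:Signature><ds:SignedInfo>
      <ds:SignatureMethod Algorithm="{sig_alg}"/>
      <ds:Reference URI="#_a1"><ds:DigestMethod Algorithm="{digest_alg}"/></ds:Reference>
    </ds:SignedInfo><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
    <saml:Conditions NotBefore="2024-01-01T11:58:00Z" NotOnOrAfter="{not_on_or_after}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def constructed_response(sig_alg: str = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
                         digest_alg: str = "http://www.w3.org/2001/04/xmlenc#sha256",
                         not_on_or_after: str = "2024-01-01T12:03:00Z",
                         issuer: str = IDP_ENTITY_ID, audience: str = SP_ENTITY_ID) -> str:
    return _TEMPLATE.format(sig_alg=sig_alg, digest_alg=digest_alg,
                            not_on_or_after=not_on_or_after, issuer=issuer, audience=audience)


if __name__ == "__main__":
    print("good:", check_assertion_policy(constructed_response(), IDP_ENTITY_ID, SP_ENTITY_ID, NOW))
    print("sha1:", check_assertion_policy(
        constructed_response(sig_alg="http://www.w3.org/2000/09/xmldsig#rsa-sha1"),
        IDP_ENTITY_ID, SP_ENTITY_ID, NOW))
```

Run the checks before any attribute is read from the assertion, and log every non-empty result to the audit trail: a sudden run of "SignatureMethod not allowed" or "Issuer does not match" findings is a configuration drift or an IdP change worth investigating, not noise.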
### 2. OAuth Configuration
- Use PKCE for public clients
- Implement proper scope management
- Configure secure redirect URIs
- Enable state parameter validation
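An added example, not RecoAgent's `OAuthProvider` implementation, of three items in the list above working together on the client side of the authorization code flow: a PKCE `code_verifier`/`code_challenge` pair (S256, RFC 7636), a per-login `state` value that is stored server-side and compared in constant time on the callback, and an exact-match allow-list for `redirect_uri` (no prefix or wildcard matching, HTTPS only). The `client_id`, `redirect_uri` and scopes are the values from the Quick Start; the authorize endpoint is Google's documented one (check it against your provider's discovery metadata); the function names are constructed for this example.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode, urlsplit

AUTHORIZE_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"  # from Google's OAuth docs; verify for your provider
CLIENT_ID = "your_google_client_id"
REDIRECT_URI = "https://your-domain.com/auth/callback"
SCOPES = ["openid", "email", "profile"]
# Exact strings registered with the provider; nothing else is ever accepted.
REGISTERED_REDIRECTS = frozenset({REDIRECT_URI})


def code_verifier(nbytes: int = 32) -> str:
    """RFC 7636 verifier: 32 random bytes -> 43 unpadded base64url characters."""
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).rstrip(b"=").decode("ascii")


def code_challenge(verifier: str) -> str:
    """S256 challenge = base64url(sha256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def is_allowed_redirect(uri: str, registered: frozenset[str]) -> bool:
    """Exact match against the registered set, and HTTPS only; no prefix matching."""
    return uri in registered and urlsplit(uri).scheme == "https"


def build_authorization_request(authorize_endpoint: str = AUTHORIZE_ENDPOINT,
                                client_id: str = CLIENT_ID,
                                redirect_uri: str = REDIRECT_URI,
                                scopes: list[str] = SCOPES,
                                registered: frozenset[str] = REGISTERED_REDIRECTS):
    """Return (authorization URL, per-session secrets to persist until the callback)."""
    if not is_allowed_redirect(redirect_uri, registered):
        raise ValueError(f"redirect_uri not registered or not https: {redirect_uri}")
    verifier = code_verifier()
    state = secrets.token_urlsafe(32)
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),            # request only what the app needs
        "state": state,                       # bound to this session, checked on return
        "code_challenge": code_challenge(verifier),
        "code_challenge_method": "S256",      # never "plain"
    }
    # The verifier must stay server-side (session store); only the challenge leaves.
    return f"{authorize_endpoint}?{urlencode(params)}", {"state": state, "code_verifier": verifier}


def validate_callback(query_params: dict[str, str], pending: dict[str, str]) -> dict[str, str]:
    """Check the callback against the pending login; return what the token request needs."""
    state = query_params.get("state", "")
    if not state or not hmac.compare_digest(state.encode(), pending["state"].encode()):
        raise ValueError("state mismatch: possible CSRF or stale login attempt")
    if "error" in query_params:
        raise ValueError(f"provider returned error: {query_params['error']}")
    code = query_params.get("code")
    if not code:
        raise ValueError("callback carries no authorization code")
    # The token request sends code + code_verifier; the provider recomputes the challenge.
    return {"code": code, "code_verifier": pending["code_verifier"]}


if __name__ == "__main__":
    url, pending = build_authorization_request()
    print(url)
    print(validate_callback({"state": pending["state"], "code": "constructed-code"}, pending))
```

The `pending` dictionary must be stored per session and deleted once the callback has been consumed, so that a replayed callback with an old `state` fails the comparison.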
### 3. LDAP Configuration
- Use LDAPS (LDAP over SSL)
- Implement proper access controls
- Configure secure bind credentials
- Enable audit logging
## 📚 Configuration Examples

### Okta SAML Configuration

```python
# Okta SAML configuration
okta_config = {
    "entity_id": "https://your-company.okta.com",
    "sso_url": "https://your-company.okta.com/app/your-app/sso/saml",
    "x509_cert": "-----BEGIN CERTIFICATE-----\n...",
    "attribute_mapping": {
        "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
        "first_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
        "last_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
        "groups": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/groups"
    }
}
```

### Azure AD OAuth Configuration

```python
# Azure AD OAuth configuration
azure_config = {
    "provider": "azure",
    "client_id": "your_azure_client_id",
    "client_secret": "your_azure_client_secret",  # load from a secret store, never commit it
    "tenant_id": "your_azure_tenant_id",
    "redirect_uri": "https://your-domain.com/auth/callback",
    "scopes": ["openid", "email", "profile", "User.Read"]
}
```

### Active Directory LDAP Configuration

```python
# Active Directory LDAP configuration (LDAPS on port 636)
ad_config = {
    "server": "ldaps://your-ad-server.com:636",
    "base_dn": "DC=company,DC=com",
    "bind_dn": "CN=service-account,OU=Service Accounts,DC=company,DC=com",
    "bind_password": "service_account_password",  # load from a secret store, never commit it
    "user_search_base": "OU=Users,DC=company,DC=com",
    "group_search_base": "OU=Groups,DC=company,DC=com",
    "user_filter": "(objectClass=person)",
    "group_filter": "(objectClass=group)"
}
```
## 🎯 Next Steps
- Choose SSO Provider: Select SAML, OAuth, or LDAP based on your infrastructure
- Configure Identity Provider: Set up your identity provider with RecoAgent
- Test Authentication: Validate SSO login functionality
- Configure User Mapping: Map identity provider attributes to RecoAgent users
- Set Up Role Assignment: Configure automatic role assignment
- Enable Audit Logging: Set up comprehensive authentication logging
Secure your AI operations with enterprise-grade SSO! 🔐