SSO - Single Sign-On
SSO/SAML 2.0/OIDC integration for centralized, secure authentication of your teams.
Key Features
SAML 2.0 & OIDC
Support for both major federated authentication standards.
8 Pre-configured Providers
Azure AD, Okta, Google, Auth0, OneLogin, PingIdentity and more.
Adaptive MFA
Risk-based multi-factor authentication (location, device, behaviour).
Auto-provisioning
Automatic creation of user accounts from your IdP.
Supported Identity Providers
| Provider | Protocol | Configuration |
|---|---|---|
| Microsoft Entra ID (Azure AD) | SAML 2.0 / OIDC | Pre-configured |
| Okta | SAML 2.0 / OIDC | Pre-configured |
| Google Workspace | OIDC | Pre-configured |
| Auth0 | OIDC | Pre-configured |
| OneLogin | SAML 2.0 | Pre-configured |
| PingIdentity | SAML 2.0 / OIDC | Pre-configured |
| JumpCloud | SAML 2.0 | Manual |
| Custom IdP | SAML 2.0 / OIDC | Manual |
SAML 2.0 Configuration
1. Service Provider (SP) Information
Use this information to configure Adlibo as the Service Provider in your IdP.
```
# Adlibo metadata (SP)
Entity ID: https://www.adlibo.com/saml/metadata/{org_id}
ACS URL:   https://www.adlibo.com/saml/acs/{org_id}
SLO URL:   https://www.adlibo.com/saml/slo/{org_id}

# Required attributes
email:     urn:oid:0.9.2342.19200300.100.1.3
firstName: urn:oid:2.5.4.42
lastName:  urn:oid:2.5.4.4
groups:    memberOf (optional)
```
2. Configuration via Dashboard
Configure your IdP from the Enterprise dashboard.
```jsonc
// POST /api/saas/enterprise/sso
{
  "providerType": "AZURE_AD",
  "displayName": "Corporate Azure AD",
  "saml": {
    "entityId": "https://sts.windows.net/{tenant_id}/",
    "ssoUrl": "https://login.microsoftonline.com/{tenant_id}/saml2",
    "certificate": "-----BEGIN CERTIFICATE-----\nMIIC...\n-----END CERTIFICATE-----",
    "signatureAlgorithm": "sha256",
    "nameIdFormat": "email",
    "attributeMapping": {
      "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
      "firstName": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
      "lastName": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
      "groups": "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
    }
  },
  "allowedDomains": ["company.com", "subsidiary.com"],
  "autoProvision": true,
  "defaultRole": "MEMBER",
  "groupMapping": {
    "IT-Admins": "ADMIN",
    "Security-Team": "ADMIN",
    "Developers": "MEMBER"
  }
}
```
OIDC Configuration
```jsonc
// POST /api/saas/enterprise/sso
{
  "providerType": "OKTA",
  "displayName": "Corporate Okta",
  "oidc": {
    "issuer": "https://company.okta.com",
    "clientId": "0oa...",
    "clientSecret": "encrypted_secret",
    "authorizationUrl": "https://company.okta.com/oauth2/v1/authorize",
    "tokenUrl": "https://company.okta.com/oauth2/v1/token",
    "userInfoUrl": "https://company.okta.com/oauth2/v1/userinfo",
    "jwksUrl": "https://company.okta.com/oauth2/v1/keys",
    "scopes": ["openid", "profile", "email", "groups"],
    "responseType": "code",
    "claimMapping": {
      "email": "email",
      "name": "name",
      "groups": "groups"
    }
  },
  "allowedDomains": ["company.com"],
  "autoProvision": true
}
```
Adaptive MFA
Adaptive MFA analyses several risk factors to decide whether an additional verification step is required.
| Factor | Risk level | Trigger |
|---|---|---|
| Location | HIGH | Login from a new country or a suspicious IP |
| Device | MEDIUM | New device that is unrecognised or unmanaged |
| Time | LOW | Login outside usual hours |
| Behaviour | MEDIUM | Unusual navigation patterns |
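The following is an added example, not Adlibo's own scoring engine: it shows how a decision function could combine the factor levels in the table above with the `adaptiveMfa` settings documented in the configuration that follows (the `actions` bands for low/medium/high and `mfaExemptGroups`). The per-factor weights, the `LoginContext` fields and the sample logins are constructed for illustration; the page does not document the real scoring model, and `riskThreshold` is not interpreted here because its semantics beyond the allowed values are not specified.

```python
"""Added example: adaptive MFA decision from a login context (not Adlibo code)."""
from dataclasses import dataclass, field

# Mirrors the adaptiveMfa configuration documented on this page.
ADAPTIVE_MFA_CONFIG = {
    "adaptiveMfa": {
        "enabled": True,
        "riskThreshold": "medium",
        "factors": ["location", "device", "time", "behavior"],
        "actions": {"low": "allow", "medium": "mfa_required", "high": "block"},
    },
    "mfaExemptGroups": ["Service-Accounts"],
}

# Assumed contribution of each factor when its signal fires (0-100 scale).
# The ordering follows the page: location HIGH, device/behaviour MEDIUM, time LOW.
FACTOR_WEIGHTS = {"location": 50, "device": 25, "behavior": 25, "time": 10}


@dataclass
class LoginContext:
    """Constructed signals about one login attempt."""
    groups: list = field(default_factory=list)
    new_country: bool = False
    suspicious_ip: bool = False
    unmanaged_device: bool = False
    off_hours: bool = False
    unusual_behavior: bool = False


def fired_factors(ctx):
    """Map raw signals onto the four configurable factors."""
    return {
        "location": ctx.new_country or ctx.suspicious_ip,
        "device": ctx.unmanaged_device,
        "time": ctx.off_hours,
        "behavior": ctx.unusual_behavior,
    }


def risk_score(ctx, config=ADAPTIVE_MFA_CONFIG):
    """Sum the weights of fired factors that are enabled in the config, capped at 100."""
    enabled = set(config["adaptiveMfa"]["factors"])
    total = sum(FACTOR_WEIGHTS[name] for name, fired in fired_factors(ctx).items()
                if fired and name in enabled)
    return min(total, 100)


def risk_level(score):
    """Bands taken from the page's comments: <30 low, 30-70 medium, >70 high."""
    if score < 30:
        return "low"
    if score <= 70:
        return "medium"
    return "high"


def decide(ctx, config=ADAPTIVE_MFA_CONFIG):
    """Return (action, score); the score is worth keeping for the audit log."""
    mfa = config["adaptiveMfa"]
    if not mfa["enabled"]:
        return "allow", 0
    score = risk_score(ctx, config)
    action = mfa["actions"][risk_level(score)]
    # Exempt groups skip the MFA prompt only; a high-risk block still applies.
    if action == "mfa_required" and set(ctx.groups) & set(config["mfaExemptGroups"]):
        return "allow", score
    return action, score


if __name__ == "__main__":
    print(decide(LoginContext(new_country=True)))                       # ('mfa_required', 50)
    print(decide(LoginContext(groups=["Service-Accounts"], unmanaged_device=True)))
    print(decide(LoginContext(new_country=True, unmanaged_device=True, unusual_behavior=True)))
```

A design point worth noting: the exemption list is applied after the band lookup so that a service account cannot be used to bypass the `block` action; exemptions only remove the interactive MFA step.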
```jsonc
// Adaptive MFA configuration
{
  "adaptiveMfa": {
    "enabled": true,
    "riskThreshold": "medium", // low, medium, high
    "factors": ["location", "device", "time", "behavior"],
    "actions": {
      "low": "allow",           // Score < 30: no MFA
      "medium": "mfa_required", // Score 30-70: MFA required
      "high": "block"           // Score > 70: block + alert
    }
  },
  "mfaExemptGroups": ["Service-Accounts"]
}
```
SDK Integration
JavaScript/TypeScript
```javascript
import { AdliboClient } from '@adlibo/sdk';

const client = new AdliboClient({ apiKey: process.env.ADLIBO_API_KEY });

// Start the SSO login. `sessionId` is the caller's current session identifier,
// passed as `state` so the callback can be tied back to this login attempt.
const loginUrl = await client.sso.initiateLogin({
  provider: 'AZURE_AD',
  returnUrl: '/dashboard',
  state: sessionId
});

// Redirect the user to the IdP
window.location.href = loginUrl;

// Callback handler (after the user returns from the IdP); `app` is an Express-style router
app.get('/auth/callback', async (req, res) => {
  const result = await client.sso.handleCallback({
    code: req.query.code,
    state: req.query.state
  });
  if (result.success) {
    // Create the local session
    req.session.user = result.user;
    res.redirect('/dashboard');
  } else {
    res.redirect('/login?error=' + result.error);
  }
});
```
Python
```python
from flask import Flask, request, session, redirect  # added: the handler below uses these
from adlibo import AdliboClient

app = Flask(__name__)  # added: the route decorator below needs an application object
client = AdliboClient(api_key="YOUR_API_KEY")

# Start the SSO login
login_url = client.sso.initiate_login(
    provider="OKTA",
    return_url="/dashboard"
)

# Callback handler (after the user returns from the IdP)
@app.route("/auth/callback")
def sso_callback():
    result = client.sso.handle_callback(
        code=request.args.get("code"),
        state=request.args.get("state")
    )
    if result.success:
        # Create the local session
        session["user"] = result.user
        return redirect("/dashboard")
    return redirect(f"/login?error={result.error}")
```
Group Mapping
Automatically map your IdP groups to Adlibo roles.
| IdP Group | Adlibo Role | Permissions |
|---|---|---|
| Security-Admins | OWNER | Full access, billing, SSO config |
| IT-Team | ADMIN | User management, API keys, configs |
| Developers | MEMBER | Dashboard, alerts, API usage |
| Auditors | READONLY | View only, export reports |
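The following is an added example, not Adlibo's provisioning code: it walks through what the `attributeMapping`, `allowedDomains`, `autoProvision`, `defaultRole` and `groupMapping` settings from the SAML configuration above mean once an assertion arrives, and how the group-to-role table above is resolved when a user belongs to several mapped groups. The role ranking, the sample assertion attributes and the `ProvisionedUser` shape are assumptions made for the example; only the OID attribute names, role names and group names come from the page.

```python
"""Added example: SAML attributes -> Adlibo user and role (not Adlibo code)."""
from dataclasses import dataclass, field

# Assumed privilege order, least to most, used when a user is in several mapped groups.
ROLE_RANK = {"READONLY": 0, "MEMBER": 1, "ADMIN": 2, "OWNER": 3}

# Hypothetical SSO configuration mirroring the dashboard payload on this page.
SSO_CONFIG = {
    "attributeMapping": {
        "email": "urn:oid:0.9.2342.19200300.100.1.3",
        "firstName": "urn:oid:2.5.4.42",
        "lastName": "urn:oid:2.5.4.4",
        "groups": "memberOf",
    },
    "allowedDomains": ["company.com", "subsidiary.com"],
    "autoProvision": True,
    "defaultRole": "MEMBER",
    "groupMapping": {"IT-Admins": "ADMIN", "Security-Team": "ADMIN", "Developers": "MEMBER"},
}


@dataclass
class ProvisionedUser:
    email: str
    first_name: str
    last_name: str
    role: str
    groups: list = field(default_factory=list)


class ProvisioningError(ValueError):
    """Raised when the assertion must not create or log in a user."""


def map_attributes(assertion_attrs, mapping):
    """Translate raw (multi-valued) assertion attributes into Adlibo field names."""
    out = {}
    for field_name, attr_name in mapping.items():
        values = assertion_attrs.get(attr_name, [])
        if field_name == "groups":
            out[field_name] = list(values)
        else:
            out[field_name] = values[0] if values else None
    return out


def email_domain_allowed(email, allowed_domains):
    """Exact, case-insensitive match on the domain part: 'evil-company.com' must not pass."""
    domain = email.rsplit("@", 1)[-1].lower()
    return domain in {d.lower() for d in allowed_domains}


def resolve_role(groups, group_mapping, default_role):
    """Highest-ranked mapped role wins; groups absent from the mapping grant nothing."""
    mapped = [group_mapping[g] for g in groups if g in group_mapping]
    if not mapped:
        return default_role
    return max(mapped, key=lambda r: ROLE_RANK.get(r, -1))


def provision_from_assertion(assertion_attrs, config=SSO_CONFIG):
    """Apply the config to the assertion; reject before touching any account state."""
    attrs = map_attributes(assertion_attrs, config["attributeMapping"])
    email = attrs.get("email")
    if not email or "@" not in email:
        raise ProvisioningError("assertion carries no usable email attribute")
    if not email_domain_allowed(email, config["allowedDomains"]):
        raise ProvisioningError(f"domain of {email} is not in allowedDomains")
    if not config["autoProvision"]:
        raise ProvisioningError("auto-provisioning disabled; the account must already exist")
    role = resolve_role(attrs["groups"], config["groupMapping"], config["defaultRole"])
    return ProvisionedUser(email.lower(), attrs["firstName"] or "", attrs["lastName"] or "",
                           role, list(attrs["groups"]))


# Constructed sample assertion attributes, multi-valued as SAML delivers them.
SAMPLE_ASSERTION = {
    "urn:oid:0.9.2342.19200300.100.1.3": ["Alice@Company.com"],
    "urn:oid:2.5.4.42": ["Alice"],
    "urn:oid:2.5.4.4": ["Martin"],
    "memberOf": ["Developers", "Security-Team", "Coffee-Club"],
}

if __name__ == "__main__":
    print(provision_from_assertion(SAMPLE_ASSERTION))  # role resolves to ADMIN
```

The domain check compares the full domain string rather than using a suffix match, which is the usual mistake when implementing `allowedDomains`; and unmapped groups such as `Coffee-Club` fall through to `defaultRole` instead of being treated as an error, matching the documented `defaultRole` behaviour.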
Security Best Practices
Restrict domains
Configure allowedDomains to limit access to email addresses from your organisation.
Enable Adaptive MFA
Adaptive MFA offers a good security/UX balance by requiring MFA only for risky logins.
Certificate rotation
Plan the rotation of SAML certificates before they expire. Adlibo alerts you 30 days in advance.
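As a further practice around the SDK calls shown earlier (`initiateLogin`/`handleCallback` and their `state` and `returnUrl` parameters), the following added example, which is not part of the Adlibo SDK, shows how an application can generate an unguessable, single-use, time-limited `state` bound to the caller's session and validate it on the callback, and how to keep `returnUrl` to a same-site path. The session store is a plain dict standing in for a real server-side session, and the ten-minute lifetime is an assumption.

```python
"""Added example: server-side handling of the SSO state and return URL (not Adlibo code)."""
import hmac
import secrets
import time

STATE_TTL_SECONDS = 600  # assumed: how long a started login may stay pending


def safe_return_url(candidate, default="/dashboard"):
    """Accept only same-site relative paths; '//host', 'https://host' and backslash tricks fall back."""
    if (isinstance(candidate, str) and candidate.startswith("/")
            and not candidate.startswith("//") and "\\" not in candidate):
        return candidate
    return default


def begin_login(session, return_url, now=None):
    """Create the state for one login attempt, remember it in the session, and return it.

    The returned value is what would be passed as `state` to the SDK's initiateLogin call.
    """
    now = time.time() if now is None else now
    state = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    session["sso_state"] = {
        "value": state,
        "return_url": safe_return_url(return_url),
        "issued": now,
    }
    return state


def finish_login(session, returned_state, now=None):
    """Validate the callback's state before exchanging any code.

    Returns the stored return URL on success, or None if the state is missing,
    expired, already used, or does not match. The pending entry is consumed
    even on failure so that a rejected value cannot be retried.
    """
    now = time.time() if now is None else now
    pending = session.pop("sso_state", None)
    if pending is None or not isinstance(returned_state, str) or not returned_state:
        return None
    if now - pending["issued"] > STATE_TTL_SECONDS:
        return None
    if not hmac.compare_digest(pending["value"], returned_state):
        return None
    return pending["return_url"]


if __name__ == "__main__":
    sess = {}
    state = begin_login(sess, "/dashboard")
    print(finish_login(sess, state))   # /dashboard
    print(finish_login(sess, state))   # None: already consumed
```

The comparison uses `hmac.compare_digest` so that a mismatch does not leak timing information, and the stored entry is popped before any check so a single state value can never be accepted twice.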
Need help with SSO configuration?
Our team can support you in integrating your Identity Provider.