Single Sign-On

FlashDuty currently supports Single Sign-On (SSO) integration through SAML2.0, OIDC, CAS, and LDAP (private deployment only) protocols, enabling seamless integration with various applications and platforms. These features help you quickly implement identity information sharing with other platforms. Users only need to log in once to access multiple related applications and services without authenticating separately for each application, improving work efficiency, user experience, simplifying the login process, and enhancing security.

Configure SAML Protocol

Configuration path: Access Control => Single Sign-On => Enable => Settings => Select SAML2.0 Protocol

Field	Description
Protocol Type	Select SAML2.0
Metadata Document	XML document obtained from the identity provider
Field Mapping	FlashDuty extracts user email, username, and phone information from the identity provider through mapped fields
Login Domain	Essential identifier for authentication, globally unique
Create Account on Login	Enabled by default, if disabled, members need to be invited before they can log in
Flashcat Service Provider Information	Service Provider Metadata: Assertion Consumer Service URL: Assertion endpoint for single Sign-On with identity provider

Configure OIDC Protocol

Configuration path: Access Control => Single Sign-On => Enable => Settings => Select OIDC Protocol

Field	Description
Protocol Type	Select OIDC Protocol
Issuer	Obtain Issuer from identity provider, case-sensitive URL without query parameters
Client ID	Client ID obtained from identity provider
Client Secret	Client secret obtained from identity provider
Field Mapping	FlashDuty extracts user email, username, and phone information from the identity provider through mapped fields
Login Domain	Essential identifier for authentication, globally unique
Create Account on Login	Enabled by default, if disabled, members need to be invited before they can log in
Flashcat Service Provider Information	Redirect URL: Callback address for identity provider to Flashduty Supported Signing Algorithms: RS256,RS384,RS512,ES256,ES384,ES512,PS256,PS384,PS512 (HS256 not supported) Request scope: openid, email, phone

Configure CAS Protocol

Configuration path: Access Control => Single Sign-On => Enable => Settings => Select CAS Protocol

Field	Description
Protocol Type	Select CAS Protocol
CAS Address	CAS service address from identity provider
CAS Login Path	CAS login path
Field Mapping	FlashDuty extracts user email, username, and phone information from the identity provider through mapped fields
Login Domain	Essential identifier for authentication, globally unique
Create Account on Login	Enabled by default, if disabled, members need to be invited before they can log in
Flashcat Service Provider Information	Redirect URL: Callback address for identity provider to Flashduty

Configure LDAP Protocol

提示

LDAP single Sign-On is only supported in private deployment version

Configuration path: Access Control => Single Sign-On => Enable => Settings => Select LDAP Protocol

Field	Description
Protocol Type	Select LDAP Protocol
LDAP URL	LDAP service address, e.g., ldap://10.10.10.10:389
BIND DN	Username for LDAP connection, used for testing connection and searching users or groups. E.g., cn=admin,dc=flashduty,dc=com
BIND DN Password	Password for LDAP connection, will be encrypted in database
TLS	Skip Verify for TLS login
StartTLS	Whether to enable StartTLS
User DN	Defines the directory to start user search, e.g., ou=people,dc=flashduty,dc=com
Authentication Filter	Combined with Bind DN and password for user lookup, used to retrieve user DN information for LDAP authentication. Supports custom filter expressions, basic format: (&(mail=%s)). Note: Starting and ending parentheses are required
Field Mapping	FlashDuty extracts user email, username, and phone information from the identity provider through mapped fields. Email is a required mapping field
Login Domain	Essential identifier for authentication, globally unique
Create Account on Login	Enabled by default, if disabled, members need to be invited before they can log in

提示

Field mapping must be consistent with identity provider configuration to avoid errors. Fill in values according to descriptions. Refer to OpenLDAP Integration Guide for configuration. Contact FlashDuty customer service if you have questions.

Best Practices

Configure FlashDuty SSO through Authing Configuration.
Configure FlashDuty SSO through Keycloak Configuration.
Configure FlashDuty SSO through Ldap Configuration.

FAQ

What is SSO?

Single Sign-On (SSO) is an enterprise system integration solution that unifies user authentication, allowing users to access all trusted enterprise applications with a single login.

What are SAML2.0 protocol features?

SAML 2.0 protocol is XML-based, implementing cross-domain single Sign-On and authentication through secure, standardized assertions, supporting multiple data exchange bindings for interoperability and flexibility.

What are OIDC protocol features?

OIDC protocol, based on OAuth 2.0, provides standardized, secure authentication flows using JSON Web Tokens for user information transfer, enabling cross-platform single Sign-On and identity management.

What are CAS protocol features?

CAS protocol is a web application single Sign-On protocol that enables users to authenticate once across multiple services using Service Tickets and Authentication Tickets for service authentication.

What are LDAP protocol features?

LDAP protocol, derived from X.500 standard, organizes data in a tree structure for hierarchical management and quick retrieval, providing flexible query language (LDAP Search Filter) for complex data filtering and searching.

Can multiple protocols be used simultaneously?

Currently not supported, only one protocol can be selected

Single Sign-On

Configure SAML Protocol#

Configure OIDC Protocol#

Configure CAS Protocol#

Configure LDAP Protocol#

Best Practices#

FAQ#

Configure SAML Protocol

Configure OIDC Protocol

Configure CAS Protocol

Configure LDAP Protocol

Best Practices

FAQ