Single Sign-On in IGEL OS 12
Single Sign-On (SSO) is an authentication method that can be used via a cloud-based identity provider (IdP) to access the local device and apps. This article describes the options used for configuring SSO in IGEL OS.
See How to Configure Single Sign-On (SSO) on IGEL OS 12 for a detailed description of the entire SSO configuration process.
Menu path: Security > Logon > Single Sign-On
Single Sign-On with identity provider
☑ SSO is used as the authentication method.
To have a fallback option if something goes wrong with SSO, e.g. a network failure, it is recommended to configure local login in addition under Security > Logon > Local User. For more information, see Local User Login in IGEL OS 12 .
☐ SSO is not used. (Default)
Identity provider
The identity provider used for the SSO configuration.
Possible options:
Microsoft Entra ID
Okta
OpenID Connect
Ping Identity | PingOne
VMware Workspace ONE Access
Identity Provider Is Set to "Microsoft Entra ID"
Microsoft Entra ID
The value you have obtained as Directory (tenant) ID in the Microsoft Entra ID Portal.
Application (client) ID
The value you have obtained as Application (client) ID in the Microsoft Entra ID Portal.
Client secret
The client secret that was created in the Microsoft Entra ID Portal.
Identity Provider Is Set to "Okta"
Okta URL
The URL of the Okta identity provider.
Client ID
The client ID that was created in Okta.
Client secret
This is a value created by the identity provider. The value can be copied from the Identity Provider Admin Console.
Identity Provider Is Set to "OpenID Connect"
This option can be used for various identity providers that support OpenID Connect.
Issuer URL
The URL at the identity provider's site where the OpenID configuration document for your application can be found. This is the part of the path that precedes /.well-known/openid-configuration
Client ID
The client ID that is registered in your identity provider.
Client secret
The client secret that has been created by your identity provider.
Identity Provider Is Set to "Ping Identity | PingOne"
PingOne issuer URL
The URL at the Ping Identity / PingOne site where the OpenID configuration document for your application can be found. This is the part of the path that precedes /.well-known/openid-configuration
Client ID
The client ID that is registered in Ping Identity / PingOne for your application.
Client secret
The client secret that has been created in Ping Identity / PingOne for your application.
Identity Provider Is Set to "VMware Workspace ONE Access"
Workspace ONE Access issuer URL
The URL at the Workspace ONE Access site where the OpenID configuration document for your client can be found. This is the part of the path that precedes /.well-known/openid-configuration
Client ID
The client ID that is registered in Workspace ONE Access for your client.
Client secret
The client secret that has been created in Workspace ONE Access for your client.
Federated Identity Across IdPs
A federation can be set up between IdPs. For example, if Okta and Microsoft Entra ID are federated, Okta offers access/authentication against Microsoft Entra ID and vice versa. In the case of federated IdPs, the login screen contains a host that differs from the primary IdP. As IGEL OS only allows the primary IdP by default (e.g. “login.microsoftonline.com“), you must explicitly allow any further hosts.
List of allowed hosts for redirection
Hostnames that will be allowed by IGEL OS
Format:
Only the hostnames (no protocol specification, like “https://”)
Several entries are separated by semicolons “;”
Example: “login.microsoftonline.com”
Scopes for OpenID Connect
You can define a list of scopes to which the client will request access. In addition to the standard scopes of OpenID Connect, custom scopes can be defined.
OpenID Connect scope
List of OpenID Connect scopes to which the client will request access
Format:
Space separated list
US ASCII only, no special characters or spaces within one scope
Example: “openid profile email custom_scope“
Automatic Desktop Login
As an alternative to the interactive desktop login, predefined user credentials can automatically be provided to the IdP on startup. The credentials are stored securely on the endpoint device.
In this version of IGEL OS, only login via username and password is supported; multi-factor authentication (MFA) is not supported.
Please be aware that after the automatic desktop login, a fully unlocked desktop session will run on your endpoint device. This feature should only be used for use cases where no interactive login is possible. It is good practice to restrict this user's access to only the relevant components and data that are necessary for the specific use case.
Automatic login is available for the following IdPs:
Okta
Microsoft Entra ID (formerly known as Microsoft Azure AD)
Ping Identity | PingOne
VMware Workspace ONE Access
Automatically perform login
☑ After startup, the endpoint device performs the login automatically using the Username for autologin and the Password for autologin.
Username for autologin
The name of a user known to the IdP used.
Password for autologin
The password of the user provided in Username for autologin.