SSO Management
TrueWatch supports Single Sign-On (SSO) based on SAML 2.0 and OIDC/OAuth 2.0 protocols. Enterprises can centrally manage employee accounts in their local Identity Provider (IdP) without synchronizing user information between TrueWatch and the IdP. Employees can log in to TrueWatch using their corporate email and access the system according to predefined permissions.
Concepts
| Term | Description |
|---|---|
| IdP (Identity Provider) | The enterprise's unified authentication system, such as Azure AD, Okta, OneAuth, Keycloak, DingTalk, WeCom, self-built LDAP, etc. |
| SP (Service Provider) | The TrueWatch platform, acting as the service recipient. |
| Role Mapping | Automatically assigns TrueWatch role permissions based on user attributes (e.g., department, position, user group) returned by the IdP. |
| Entity ID | In the SAML protocol, the unique identifier for TrueWatch as the SP. |
| ACS URL | Assertion Consumer Service URL, the address to which the IdP submits assertions to TrueWatch after a successful SAML login. |
Features
- IdP Support: A single workspace can be configured with up to 10 identity providers, compatible with different authentication systems within the enterprise.
- Cross-workspace Login: Users authorized by the same identity provider can choose to jump to other authorized workspaces within the valid login session without re-authentication.
- Dynamic Permissions: Achieve fine-grained permission control based on user attributes through role mapping.
- Automatic Account Binding: During the first SSO login, if the email matches an existing TrueWatch account, it is automatically bound, and historical data is preserved.
Quick Start
Configuration Entry
Go to Manage > Member Management > SSO Management > User SSO.
Choose Your Protocol Type
| Protocol | Use Cases | Configure |
|---|---|---|
| SAML 2.0 | Enterprise already has standard SAML services like Azure AD, ADFS, Okta, OneAuth, Keycloak, etc. | View SAML Configuration Guide |
| OIDC/OAuth 2.0 | Enterprise uses self-built authentication systems or modern cloud IdPs. | View OIDC Configuration Guide |
Role Mapping
Implement dynamic permission assignment based on user attributes.
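The role mapping and automatic account binding described above, as an added example that is not TrueWatch's own code: the rule schema (`RoleRule`), the role rank table, the function names and the sample attributes are all assumptions, since this page does not publish the real rule format. Mapping is deny-by-default (no matching rule means no role), multi-valued IdP attributes such as group lists are handled, and an email is only bound when it falls under the IdP's configured domain.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed rule format (assumption: TrueWatch's real schema is not shown on this page).
# A rule grants one role when the named IdP attribute equals, or contains, the value.
@dataclass(frozen=True)
class RoleRule:
    attribute: str   # IdP attribute name, e.g. "department" or "groups"
    value: str       # attribute value that triggers the grant
    role: str        # TrueWatch role to assign

# Constructed privilege order: when several rules match, the highest-ranked role wins.
ROLE_RANK = {"Owner": 3, "Administrator": 2, "Standard": 1, "ReadOnly": 0}

def attribute_values(attrs: Dict, name: str) -> Set[str]:
    """Normalise an IdP attribute to a set of strings (SAML/OIDC may return a list)."""
    raw = attrs.get(name)
    if raw is None:
        return set()
    if isinstance(raw, (list, tuple, set)):
        return {str(v) for v in raw}
    return {str(raw)}

def resolve_role(attrs: Dict, rules: List[RoleRule]) -> Optional[str]:
    """Return the highest-ranked role granted by any matching rule, or None (deny by default)."""
    granted = [r.role for r in rules if r.value in attribute_values(attrs, r.attribute)]
    if not granted:
        return None
    return max(granted, key=lambda role: ROLE_RANK.get(role, -1))

def email_allowed(email: str, idp_domain: str) -> bool:
    """Only emails under the IdP's configured domain may be bound through this provider."""
    local, sep, domain = email.strip().lower().rpartition("@")
    return bool(local) and sep == "@" and domain == idp_domain.lower()

def sso_login(attrs: Dict, rules: List[RoleRule], idp_domain: str, existing: Set[str]) -> Dict:
    """Decide the outcome of an SSO login from the attributes the IdP returned."""
    email = str(attrs.get("email", "")).strip().lower()
    if not email_allowed(email, idp_domain):
        return {"status": "rejected", "reason": "email outside IdP domain"}
    role = resolve_role(attrs, rules)
    if role is None:
        return {"status": "rejected", "reason": "no role mapping matched"}
    # bound_existing mirrors the first-login binding: True when the email already has an account.
    return {"status": "ok", "email": email, "role": role, "bound_existing": email in existing}
```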
Manage SSO Configuration
Options
After adding an identity provider, you can manage the SSO configuration through the following operations.
| Operation | Description | Risk Warning |
|---|---|---|
| Edit | Modify configuration details or the enabled/disabled status. | May affect the login experience of existing SSO members. It is recommended to operate during non-business hours. |
| Delete | Remove this identity provider. | Related members will be unable to log in via this method. Please notify them in advance and confirm they have alternative login methods. |
| Export | Export the configuration as a JSON file, making it easy to copy to other workspaces. | The exported name must not duplicate the name of any other IdP in the current workspace. |
| Import | Quickly create from a JSON file. | Must comply with format specifications. It is recommended to export one first as a template. |
View SSO Members
- Member Count: Displays the total number of all members who have logged in via SSO.
- Member List: Click the member count to view the specific list of authorized SSO members.
Notification Mechanism
The following operations will trigger email notifications to the workspace Owner and Administrator:
- Adding/Enabling an SSO configuration.
- Modifying key configurations (domain, role mapping rules).
- Deleting an SSO configuration.