SSO for Accounts
UDMG supports Single Sign-On (SSO) for Account authentication in the Web Transfer Client (WTC).
This feature enables centralized identity management, strengthens security, and provides a seamless login experience for Admins and partners. By allowing Accounts to authenticate through an external Identity Provider (IdP), UDMG integrates easily into your organization's existing identity infrastructure.
Each UDMG Domain supports a single SSO provider for Accounts. Upon SSO login, UDMG validates the IdP assertion/token, verifies authorization, issues its own session tokens, and performs Just-in-Time (JIT) provisioning of Accounts.
Before You Begin
Supported Protocols and IdPs
UDMG supports two widely adopted authentication protocols for SSO. These are open standards for exchanging authentication and authorization data between an Identity Provider (IdP) and a Service Provider (SP), such as UDMG:
- SAML (Security Assertion Markup Language) 2.0
- OIDC (OpenID Connect)/OAuth 2.0
UDMG supports any IdP that conforms to the SAML or OIDC/OAuth 2.0 specifications. The table below lists a selection of commonly used IdPs that have been tested and validated. If your IdP is not listed, it is still likely to work with UDMG, as unlisted providers may simply not have undergone our complete validation process.
| Identity Provider | SAML 2.0 | OIDC / OAuth 2.0 |
|---|---|---|
| Okta | ||
| Microsoft Entra ID (Azure AD) | ||
| Google Workspace | ||
| PingFederate | ||
| Auth0 | | |
Before configuring SSO in UDMG (the Service Provider), ensure your IdP is fully configured and operational. Download your IdP metadata file or obtain the necessary configuration details from your issuer. See the required fields in Field Descriptions.
Provisioning and Identity Management
UDMG supports automated Just-in-Time (JIT) provisioning for Accounts authenticated via SSO. When an Account successfully signs in to the Web Transfer Client (WTC) through a configured SSO provider for the very first time, their Username is automatically created within UDMG—no manual setup is required.
On First Login
When an Account signs in with SSO for the first time, UDMG processes the identity assertion or token returned by the IdP:
- If the Username Attribute Name is present and resolves to a unique username that does not already exist with a different Login Method, UDMG creates a new Account and populates the mapped Account Group associations.
- If the Username Attribute Name is missing, or if an Account with the same Username exists but has a different Login Method (e.g., Standard or LDAP), the login is denied.
On Subsequent Logins
When an SSO-provisioned Account logs in again, UDMG re-evaluates authorization and:
- Updates mapped attributes (e.g., name, email, Account Group associations) if they differ from the IdP response.
- Refreshes the Updated timestamp and Version number whenever any Account data is modified.
The Username is immutable to preserve identity consistency. The Login Method (equal to SAML or OIDC) and the association with the originating SSO Provider are also immutable.
On Account or SSO Removal/Change
If an Account is removed from the IdP, or if the SSO provider is disabled or deleted in UDMG:
- The Account remains visible in the list but will no longer be able to log in.
- If the Account authenticates again after an SSO provider has been replaced, they may be re-provisioned as a new Account depending on whether the new IdP emits a different value for the configured Username Attribute Name.
Group Attribute, Roles, and Authorization
After an Account is authenticated through SSO, UDMG determines their Account Group association based on the value returned by the IdP. This attribute contains one or more values, such as group names or role identifiers, which are read from the Role/Group Attribute Name defined in the SSO configuration and compared against the configured mapping.
For each Account Group, you can configure the exact IdP value (group or claim) that grants that Account Group association.
If an Account's IdP attributes contain multiple matching values, UDMG associates all of the Account Groups.
For SAML configurations, when group attributes are returned as a single string, values are split using the configured Role/Group Delimiter (For Single String Attributes).
Account Group assignments are re-evaluated on every login. If an Account's group membership changes in the IdP, UDMG updates the Account's Account Group associations accordingly.
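The first-login, subsequent-login and group-mapping rules above, modelled as an added Python example (this is not UDMG's own code): the config and account classes, the attribute names and the sample assertions are assumptions constructed for illustration, and the denial on a provider mismatch reflects the page's statement that the association with the originating SSO provider is immutable.

```python
"""Added example (not UDMG code): JIT provisioning and Account Group mapping
rules for an SSO login. Class shapes, attribute names and sample assertions are
assumptions constructed for illustration."""

from dataclasses import dataclass, field


@dataclass
class Account:
    """Minimal stand-in for a UDMG Account record (assumed shape)."""
    username: str
    login_method: str        # "SAML"/"OIDC" for SSO accounts; "Standard"/"LDAP" otherwise
    provider: str            # originating SSO provider; immutable once set
    email: str = ""
    name: str = ""
    groups: set = field(default_factory=set)
    version: int = 1


@dataclass
class SsoConfig:
    """Subset of the SSO provider fields the provisioning rules use (assumed names)."""
    name: str
    protocol: str            # "SAML" or "OIDC"
    username_attr: str       # Username Attribute Name
    email_attr: str          # Email Attribute Name
    name_attr: str           # Name Attribute Name
    group_attr: str          # Role/Group Attribute Name
    group_delimiter: str = ""                           # Role/Group Delimiter (SAML only)
    group_mapping: dict = field(default_factory=dict)   # IdP value -> Account Group


def resolve_groups(attrs, cfg):
    """Return the Account Groups whose mapped IdP value appears in the assertion."""
    raw = attrs.get(cfg.group_attr, [])
    if isinstance(raw, str):
        # SAML IdPs may return every group in one string; split on the configured delimiter.
        raw = raw.split(cfg.group_delimiter) if cfg.group_delimiter else [raw]
    values = {v.strip() for v in raw if v.strip()}
    # Every matching value grants its Account Group; unmapped values are ignored.
    return {grp for idp_value, grp in cfg.group_mapping.items() if idp_value in values}


def sso_login(attrs, cfg, accounts):
    """Apply the first-login / subsequent-login rules. Returns (outcome, account)."""
    username = attrs.get(cfg.username_attr)
    if not username:
        return "denied: username attribute missing", None
    groups = resolve_groups(attrs, cfg)
    existing = accounts.get(username)
    if existing is None:
        # First login: create the Account and populate mapped group associations.
        acct = Account(username, cfg.protocol, cfg.name,
                       attrs.get(cfg.email_attr, ""), attrs.get(cfg.name_attr, ""), groups)
        accounts[username] = acct
        return "created", acct
    if existing.login_method != cfg.protocol or existing.provider != cfg.name:
        # Username already exists with a different Login Method or provider: deny.
        return "denied: username exists with a different login method", None
    # Subsequent login: re-evaluate authorization and refresh mapped attributes.
    changed = False
    for attr_name, fld in ((cfg.email_attr, "email"), (cfg.name_attr, "name")):
        new = attrs.get(attr_name, "")
        if new and getattr(existing, fld) != new:
            setattr(existing, fld, new)
            changed = True
    if existing.groups != groups:
        existing.groups = groups
        changed = True
    if changed:
        existing.version += 1   # Version (and Updated) refresh only when data changed
    return "updated" if changed else "unchanged", existing


# Constructed sample configuration and assertions (illustrative values only).
CONFIG = SsoConfig("Corp Okta", "SAML", "email", "email", "displayName", "mftRole",
                   group_delimiter=";",
                   group_mapping={"mft-partners": "Partners", "mft-admins": "Admins"})
FIRST = {"email": "alice@example.com", "displayName": "Alice",
         "mftRole": "mft-partners;mft-admins"}
LATER = {"email": "alice@example.com", "displayName": "Alice", "mftRole": "mft-partners"}
NO_USERNAME = {"displayName": "Bob", "mftRole": "mft-partners"}


def demo():
    accounts = {"carol": Account("carol", "Standard", "")}   # pre-existing Standard account
    r1, a1 = sso_login(FIRST, CONFIG, accounts)               # created with both groups
    g1 = set(a1.groups)
    r2, a2 = sso_login(LATER, CONFIG, accounts)               # Admins removed, version bumped
    r3, _ = sso_login(NO_USERNAME, CONFIG, accounts)          # no username attribute
    r4, _ = sso_login({"email": "carol", "mftRole": ""}, CONFIG, accounts)  # Standard clash
    return r1, g1, r2, a2.version, r3, r4


if __name__ == "__main__":
    print(demo())
```

Running `demo()` walks an Account through creation, a group change on the next login, a missing username attribute, and a username collision with a Standard Account, returning the outcome of each step.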
Login Experience
Once an SSO provider has been configured and enabled for a Domain, a button for that provider appears on the Domain's login page beneath the standard Username and Password fields.
When a user clicks the SSO button, UDMG redirects them to the configured IdP for authentication. After authentication completes, the corresponding Account session is established, and the user is redirected to their requested page or the default landing page.
If the IdP is configured for IdP-initiated login, it can send a signed authentication response directly to the Full Redirect URI — the Assertion Consumer Service (ACS) endpoint for SAML or the redirect URI for OIDC.
Session Behavior
After a successful SSO login, UDMG establishes and manages its own application session; it does not reuse IdP tokens. When an Account signs out, only the UDMG session ends. Single Logout (SLO) across the IdP or other applications is not supported.
If an SSO provider is disabled or deleted, new logins are blocked but existing sessions remain active until they expire. When a session expires, Accounts are returned to the login page; if their IdP session is still valid, they may be signed back in without re-entering credentials, otherwise the IdP prompts the user to log in.
Configuring an SSO Provider
SSO is configured at the Domain level, meaning it can only be used to authenticate Accounts within that specific Domain. If you want to use the same SSO provider across multiple Domains, it must be configured separately in each Domain.
To configure an SSO provider for Accounts, follow these steps:
- From the Sidebar, click General > Settings.
- Click Single Sign-On (SSO) - Accounts.
- Fill out the fields for the new SSO settings using the Field Descriptions table, which includes separate tabs for OIDC / OAuth 2.0 and SAML.
- Click Add.
Field Descriptions
SAML

| Name | Description | Specifications | Required |
|---|---|---|---|
| Name | The name of the SSO configuration. | | Yes |
| Description | The description of the SSO configuration. | | No |
| Protocol | Select SAML. | | Yes |
| Identity Provider (IdP) | The selected IdP's name and icon are displayed on the login page under the single sign-on section. If your IdP is not listed below, then it is displayed as 'Other.' Options: | | Yes |
| UDMG Base URL | The base URL of your UDMG instance, prefixed by HTTPS. This should be the hostname where your UDMG application is accessible. | Must be a valid HTTPS URL. | Yes |
| Full Redirect URI | The complete redirect URI that is automatically generated and should be configured in your IdP as the callback URL for SAML authentication. | Must be a valid HTTPS URL. | Yes |
| IdP SSO URL | The IdP's SSO endpoint URL that Users or Accounts are redirected to for login. | Must be a valid HTTPS URL. | Yes |
| Service Provider (SP) Entity ID (Issuer) | A unique identifier for your Service Provider (entity issuer) that the IdP recognizes. | Must be a valid HTTPS URL. | Yes |
| Audience URI (Expected Value) | The URI that specifies which Service Provider the SAML assertion is intended for. Only change this field if your IdP sends a different audience value than your Service Provider (SP) Entity ID. | Must be a valid HTTPS URL. | Yes |
| Credentials Name (Client ID & Secret) | The Credential that references the CA Certificate that is used to verify the signature on the SAML response from the IdP. | Must reference an already created X.509 Certificate. | Yes |
| Username Attribute Name | The name of the attribute to use as the unique user identifier. If not specified, the default NameID element will be used. This value should be globally unique and not change over time (e.g., email, uid, userPrincipalName). | | Yes |
| Email Attribute Name | The name of the attribute that contains the User's email address. | | Yes |
| Name Attribute Name | The name of the attribute that contains the User's name. | | Yes |
| Role/Group Attribute Name | The name of the attribute from which the role will be derived. This could be an existing attribute or a custom one, such as mftRole. | | Yes |
| Role/Group Delimiter (For Single String Attributes) | If the Role/Group Attribute Name is returned as a single string, specify the delimiter (e.g., ; or ,). | | Yes |
| Role/Group Attribute to Account Group Mapping | Map IdP group/role values to Account Groups. For each row, provide an IdP Role/Group and select its matching Account Group. | For more information on this field configuration, refer to Group Attribute, Roles, and Authorization. | No |
OIDC / OAuth 2.0

| Name | Description | Specifications | Required |
|---|---|---|---|
| Name | The name of the SSO configuration. | | Yes |
| Description | The description of the SSO configuration. | | No |
| Protocol | Select OIDC / OAuth 2.0. | | Yes |
| Identity Provider (IdP) | The selected IdP's name and icon are displayed on the login page under the single sign-on section. If your IdP is not listed below, then it is displayed as 'Other.' Options: | | Yes |
| UDMG Base URL | The base URL of your UDMG instance, prefixed by HTTPS. This should be the hostname where your UDMG application is accessible. | Must be a valid HTTPS URL. | Yes |
| Full Redirect URI | The complete redirect URI that is automatically generated and should be configured in your IdP as the callback URL for OIDC authentication. | Must be a valid HTTPS URL. | Yes |
| Issuer URL | The base URL of the OpenID Provider that is used to discover other OIDC endpoints. | Must be a valid HTTPS URL. | Yes |
| Credentials Name (Client ID & Secret) | The Credential that contains the Client ID (unique identifier assigned to your application Service Provider by the IdP) and authentication password for OIDC/OAuth 2.0. | Must reference an already created Key Pair. | Yes |
| Authorization Endpoint | The endpoint for initiating the authentication flow. | Must be a valid HTTPS URL. | Yes |
| User Info Endpoint URL | The URL of the OIDC endpoint used to retrieve additional user or account profile information. | | Yes |
| Token Endpoint | The endpoint for exchanging the authorization code for tokens. | Must be a valid HTTPS URL. | Yes |
| Scopes | The permissions or identity data the Service Provider Client is requesting, such as "openid email profile" or "openid". | Must be a valid, space-separated string. | Yes |
| Username Attribute Name | The name of the attribute to use as the unique user identifier. If not specified, the default NameID element will be used. This value should be globally unique and not change over time (e.g., email, uid, userPrincipalName). | | Yes |
| Email Attribute Name | The name of the attribute that contains the User's email address. | | Yes |
| Name Attribute Name | The name of the attribute that contains the User's name. | | Yes |
| Role/Group Attribute Name | The name of the attribute from which the role will be derived. This could be an existing attribute or a custom one, such as mftRole. | | Yes |
| Role/Group Attribute to Account Group Mapping | Map IdP group/role values to Account Groups. For each row, provide an IdP Role/Group and select its matching Account Group. | For more information on this field configuration, refer to Group Attribute, Roles, and Authorization. | No |
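A pre-flight check of a proposed configuration against the Specifications and Required columns of the two tables, as an added Python example (not part of UDMG): the dictionary keys mirror the field names in the tables, the rule that the Scopes value must include `openid` comes from the OpenID Connect specification rather than this page, and the sample configurations and URLs are constructed.

```python
"""Added example (not UDMG code): checks a proposed SSO provider configuration
against the Specifications/Required columns of the Field Descriptions tables.
Field keys and the sample configurations are assumptions constructed for
illustration."""

from urllib.parse import urlparse

# Fields whose specification is "Must be a valid HTTPS URL." (per protocol).
HTTPS_FIELDS = {
    "SAML": ["UDMG Base URL", "Full Redirect URI", "IdP SSO URL",
             "Service Provider (SP) Entity ID (Issuer)", "Audience URI (Expected Value)"],
    "OIDC": ["UDMG Base URL", "Full Redirect URI", "Issuer URL",
             "Authorization Endpoint", "Token Endpoint"],
}
# Remaining fields the tables mark as Required: Yes.
OTHER_REQUIRED = {
    "SAML": ["Name", "Identity Provider (IdP)", "Credentials Name (Client ID & Secret)",
             "Username Attribute Name", "Email Attribute Name", "Name Attribute Name",
             "Role/Group Attribute Name",
             "Role/Group Delimiter (For Single String Attributes)"],
    "OIDC": ["Name", "Identity Provider (IdP)", "Credentials Name (Client ID & Secret)",
             "User Info Endpoint URL", "Scopes", "Username Attribute Name",
             "Email Attribute Name", "Name Attribute Name", "Role/Group Attribute Name"],
}


def is_https_url(value):
    """True only for an absolute URL with an https scheme and a host."""
    u = urlparse(value or "")
    return u.scheme == "https" and bool(u.netloc)


def check_sso_config(cfg):
    """Return a list of problems; an empty list means the config passes every check."""
    protocol = cfg.get("Protocol")
    if protocol not in HTTPS_FIELDS:
        return [f"Protocol: must be SAML or OIDC, got {protocol!r}"]
    problems = []
    for fld in HTTPS_FIELDS[protocol]:
        if not is_https_url(cfg.get(fld)):
            problems.append(f"{fld}: must be a valid HTTPS URL")
    for fld in OTHER_REQUIRED[protocol]:
        if not str(cfg.get(fld, "")).strip():
            problems.append(f"{fld}: required")
    if protocol == "OIDC":
        scopes = cfg.get("Scopes", "")
        tokens = scopes.split(" ") if scopes else []
        if any(not t for t in tokens):
            problems.append("Scopes: must be a single space-separated string")
        elif "openid" not in tokens:
            # Assumption from the OIDC specification, not stated on the page.
            problems.append("Scopes: the 'openid' scope is required for OpenID Connect")
    return problems


# Constructed sample configurations (hostnames and paths are placeholders).
OK_OIDC = {
    "Name": "Corp Entra", "Protocol": "OIDC", "Identity Provider (IdP)": "Microsoft Entra ID",
    "UDMG Base URL": "https://udmg.example.com",
    "Full Redirect URI": "https://udmg.example.com/sso/callback",
    "Issuer URL": "https://login.example.com/tenant/v2.0",
    "Credentials Name (Client ID & Secret)": "entra-client",
    "Authorization Endpoint": "https://login.example.com/tenant/oauth2/v2.0/authorize",
    "User Info Endpoint URL": "https://graph.example.com/oidc/userinfo",
    "Token Endpoint": "https://login.example.com/tenant/oauth2/v2.0/token",
    "Scopes": "openid email profile",
    "Username Attribute Name": "preferred_username", "Email Attribute Name": "email",
    "Name Attribute Name": "name", "Role/Group Attribute Name": "groups",
}
BAD_SAML = {
    "Name": "Corp Okta", "Protocol": "SAML", "Identity Provider (IdP)": "Okta",
    "UDMG Base URL": "http://udmg.example.com",            # plain HTTP: rejected
    "Full Redirect URI": "https://udmg.example.com/sso/saml",
    # "IdP SSO URL" deliberately omitted
    "Service Provider (SP) Entity ID (Issuer)": "https://udmg.example.com/sso/saml/metadata",
    "Audience URI (Expected Value)": "https://udmg.example.com/sso/saml/metadata",
    "Credentials Name (Client ID & Secret)": "okta-signing-cert",
    "Username Attribute Name": "email", "Email Attribute Name": "email",
    "Name Attribute Name": "displayName", "Role/Group Attribute Name": "mftRole",
    # "Role/Group Delimiter (For Single String Attributes)" deliberately omitted
}

if __name__ == "__main__":
    for label, cfg in (("OK_OIDC", OK_OIDC), ("BAD_SAML", BAD_SAML)):
        print(label, check_sso_config(cfg) or "passes")
```

Run this against a draft before typing it into the Settings page: the valid OIDC sample produces no problems, while the SAML sample reports the non-HTTPS base URL, the missing IdP SSO URL and the missing delimiter.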
Managing an SSO Provider
Viewing SSO Provider Details
To view the details of an SSO provider, follow these steps:
- From the Sidebar, click General > Settings.
- Click Single Sign-On (SSO) - Accounts.
SSO Provider Metadata
SSO provider details include all parameters given in the Field Descriptions table above, plus the following read-only metadata:
| Name | Description |
|---|---|
| UUID | Universally Unique Identifier of this SSO provider. |
| Version | Version number of the latest configuration of the SSO provider. |
| Created | Date and time this SSO provider was created. |
| Updated | Date and time this SSO provider was last updated. |
Editing SSO Provider Details
To edit the details of an SSO provider, follow these steps:
- From the Sidebar, click General > Settings.
- Click Single Sign-On (SSO) - Accounts.
- Click the Edit button above the SSO provider details.
- Edit fields for the SSO settings using the Field Descriptions table, which includes separate tabs for OIDC / OAuth 2.0 and SAML.
- Click Update.
SSO-provisioned Accounts cannot be edited at all.
Enabling/Disabling SSO
Before disabling an SSO provider, ensure that at least one Admin User with Standard authentication remains available. Otherwise, you may lose administrative access to UDMG.
SSO providers can be Enabled or Disabled to control whether they can be used for Account authentication. By default, new providers are Enabled, but their status can be changed at any time.
- Enabled (default): The provider is active and available for authenticating Accounts.
- Disabled: The provider is inactive, and Accounts associated with it will be unable to log in.
To enable or disable an SSO provider, follow these steps:
- From the Sidebar, click Configuration > Domain.
- Click Single Sign-On (SSO) - Accounts.
- Click the Enable or Disable button above the SSO provider details, depending on the current status.
Disabling an SSO provider blocks new login attempts for associated Accounts. Existing Account sessions remain active until they expire or the user logs out.
Deleting an SSO Provider
Before deleting an SSO provider, ensure that at least one Admin User with Standard authentication remains available. Otherwise, you may lose administrative access to UDMG.
Deleting an SSO provider configuration is straightforward. However, you must plan what to do with any orphaned Accounts that have already been provisioned via the provider. Those options include:
| Option | When to Choose | Result |
|---|---|---|
| Delete the Accounts | No plans to migrate to a new provider, or don't want to preserve Account records. | Accounts are removed from UDMG; if they authenticate later via an active SSO provider, they will be re-provisioned. |
| Retain as orphaned | You need the records for auditing but do not want Accounts to log in. | Accounts remain visible but cannot authenticate; even with a new provider configured, their usernames remain tied to the deprecated provider. |
To delete an SSO provider, follow these steps:
- From the Sidebar, click General > Settings.
- Click Single Sign-On (SSO) - Accounts.
- Click the Delete button above the SSO provider details.
- You will be asked to confirm the deletion. Click Continue.
Deleting an SSO provider blocks new login attempts for associated Accounts. Existing Account sessions remain active until they expire or the user logs out.
Managing SSO-Provisioned Accounts
Editing SSO-Provisioned Accounts
To edit the details of an SSO-provisioned Account, follow these steps:
- From the Sidebar, click Configuration > Accounts.
- Click the Name of the Account you want to edit.
- Click the Edit button above the Account details.
- Only the Require Two-factor Authentication (TOTP) field is editable.
- Click Save.
Deleting SSO-Provisioned Accounts
To delete an SSO-provisioned Account, follow these steps:
- From the Sidebar, click Configuration > Accounts.
- Click the Name of the Account you want to delete.
- Click the Delete button above the Account details.
- You will be asked to confirm the deletion. Click Continue.
Deleting an SSO-provisioned Account removes them from the list, but they will reappear if they authenticate again. To permanently prevent access, first remove the corresponding identity from your IdP, and optionally delete them from the Accounts list.