
SSO Integration

This guide covers the process of configuring Single Sign-On (SSO) integration for your ThinkCode enterprise deployment, including supported identity providers, configuration steps, and advanced settings.

SSO Overview

ThinkCode's enterprise deployment supports industry-standard SSO protocols to integrate with your organization's identity management system:

  • SAML 2.0
  • OpenID Connect (OIDC)
  • OAuth 2.0
  • SCIM for user provisioning

Supported Identity Providers

ThinkCode supports integration with major identity providers:

Provider          Protocols          Auto-provisioning   Group Sync
Okta              SAML, OIDC, SCIM   Yes                 Yes
Azure AD          SAML, OIDC, SCIM   Yes                 Yes
Google Workspace  SAML, OIDC         Yes                 Yes
OneLogin          SAML, OIDC, SCIM   Yes                 Yes
Auth0             SAML, OIDC         Yes                 Yes
Ping Identity     SAML, OIDC, SCIM   Yes                 Yes
JumpCloud         SAML, OIDC         Yes                 Yes
Custom SAML       SAML               No                  Limited
Custom OIDC       OIDC               No                  Limited

SSO Configuration

Accessing SSO Settings

To configure SSO for your organization:

  1. Navigate to Security & Authentication in the Organization Dashboard
  2. Select SSO Configuration
  3. Choose your identity provider or protocol

SAML Configuration

To configure SAML-based SSO:

  1. Navigate to Security & Authentication > SSO Configuration > SAML

  2. Configure SAML settings:

    • Entity ID
    • ACS URL
    • Single Logout URL
    • Certificate settings
    • Attribute mapping
  3. Download ThinkCode's SAML metadata for your IdP configuration

Example SAML configuration:

<!-- Example SAML metadata for ThinkCode -->
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="https://thinkcode.me/saml/metadata">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <AssertionConsumerService
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://thinkcode.me/api/auth/callback/saml"
      index="0" />
  </SPSSODescriptor>
</EntityDescriptor>

OpenID Connect Configuration

To configure OIDC-based SSO:

  1. Navigate to Security & Authentication > SSO Configuration > OIDC
  2. Configure OIDC settings:
    • Client ID
    • Client Secret
    • Discovery URL or Issuer URL
    • Redirect URI
    • Scope configuration
    • Claims mapping

Example OIDC configuration:

// Example OIDC configuration
{
  "clientId": "your-client-id",
  "clientSecret": "your-client-secret",
  "issuer": "https://your-identity-provider.com",
  "authorizationUrl": "https://your-identity-provider.com/oauth2/authorize",
  "tokenUrl": "https://your-identity-provider.com/oauth2/token",
  "userInfoUrl": "https://your-identity-provider.com/oauth2/userinfo",
  "scope": "openid profile email",
  "claimsMapping": {
    "id": "sub",
    "email": "email",
    "name": "name",
    "firstName": "given_name",
    "lastName": "family_name",
    "groups": "groups"
  },
  "redirectUri": "https://your-thinkcode-domain.com/api/auth/callback/oidc"
}

Provider-Specific Configuration

Okta Integration

Configure ThinkCode with Okta:

  1. In Okta Admin Console:

    • Add a new application
    • Choose SAML 2.0 or OIDC
    • Configure with ThinkCode's metadata or redirect URIs
    • Set up attribute statements or claims
    • Assign users and groups
  2. In ThinkCode:

    • Navigate to Security & Authentication > SSO Configuration > Okta
    • Enter Okta domain
    • Upload Okta metadata XML or configure OIDC settings
    • Map attributes to ThinkCode user properties
    • Configure group mapping

Azure AD Integration

Configure ThinkCode with Azure AD:

  1. In Azure Portal:

    • Register a new application
    • Configure SAML or OIDC settings
    • Set up reply URLs
    • Configure claims
    • Assign users and groups
  2. In ThinkCode:

    • Navigate to Security & Authentication > SSO Configuration > Azure AD
    • Enter Tenant ID
    • Configure application ID and secret
    • Upload certificate or configure OIDC settings
    • Map claims to ThinkCode user properties
    • Configure group mapping

Google Workspace Integration

Configure ThinkCode with Google Workspace:

  1. In Google Admin Console:

    • Add a new SAML application or OAuth client
    • Configure with ThinkCode's metadata or redirect URIs
    • Set up attribute mapping
    • Assign users and groups
  2. In ThinkCode:

    • Navigate to Security & Authentication > SSO Configuration > Google Workspace
    • Enter Google Workspace domain
    • Configure OAuth client ID and secret or SAML settings
    • Map attributes to ThinkCode user properties
    • Configure group mapping

Advanced SSO Configuration

User Attribute Mapping

Configure how identity provider attributes map to ThinkCode user properties:

  1. Navigate to Security & Authentication > SSO Configuration > Attribute Mapping
  2. Configure attribute mapping:
    • User identifier (email, username, etc.)
    • Name attributes
    • Role attributes
    • Group membership
    • Custom attributes

Example attribute mapping:

// Example attribute mapping configuration
{
  "userIdentifier": {
    "source": "email",
    "required": true
  },
  "profile": {
    "firstName": {
      "source": "given_name",
      "required": true
    },
    "lastName": {
      "source": "family_name",
      "required": true
    },
    "displayName": {
      "source": "name",
      "required": false
    },
    "avatarUrl": {
      "source": "picture",
      "required": false
    }
  },
  "roles": {
    "source": "roles",
    "defaultRole": "user",
    "mapping": {
      "admin": "administrator",
      "dev": "developer",
      "manager": "team_manager"
    }
  },
  "customAttributes": [
    {
      "source": "department",
      "target": "department",
      "required": false
    },
    {
      "source": "jobTitle",
      "target": "title",
      "required": false
    }
  ]
}
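The following is an added example (not ThinkCode's own code) showing how a mapping of the shape above, or the simpler OIDC claimsMapping earlier on this page, is applied to the attributes an IdP actually sends; the config, the claims and the function names are constructed for illustration, and the point is the failure handling: a missing required attribute rejects the login, and an unmapped role name never grants more than defaultRole.

```python
from typing import Any, Dict

# Constructed config with the same shape as the example attribute mapping above.
ATTRIBUTE_MAPPING = {
    "userIdentifier": {"source": "email", "required": True},
    "profile": {
        "firstName": {"source": "given_name", "required": True},
        "lastName": {"source": "family_name", "required": True},
        "displayName": {"source": "name", "required": False},
    },
    "roles": {"source": "roles", "defaultRole": "user",
              "mapping": {"admin": "administrator", "dev": "developer"}},
    "customAttributes": [
        {"source": "department", "target": "department", "required": False},
    ],
}


class MappingError(ValueError):
    """A required attribute is missing from the IdP claims: reject the login."""


def _pick(claims: Dict[str, Any], spec: Dict[str, Any], label: str) -> Any:
    value = claims.get(spec["source"])
    if value in (None, "") and spec.get("required", False):
        raise MappingError(f"required attribute '{label}' ({spec['source']}) missing")
    return value


def map_user(config: Dict[str, Any], claims: Dict[str, Any]) -> Dict[str, Any]:
    """Build a ThinkCode user record from IdP claims (SAML attributes or OIDC claims)."""
    user = {"id": _pick(claims, config["userIdentifier"], "userIdentifier")}
    user["profile"] = {k: _pick(claims, s, k) for k, s in config["profile"].items()}
    # Roles: only IdP role names present in "mapping" are honoured. Anything
    # else, including an absent claim, falls back to defaultRole, so a role the
    # IdP sends but nobody mapped can never grant elevated access.
    rc = config["roles"]
    raw = claims.get(rc["source"]) or []
    raw = [raw] if isinstance(raw, str) else raw
    mapped = sorted({rc["mapping"][r] for r in raw if r in rc["mapping"]})
    user["roles"] = mapped or [rc["defaultRole"]]
    user["attributes"] = {}
    for spec in config.get("customAttributes", []):
        value = _pick(claims, spec, spec["target"])
        if value is not None:
            user["attributes"][spec["target"]] = value
    return user
```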

Group Synchronization

Configure group synchronization between your identity provider and ThinkCode:

  1. Navigate to Security & Authentication > SSO Configuration > Group Sync
  2. Configure group mapping:
    • Map IdP groups to ThinkCode teams
    • Configure group attribute format
    • Set up group membership rules
    • Configure sync frequency

Example group mapping:

// Example group mapping configuration
{
  "groupAttribute": "groups",
  "groupFormat": "name",
  "caseSensitive": false,
  "mappings": [
    {
      "sourceGroup": "engineering",
      "targetTeam": "Engineering",
      "roleInTeam": "member"
    },
    {
      "sourceGroup": "engineering-leads",
      "targetTeam": "Engineering",
      "roleInTeam": "lead"
    },
    {
      "sourceGroup": "product-team",
      "targetTeam": "Product",
      "roleInTeam": "member"
    }
  ],
  "defaultTeam": "General",
  "syncSchedule": "hourly"
}

Just-in-Time Provisioning

Configure just-in-time user provisioning:

  1. Navigate to Security & Authentication > SSO Configuration > JIT Provisioning
  2. Configure JIT settings:
    • Enable/disable JIT provisioning
    • Default user settings
    • Required attributes
    • Auto-assignment rules

Example JIT configuration:

// Example JIT provisioning configuration
{
  "enabled": true,
  "requiredAttributes": ["email", "name"],
  "defaultSettings": {
    "role": "user",
    "aiCapabilities": "standard",
    "licenseType": "standard"
  },
  "autoAssignment": {
    "enabled": true,
    "rules": [
      {
        "attribute": "department",
        "value": "Engineering",
        "team": "Engineering",
        "role": "developer"
      },
      {
        "attribute": "department",
        "value": "Design",
        "team": "Design",
        "role": "designer"
      }
    ]
  },
  "notifyAdmins": true
}
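As an added example (not ThinkCode's code) covering both the Group Synchronization mapping and the JIT provisioning config above, this resolves a new user's teams from the IdP's group claim (case-insensitively, as caseSensitive: false requires) and from the JIT autoAssignment rules, falls back to defaultTeam when nothing matches, and refuses claims that lack a required attribute; the configs, the ROLE_RANK precedence table and the function names are assumptions for illustration.

```python
from typing import Any, Dict

# Constructed configs with the same shape as the group mapping and JIT examples above.
GROUP_SYNC = {
    "groupAttribute": "groups", "caseSensitive": False, "defaultTeam": "General",
    "mappings": [
        {"sourceGroup": "engineering", "targetTeam": "Engineering", "roleInTeam": "member"},
        {"sourceGroup": "engineering-leads", "targetTeam": "Engineering", "roleInTeam": "lead"},
    ],
}
JIT = {
    "enabled": True,
    "requiredAttributes": ["email", "name"],
    "defaultSettings": {"role": "user", "licenseType": "standard"},
    "autoAssignment": {"enabled": True, "rules": [
        {"attribute": "department", "value": "Design", "team": "Design", "role": "designer"},
    ]},
}
# Assumed precedence when several mappings put one user in the same team.
ROLE_RANK = {"member": 0, "designer": 0, "developer": 1, "lead": 2}

def _assign(teams: Dict[str, str], team: str, role: str) -> None:
    if ROLE_RANK.get(role, 0) >= ROLE_RANK.get(teams.get(team, ""), -1):
        teams[team] = role

def resolve_teams(group_cfg, jit_cfg, claims) -> Dict[str, str]:
    """Return {team: role} from IdP groups plus JIT auto-assignment rules;
    a user matching nothing lands in defaultTeam as a plain member."""
    cs = group_cfg["caseSensitive"]
    norm = (lambda g: g) if cs else str.casefold
    groups = {norm(g) for g in claims.get(group_cfg["groupAttribute"], [])}
    teams: Dict[str, str] = {}
    for m in group_cfg["mappings"]:
        if norm(m["sourceGroup"]) in groups:
            _assign(teams, m["targetTeam"], m["roleInTeam"])
    if jit_cfg["autoAssignment"]["enabled"]:
        for rule in jit_cfg["autoAssignment"]["rules"]:
            if claims.get(rule["attribute"]) == rule["value"]:
                _assign(teams, rule["team"], rule["role"])
    return teams or {group_cfg["defaultTeam"]: "member"}

def provision_user(jit_cfg, group_cfg, claims) -> Dict[str, Any]:
    """JIT-create a user record; claims lacking a required attribute are refused."""
    if not jit_cfg["enabled"]:
        raise PermissionError("JIT provisioning disabled: user must exist already")
    missing = [a for a in jit_cfg["requiredAttributes"] if not claims.get(a)]
    if missing:
        raise ValueError(f"missing required attributes: {missing}")
    return {**jit_cfg["defaultSettings"], "email": claims["email"],
            "teams": resolve_teams(group_cfg, jit_cfg, claims)}
```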

SCIM Provisioning

Configure SCIM for automated user provisioning:

  1. Navigate to Security & Authentication > SSO Configuration > SCIM

  2. Configure SCIM settings:

    • SCIM endpoint URL
    • Authentication token
    • Attribute mapping
    • Group mapping
  3. Configure your identity provider with ThinkCode's SCIM details

Example SCIM configuration:

// Example SCIM configuration
{
  "enabled": true,
  "endpointUrl": "https://your-thinkcode-domain.com/api/scim/v2",
  "authenticationMethod": "bearer",
  "attributeMapping": {
    "userName": "email",
    "name.givenName": "firstName",
    "name.familyName": "lastName",
    "displayName": "displayName",
    "emails[type eq \"work\"].value": "email",
    "groups": "teams"
  },
  "operations": {
    "createUser": true,
    "updateUser": true,
    "deleteUser": true,
    "groupOperations": true
  }
}
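An added example (not ThinkCode's code) of what the SCIM attributeMapping above means on the wire: it resolves SCIM attribute paths, including the filtered multi-valued form emails[type eq "work"].value, against a SCIM User resource as an IdP would POST it, and maps them onto ThinkCode fields; the mapping copy, the sample resource and the function names are constructed for illustration.

```python
import re
from typing import Any, Dict

# Constructed mapping with the same shape as the example SCIM attributeMapping
# above: SCIM attribute path -> ThinkCode user field.
SCIM_ATTRIBUTE_MAPPING = {
    "userName": "email",
    "name.givenName": "firstName",
    "name.familyName": "lastName",
    'emails[type eq "work"].value': "email",
    "groups": "teams",
}

# A single attr[sub eq "value"] filter segment, the only filter form used above.
_FILTER = re.compile(r'^(\w+)\[(\w+) eq "([^"]*)"\]$')


def resolve_path(resource: Dict[str, Any], path: str) -> Any:
    """Resolve a SCIM path such as name.givenName or emails[type eq "work"].value
    against a SCIM resource; returns None when any segment is absent."""
    current: Any = resource
    for segment in path.split("."):
        if not isinstance(current, dict):
            return None
        m = _FILTER.match(segment)
        if m:  # multi-valued attribute: first element whose sub-attribute matches
            attr, key, wanted = m.groups()
            current = next((e for e in current.get(attr, []) if e.get(key) == wanted), None)
        else:
            current = current.get(segment)
    return current


def scim_to_user(mapping: Dict[str, str], resource: Dict[str, Any]) -> Dict[str, Any]:
    """Apply the mapping in order: a later path for the same field (the filtered
    work e-mail) overrides an earlier one (userName) only when it is present."""
    user: Dict[str, Any] = {}
    for scim_path, field in mapping.items():
        value = resolve_path(resource, scim_path)
        if value is not None:
            user[field] = value
    if isinstance(user.get("teams"), list):  # SCIM groups are {value, display} refs
        user["teams"] = [g.get("display") or g.get("value") for g in user["teams"]]
    return user
```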

Multi-Factor Authentication

MFA Configuration

Configure multi-factor authentication:

  1. Navigate to Security & Authentication > MFA
  2. Configure MFA settings:
    • MFA enforcement policy
    • Supported MFA methods
    • Challenge frequency
    • Trusted devices policy

Example MFA configuration:

// Example MFA configuration
{
  "enforcementPolicy": "required",
  "exemptGroups": ["service-accounts"],
  "methods": {
    "totp": true,
    "sms": true,
    "email": true,
    "webauthn": true
  },
  "challengeFrequency": {
    "newDevice": true,
    "newLocation": true,
    "periodically": "30days"
  },
  "trustedDevices": {
    "enabled": true,
    "maxDevices": 5,
    "expirationDays": 90
  },
  "rememberDevice": {
    "enabled": true,
    "duration": "30days"
  }
}

IdP-Managed MFA

Configure MFA through your identity provider:

  1. Navigate to Security & Authentication > SSO Configuration > Advanced
  2. Configure IdP MFA settings:
    • Trust IdP MFA assertion
    • MFA context verification
    • Fallback policy

Session Management

Session Configuration

Configure session management:

  1. Navigate to Security & Authentication > Session Management
  2. Configure session settings:
    • Session duration
    • Idle timeout
    • Concurrent session policy
    • Session revocation policy

Example session configuration:

// Example session configuration
{
  "sessionDuration": "8hours",
  "idleTimeout": "30minutes",
  "extendSessionOnActivity": true,
  "concurrentSessions": {
    "limit": 5,
    "notifyOnNewLogin": true,
    "enforceLimit": true
  },
  "revocationPolicy": {
    "onPasswordChange": true,
    "onRoleChange": true,
    "onSuspicion": true
  }
}

Single Logout

Configure single logout:

  1. Navigate to Security & Authentication > SSO Configuration > Single Logout
  2. Configure SLO settings:
    • Enable/disable SLO
    • SLO endpoint URL
    • SLO response URL
    • SLO binding

Security Policies

Authentication Policies

Configure authentication policies:

  1. Navigate to Security & Authentication > Policies
  2. Configure authentication policies:
    • Password policies
    • Account lockout policies
    • IP restriction policies
    • Device trust policies

Example authentication policy:

// Example authentication policy
{
  "passwordPolicy": {
    "minLength": 12,
    "requireUppercase": true,
    "requireLowercase": true,
    "requireNumbers": true,
    "requireSpecialChars": true,
    "preventPasswordReuse": 10,
    "expirationDays": 90
  },
  "accountLockout": {
    "maxAttempts": 5,
    "lockoutDuration": "30minutes",
    "resetCounterAfter": "15minutes"
  },
  "ipRestrictions": {
    "enabled": true,
    "allowedIPs": ["192.168.1.0/24", "10.0.0.0/8"],
    "allowedCountries": ["US", "CA", "UK"]
  }
}
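The accountLockout section above describes a small state machine; the following added example (not ThinkCode's code) implements it so the interplay of maxAttempts, lockoutDuration and resetCounterAfter is explicit, including that a correct password during the lockout window is still refused. Times are epoch seconds, and the policy copy, parse_duration and LockoutTracker are constructed for illustration.

```python
import re

# Constructed policy with the same shape as the accountLockout section above.
POLICY = {"accountLockout": {"maxAttempts": 5, "lockoutDuration": "30minutes",
                             "resetCounterAfter": "15minutes"}}

_SECONDS = {"minutes": 60, "hours": 3600, "days": 86400}


def parse_duration(text: str) -> int:
    """Turn the page's "30minutes" / "8hours" / "90days" strings into seconds."""
    m = re.fullmatch(r"(\d+)(minutes|hours|days)", text)
    if not m:
        raise ValueError(f"unsupported duration: {text}")
    return int(m.group(1)) * _SECONDS[m.group(2)]


class LockoutTracker:
    """Failed-login counter for one account; all times are epoch seconds."""

    def __init__(self, policy):
        c = policy["accountLockout"]
        self.max_attempts = c["maxAttempts"]
        self.lockout = parse_duration(c["lockoutDuration"])
        self.reset_after = parse_duration(c["resetCounterAfter"])
        self.failures, self.last_failure, self.locked_until = 0, None, None

    def is_locked(self, now: float) -> bool:
        return self.locked_until is not None and now < self.locked_until

    def record_failure(self, now: float) -> bool:
        """Register a failed attempt; return True if the account is (now) locked."""
        if self.is_locked(now):
            return True
        # A quiet period longer than resetCounterAfter forgets earlier failures.
        if self.last_failure is not None and now - self.last_failure > self.reset_after:
            self.failures = 0
        self.failures, self.last_failure = self.failures + 1, now
        if self.failures >= self.max_attempts:
            self.locked_until, self.failures = now + self.lockout, 0
            return True
        return False

    def record_success(self, now: float) -> bool:
        """A correct password while locked is still refused; otherwise reset."""
        if self.is_locked(now):
            return False
        self.failures, self.last_failure = 0, None
        return True
```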

Conditional Access

Configure conditional access policies:

  1. Navigate to Security & Authentication > Conditional Access
  2. Configure conditional access rules:
    • Location-based access
    • Device-based access
    • Time-based access
    • Risk-based access

Example conditional access configuration:

// Example conditional access configuration
{
  "enabled": true,
  "rules": [
    {
      "name": "Require MFA from unknown locations",
      "conditions": {
        "locations": {
          "type": "notTrusted"
        }
      },
      "controls": {
        "requireMFA": true
      }
    },
    {
      "name": "Block access outside business hours",
      "conditions": {
        "timeWindows": {
          "outside": [
            {
              "days": ["monday", "tuesday", "wednesday", "thursday", "friday"],
              "startTime": "08:00",
              "endTime": "18:00",
              "timezone": "America/New_York"
            }
          ]
        },
        "userGroups": {
          "exclude": ["emergency-access"]
        }
      },
      "controls": {
        "blockAccess": true
      }
    }
  ]
}
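As an added example (not ThinkCode's code) of how rules of the shape above are evaluated, this checks a sign-in context against both rules: the "notTrusted" location condition, the business-hours window evaluated in the window's own timezone (so a Monday 03:00 UTC sign-in is still Sunday evening in New York and gets blocked), and the emergency-access exclusion; the rule copy, the sign-in context keys and the function names are assumptions for illustration.

```python
from datetime import datetime, timezone
from typing import Any, Dict
from zoneinfo import ZoneInfo

# Constructed rules with the same shape as the example conditional access config.
BUSINESS_HOURS = {"days": ["monday", "tuesday", "wednesday", "thursday", "friday"],
                  "startTime": "08:00", "endTime": "18:00", "timezone": "America/New_York"}
CONDITIONAL_ACCESS = {"enabled": True, "rules": [
    {"name": "Require MFA from unknown locations",
     "conditions": {"locations": {"type": "notTrusted"}},
     "controls": {"requireMFA": True}},
    {"name": "Block access outside business hours",
     "conditions": {"timeWindows": {"outside": [BUSINESS_HOURS]},
                    "userGroups": {"exclude": ["emergency-access"]}},
     "controls": {"blockAccess": True}},
]}

def utc(*ymdhm: int) -> datetime:
    """Helper for building aware UTC timestamps for the sign-in context."""
    return datetime(*ymdhm, tzinfo=timezone.utc)

def in_window(now: datetime, w: Dict[str, Any]) -> bool:
    """True if 'now' falls inside the window, evaluated in the window's own zone."""
    local = now.astimezone(ZoneInfo(w["timezone"]))
    return (local.strftime("%A").lower() in w["days"]
            and w["startTime"] <= local.strftime("%H:%M") < w["endTime"])

def rule_matches(conditions: Dict[str, Any], ctx: Dict[str, Any]) -> bool:
    loc = conditions.get("locations")
    if loc and loc["type"] == "notTrusted" and ctx["trusted_location"]:
        return False
    tw = conditions.get("timeWindows")
    if tw and any(in_window(ctx["now"], w) for w in tw["outside"]):
        return False  # inside business hours, so the "outside" condition fails
    ug = conditions.get("userGroups")
    if ug and set(ug.get("exclude", [])) & set(ctx["groups"]):
        return False
    return True

def evaluate(config: Dict[str, Any], ctx: Dict[str, Any]) -> Dict[str, Any]:
    """Combine the controls of every matching rule; any blockAccess wins."""
    decision: Dict[str, Any] = {"blockAccess": False, "requireMFA": False, "matched": []}
    if config["enabled"]:
        for rule in config["rules"]:
            if rule_matches(rule["conditions"], ctx):
                decision["matched"].append(rule["name"])
                for control, value in rule["controls"].items():
                    decision[control] = decision.get(control, False) or value
    return decision
```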

Troubleshooting

SSO Testing

Test your SSO configuration:

  1. Navigate to Security & Authentication > SSO Configuration > Test
  2. Use the testing tools:
    • Initiate test login
    • Validate attribute mapping
    • Test group synchronization
    • Verify MFA flow

Common Issues

Solutions for common SSO issues:

  1. Authentication Failures:

    • Verify certificate expiration
    • Check clock synchronization
    • Validate attribute mapping
    • Review IdP logs
  2. User Provisioning Issues:

    • Verify required attributes
    • Check SCIM endpoint configuration
    • Validate group mapping
    • Review provisioning logs
  3. Session Management Issues:

    • Check session duration settings
    • Verify SLO configuration
    • Review browser cookie settings
    • Check for cross-domain issues

Best Practices for SSO Integration

  • Test thoroughly: Validate SSO configuration in a test environment before production
  • Plan for fallback: Configure alternative authentication methods for emergencies
  • Monitor authentication: Set up alerts for authentication failures and suspicious activities
  • Regular reviews: Periodically review SSO configuration and security policies
  • Document configuration: Maintain detailed documentation of your SSO setup
  • User training: Provide clear instructions for users on the SSO login process
  • Coordinate changes: Align IdP changes with ThinkCode SSO configuration updates

Next Steps

After configuring SSO integration:

For additional assistance, contact ThinkCode Enterprise Support or schedule a consultation with our enterprise solutions team.