Setting up single sign-on (SSO)

      Last updated August 26, 2020

    If your company uses an identity provider (IdP) like Okta or OneLogin to manage user authentication, you can enable Fastly's single sign-on (SSO) feature to either allow or require your organization's users to sign in to the Fastly web interface using the IdP instead of an email address and password.

    Prerequisites

    To enable SSO or require that it be applied to all of your organization’s users when they log in to the Fastly web interface, you must:

    In addition, your IdP must support:

    You should also review this feature's limitations before enabling SSO.

    Configuring your IdP's SAML configurations

    Start by selecting an IdP and configuring that provider's settings, keeping in mind the prerequisites. You'll need to retrieve a metadata file containing your IdP's SAML configuration for use in the Fastly web interface:

    1. Log in to the Fastly web interface and click the Account link from the user menu. Your account information appears.
    2. Click the Single sign-on link. The Single sign-on page appears.
    3. Click the appropriate button to select your organization's IdP.

      [Image: the sections of the SSO page that allow you to select your identity provider and configure your IdP]

    4. Using the configuration details that appear in the Fastly web interface, create a new SAML 2.0 application in your IdP's administration console and assign the application to new and existing users. Refer to your IdP's documentation for more information.
    5. After creating the SAML 2.0 application in your IdP, download the XML metadata file with your application’s SAML configuration. The XML file includes a public certificate used to verify the signature of SAML assertions.
    6. Upload your IdP metadata file. You can do this by dragging and dropping the file into the area provided or by browsing for the file and uploading it.

      [Image: the IdP metadata box]

    7. Click the Save Metadata button. Your metadata will be saved and the SSO controls will indicate SSO is ready to be enabled.

    Enabling SSO and potentially requiring it for your organization

    To enable SSO for your organization and potentially require it for everyone, follow one of these sets of instructions.

    [Image: the "SSO is ready" control and the "Force SSO" control on the Single sign-on page in the account settings, both in the off position]

    If SSO is not yet enabled for your organization

    1. Follow the SAML configuration steps.
    2. Below the SSO Setup controls on the Single sign-on page, click the SSO is ready switch. A confirmation window appears.
    3. In the confirmation window, optionally click the Force SSO switch if you plan to require SSO via IdP for everyone in your organization.

    4. Click the Proceed button. SSO will be enabled for your organization. If you've required SSO, currently open sessions for users assigned the role of user, billing, or engineer will be logged out and they will need to re-authenticate using SSO via your IdP.

    If SSO is already enabled but not yet required for your organization

    1. Log in to the Fastly web interface and click the Account link from the user menu. Your account information appears.
    2. Click the Single sign-on link. The Single sign-on page appears.
    3. Click the Force SSO switch to require SSO via IdP for everyone in your organization.
    4. Click the Proceed button to require SSO via IdP globally for your organization. Currently open sessions for users assigned the role of user, billing, or engineer will be logged out and they will need to re-authenticate using SSO via your IdP.

    Performing account tasks differently with SSO enabled

    If your organization has enabled SSO, you may notice different feature availability in the Fastly web interface. This section describes the differences.

    Disabling SSO

    To disable SSO for your organization, follow these instructions. Disabling SSO won't delete your SSO settings. You can re-enable SSO at any point using the same IdP configuration metadata you uploaded when you first enabled SSO.

    1. Log in to the Fastly web interface and click the Account link from the user menu. Your account information appears.
    2. Click the Single sign-on link. The Single sign-on page appears.

      [Image: the "SSO is enabled" control and the "Force SSO" control on the Single sign-on page in the account settings]

    3. Click the SSO is enabled switch to disable SSO for your organization. A confirmation message appears.
    4. In the confirmation window, click the Disable SSO button. SSO will be disabled and will not be required for your organization's users. All active SSO sessions will expire, including your own, and users will automatically be logged out of the Fastly web interface.

    Temporarily disabling SSO

    If your SSO provider experiences an outage, you may need to temporarily disable SSO for your organization. If you've been assigned the role of superuser, log in using an email address and password, then follow the instructions to disable SSO.

    Changing SSO providers

    To change SSO providers, follow these instructions.

    1. Log in to the Fastly web interface and click the Account link from the user menu. Your account information appears.
    2. Click the SSO is enabled switch to disable SSO for your organization. A confirmation message appears.
    3. Click the Disable SSO button.

    4. Click Change SSO provider. A confirmation message appears.
    5. Click Confirm and Delete to confirm you want to change providers by deleting your IdP metadata file.
    6. Follow the instructions in the enabling SSO section.

    Limitations

    Fastly's SSO feature has the following limitations:
