Setting up single sign-on (SSO)
Last updated 2024-10-07
If your company uses an identity provider (IdP) like Okta or OneLogin to manage user authentication, you can enable Fastly's single sign-on (SSO) feature to either allow or require your organization's users to sign in to the Fastly web interface using the IdP instead of an email address and password.
TIP
You can set up SSO for Signal Sciences accounts too. Check out our enablement guide for details.
Prerequisites
To enable SSO or require that it be applied to all of your organization’s users when they log in to the Fastly web interface, you must:
- be assigned the role of superuser for your Fastly account
- have access to your IdP’s administration console
In addition, your IdP must support:
- Security Assertion Markup Language 2.0 (SAML 2.0)
- Service Provider (SP) initiated SSO
- IdP-initiated SSO
You should also review this feature's limitations before enabling SSO.
IMPORTANT
If you build a custom SAML application using Okta as your IdP, you must enable the configuration option "Honor Force Authentication" in Okta. If you are using a pre-built application in the Okta Application Network, the setting remains static. Read more about this requirement in Okta's configuration documentation.
Enabling SSO
Start by selecting an IdP and configuring that provider’s settings, keeping in mind the prerequisites. You'll need to retrieve a metadata file containing your IdP's SAML configuration for use in the Fastly web interface:
- Log in to the Fastly web interface.
- Go to Account > Single sign-on.
- Click Add SAML Configuration.
- From the Identity provider menu, select your organization's IdP.
- Using the configuration details that appear in the Fastly web interface, create a new SAML 2.0 application in your IdP's administration console and assign the application to new and existing users. Refer to your IdP's documentation for more information.
- After creating the SAML 2.0 application in your IdP, download the XML metadata file with your application’s SAML configuration. The XML file includes a public certificate used to verify the signature of SAML assertions.
- Upload your IdP metadata file. You can do this by dragging and dropping the file into the area provided or by browsing for the file and uploading it.
- Click Save and Enable SSO.
- In the confirmation window, click Save and Enable SSO. Your metadata will be saved and the SSO controls will indicate that SSO is enabled.
Requiring SSO for your organization
To require SSO for everyone in your organization except superusers, follow these instructions.
- Log in to the Fastly web interface.
- Go to Account > Single sign-on.
- Select the Immediately enforce SSO checkbox that appears below the SAML configuration switch.
- In the confirmation window, click Start enforcing SSO. Currently open non-SSO sessions for users assigned the role of user, billing, or engineer will be logged out and they will need to re-authenticate using SSO via your IdP.
NOTE
Users who have been assigned the role of superuser can always log in with their email address and password, whether or not Single sign-on is enabled.
Performing account tasks differently with SSO enabled
If your organization has enabled SSO, you may notice different feature availability in the Fastly web interface. This section describes the differences.
Changing your email address and password. Because SSO requires user email addresses in Fastly to match those in the IdP, you won't be able to change your email address while logged in using SSO. You also won't be able to modify your password or enable two-factor authentication.
Creating an API token. To create an API token while logged in to the Fastly web interface using SSO, you'll need to reauthenticate with your IdP. Follow the instructions for creating an API token and click the Re-Authenticate button on the Create a Token page.
NOTE
You can't create API tokens when using G Suite for authentication.
Managing sessions. Sessions created by logging in to the Fastly web interface using SSO or with a username and password expire after 3 hours.
Changing SSO providers
To change SSO providers, follow these instructions.
WARNING
Disabling the SSO feature for your organization will expire all active SSO sessions, including your own. Users will automatically be logged out of the Fastly web interface.
- Log in to the Fastly web interface.
- Go to Account > Single sign-on.
- From the Options menu, select Upload new SAML configuration.
- In the confirmation window, click Continue to delete your existing SAML configuration.
- Follow the instructions in the enabling SSO section.
Disabling SSO
To disable SSO for your organization, either permanently or temporarily (e.g., your SSO provider is experiencing an outage), follow these instructions. Disabling SSO won't delete your SSO settings and you can re-enable SSO at any point using the same IdP configuration metadata you uploaded when you first enabled SSO.
WARNING
Disabling the SSO feature for your organization, even temporarily, will expire all active SSO sessions, including your own, and will automatically log users out of the Fastly web interface.
- Log in to the Fastly web interface.
- Go to Account > Single sign-on.
- Click the Single sign-on switch to disable SSO for your organization.
- In the confirmation window, click Disable SSO. SSO will be disabled and will not be required for your organization's users. All active SSO sessions will expire, including your own, and users will automatically be logged out of the Fastly web interface.
Limitations and considerations
Fastly's SSO feature has the following limitations:
- Users cannot create API tokens from the Fastly web interface when using G Suite SSO for a session's authentication.
- Fastly does not support automatic provisioning and de-provisioning of users using SCIM for Fastly accounts. To enable SCIM for your Signal Sciences account, check out our guide to automating user management.
Also, keep in mind that the SHA-1 cryptographic algorithm has been retired by the National Institute of Standards and Technology (NIST), which recommends upgrading to more advanced and secure replacements such as those from the SHA-2 family of hash functions, like SHA-256. Consider using or upgrading to these more advanced algorithms for SAML certificate signing for SSO setup in advance of the NIST-recommended phase-out deadline.