
Single Sign-On

Overview

You may configure your account to use one or more Single Sign-On (SSO) Identity Providers (IdPs). Once enabled, users can use the IdP to log into your ngrok dashboard. You may also configure enforcement settings to require that users use SSO to log into your ngrok account.

Once you have configured SSO, you may also enable SCIM to automate user provisioning of your ngrok account.

Set up SSO on the Account Settings page of your ngrok dashboard.

Supported Providers

ngrok supports identity providers that implement either SAML or OpenID Connect for SSO, including Okta and Microsoft Azure AD.

Enforcement

Your account sets an SSO Enforcement policy which controls whether users are required to log in with SSO.

Mixed Mode: In mixed mode, users who existed on your account before you set up SSO may continue using their existing credentials to log in. All new users will be required to use SSO.

SSO Enforced: In SSO enforced mode, all users must use your SSO IdP to log in and their existing credentials will no longer allow them to log into your account.

Keep in mind that after you add an IdP, your account is still in Mixed Mode and users can continue to log in with their previous credentials. Once you are confident that your SSO integration is configured correctly, you can switch to SSO Enforced mode. This helps you avoid inadvertently locking yourself or your users out of the account.

IdP-Initiated Login

ngrok supports IdP-initiated login flows for SAML IdPs. An IdP-initiated login flow is one in which users can log into your ngrok account by clicking on a link in your IdP's dashboard.

You may enable IdP-initiated login on a per-IdP basis. The OpenID Connect protocol does not support IdP-initiated login, so it is not available for IdPs you connect that way.

User Provisioning

When using SSO, you may configure how users are provisioned and deprovisioned from your ngrok account. You may configure your account to provision users in one of three modes:

  • Explicitly invited by an existing member of your account
  • Just-in-time (JiT) provisioned after they successfully log in with SSO
  • Managed via your IdP's SCIM integration

It is recommended that you choose either JiT or SCIM. See User Provisioning for more details.

Multiple IdPs

You may configure multiple IdPs to use for SSO. If you do, when a user tries to log in, they will be presented with a choice of which provider to use to log in. The description provided when configuring the IdP in your account will be displayed to the user here and can be used to distinguish similar providers.

SCIM

ngrok supports a limited subset of RFC 7644 to enable SCIM provisioning and deprovisioning. ngrok's SCIM implementation works with major IdPs like Okta and Azure AD.

ngrok's SCIM API Base URL is:

https://api.ngrok.com/scim/v2/

Your IdP will authenticate to ngrok's SCIM API with API Keys like any other ngrok API client.

If you use API IP Restrictions with SCIM, ensure that your IdP's SCIM client IPs are allowed.

ngrok does not support SCIM provisioning of users with passwords for authentication. For that reason, you must first configure an SSO Identity Provider before you can configure a SCIM integration.

ngrok's SCIM implementation is limited to the operations necessary to support user provisioning and deprovisioning. For instance, it does not implement bulk operations, change password behavior, sorting or ETags. It does not support Groups.

ngrok's SCIM implementation supports three properties on the User schema: userName, displayName, and active. The userName property must be mapped to a user's email address. The active property can be used to control whether a user is disabled. displayName should be mapped to a user's full name.

Consult the SCIM Provisioning documentation for additional details on how users are provisioned with SCIM.
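
A pre-flight check for the attribute mapping described above, as an added example that is not part of ngrok's documentation or code: it lints a SCIM User resource, as an IdP would send it, against the constraints stated in this section. The function name, severity labels and sample payloads are assumptions made for the illustration; the schema URN is the core User URN from RFC 7643.

```python
import re

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"  # RFC 7643 core User URN
SUPPORTED = {"userName", "displayName", "active"}           # the three properties listed above
ENVELOPE = {"schemas", "id", "externalId", "meta"}          # RFC 7643 common attributes
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")        # shape check only, not full RFC 5322


def lint_scim_user(resource):
    """Return (severity, message) findings for one SCIM User resource (hypothetical helper)."""
    findings = []
    if USER_SCHEMA not in resource.get("schemas", []):
        findings.append(("error", "schemas does not include the core User URN"))
    user_name = resource.get("userName")
    if not isinstance(user_name, str) or not EMAIL_RE.match(user_name):
        findings.append(("error", "userName must be mapped to the user's email address"))
    if not resource.get("displayName"):
        findings.append(("warn", "displayName is empty; map it to the user's full name"))
    # Some mappings emit "true"/"false" strings; only a JSON boolean is checked as valid here.
    if "active" in resource and not isinstance(resource["active"], bool):
        findings.append(("error", "active must be a JSON boolean, got %r" % (resource["active"],)))
    if "password" in resource:
        findings.append(("error", "password provisioning is not supported; users log in via SSO"))
    if "groups" in resource:
        findings.append(("warn", "Groups are not supported by this SCIM implementation"))
    for key in sorted(set(resource) - SUPPORTED - ENVELOPE - {"password", "groups"}):
        findings.append(("info", "%s is outside the supported User properties" % key))
    return findings


# Constructed sample payloads (not captured from a real IdP).
GOOD = {"schemas": [USER_SCHEMA], "userName": "alice@example.com",
        "displayName": "Alice Example", "active": True}
BAD = {"schemas": [USER_SCHEMA], "userName": "alice", "displayName": "",
       "active": "false", "password": "x", "groups": [], "title": "SRE"}

if __name__ == "__main__":
    for name, payload in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, lint_scim_user(payload) or "ok")
```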

Pricing

Dashboard Single Sign-On is available on the Enterprise plan.

Contact us for SCIM availability.