Single Sign-On (SSO)

This topic explains how to set up and configure single sign-on in Rescale for your enterprise.

Single sign-on overview

Single sign-on (SSO) is a method for authenticating users where a single set of credentials can be used to log into several different applications. This is especially useful in a corporate setting, when you want your employees to be able to access a variety of applications using their company credentials.

Rescale Support of SSO

SSO authentication is available in all Organizations.

Setting Up Single Sign-On

Getting Started with Single Sign-On

You must be an Organization Administrator in order to set up single sign-on.

Note: SSO with Rescale applies at the Organization-level. All Workspaces will be able to authenticate with SSO once configured.

To configure single sign-on:

From your Organization Administration, navigate to Security, and then click on the Single Sign-On tab
Click the Configure Single Sign-On button to begin setup.

If you have configured SSO previously, click the gear icon to return to this form

It is strongly recommended that you use the Metadata exchange configuration to proceed, although you may select Manual configuration, in which case proceed to the Advanced Settings section

Metadata Exchange

Import the Rescale metadata into your identity provider (IdP) using the link provided.

If your IdP is self-hosted, your IT department will be able to assist you; if you are using a hosted service their configuration likely contains an input for this URL.

If you are required by the IdP configuration to enter fields manually, you can click Show Details here to view those data. If a field is required that you don’t see listed, contact Rescale support.

Field	Value
Entity ID	https://platform.rescale.com/sso/metadata/
Assertion Consumer Service	https://platform.rescale.com/sso/login/callback/
Sign-On URL	https://platform.rescale.com/login/
Single Logout Service	https://platform.rescale.com/sso/logout/

Paste the URL to your IdP’s metadata in the Identity Provider’s Metadata input

The location of this XML depends on your IdP’s software configuration.

Click Verify Settings to proceed.

If the URL you provided could not be loaded you may need to go back and correct it. If any of the fields are blank you must complete them, but the known fields are read-only and just for reference.

Click Attributes to proceed to the next step. Attributes are data about the user released by your IdP that allows us to set up their profile on Rescale.
(Recommended) Perform a test login in another tab by using the link provided. This will both confirm that the basic communication settings between your IdP and Rescale are correct, and show you which attributes were released to Rescale so that you can complete the rest of this step.

If the test login is successful, you will see a table of the attributes you can select from both in the tab you used to do the test login and in the form. If you don’t see an attribute that contains at least the e-mail address, your IdP will need to be configured to release one.

Select or enter an attribute name for E-Mail Address. Provide Username only if the listed conditions apply to your organization, and select a Full name attribute if one is available.
Click Policies and proceed to the Access Policy section below

Advanced Settings

Sign On Options

By defining Sign-On options, you have the added flexibility to allow the employees of your Organization to sign in with only single sign-on (SSO) or both single sign-on (SSO) and email.

Access Policy

There are two types of access policies:

Allow anyone from your organization
Only allow invited users to sign on

The Allow anyone from your organization setting allows any employee with single sign-on to join your Rescale Organization.

The Only allow invited users to sign on setting requires two conditions to be true:

Employees must first be invited to Rescale by an Admin
The Employee must have SSO configured if your Sign On Options are set to Sign on with Single Sign on only

Single Sign-On Logging

Once you’ve set up single sign-on, you can see recent sign-in successes and failures by navigating to Portal > Security, and then clicking on the Single Sign-On tab.

Once you’re there, you can view successful, failed, and incomplete logins.

LAk02assvYni9UJAB3w2UV6Rr3RBIKBE3G1vvDsykbBIcsnZs LWUQygEe7mTd80ci2jPV8nRVB0HV1lBJHa QZltWSqV rXJJntLtzpwoD6jg6cVqYw6VICn ZIvfVjH3tUa

Status Icons:

A green checkmark indicates that the login was successful
A red cross indicates that the login failed (expand for additional information)
A yellow line indicates that the logic was incomplete. In this case, someone initiated a login via SSO, redirected to the IdP, but then never redirected back to Rescale. This is not necessarily an issue, the user could have closed the tab after the IdP redirect.

In order to view detailed information of the success, failure, or incomplete login, simply click on the user to open a chronological log.

FAQ

Do you have documentation on how to set up SSO with my identity provider (IdP)?

Yes, we have documentation with select identity providers:

Logging into Rescale with a Microsoft Active Directory Identity Provider here
Microsoft Tutorial: Azure Active Directory integration with ScaleX Enterprise here

Can I use SSO in my region?

If you are located in an international region and are using one of Rescale’s international platforms, make sure to use the correct platform domain and URL. This is crucial when configuring your Azure AD SSO. Note that the Microsoft doc uses a US platform in the instructions.

After enabling SSO, will existing Rescale users still be able to log in?

Yes, existing users will continue to have access after SSO is enabled, provided they have an identical email address on Rescale and with their SSO IdP.

Can we merge accounts that are using the same email address?

No, merging accounts is not currently possible.

If the e-mail address associated with the Rescale user account does not change, after enabling SSO, will account data continue to be available?

The data and all attributes of the account will continue to be available after SSO is enabled for accounts where the email address has not changed.

Does enabling SSO affect existing API tokens?

No, existing APIApplication program interface (API) is a set of routines, pr... tokens are not impacted. They will continue to function as before.

Cookie	Duration	Description
AWSALBCORS	7 days	This cookie is managed by Amazon Web Services and is used for load balancing.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
__cf_bm	30 minutes	This cookie, set by Cloudflare, is used to support Cloudflare Bot Management.
bcookie	2 years	LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser ID.
lang	session	LinkedIn sets this cookie to remember a user's language setting.
lidc	1 day	LinkedIn sets the lidc cookie to facilitate data center selection.
player	1 year	Vimeo uses this cookie to save the user's preferences when playing embedded videos from Vimeo.

Cookie	Duration	Description
AWSALB	7 days	AWSALB is an application load balancer cookie set by Amazon Web Services to map the session to the target.
sync_active	never	This cookie is set by Vimeo and contains data on the visitor's video-content preferences, so that the website remembers parameters such as preferred volume or video quality.

Cookie	Duration	Description
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_gat_UA-32985745-1	1 minute	A variation of the _gat cookie set by Google Analytics and Google Tag Manager to allow website owners to track visitor behaviour and measure site performance. The pattern element in the name contains the unique identity number of the account or website it relates to.
_gcl_au	3 months	Provided by Google Tag Manager to experiment advertisement efficiency of websites using their services.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
CONSENT	2 years	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.
utm_campaign	past	Google Ad Services sets this cookie to store session campaign value if present.
utm_content	past	This cookie is used for storing the session content value if present.
utm_source	past	This cookie is used to record from where the visitor came to the website orginally. This information is used by the website operator to know the efficiency of their marketing.
utm_term	past	This cookie is used to record from where the visitor came to the website orginally. This information is used by the website operator to know the efficiency of their marketing.
vuid	2 years	Vimeo installs this cookie to collect tracking information by setting a unique ID to embed videos to the website.

Cookie	Duration	Description
_fbp	3 months	This cookie is set by Facebook to display advertisements when either on Facebook or on a digital platform powered by Facebook advertising, after visiting the website.
_mkto_trk	2 years	This cookie, provided by Marketo, has information (such as a unique user ID) that is used to track the user's site usage. The cookies set by Marketo are readable only by Marketo.
fr	3 months	Facebook sets this cookie to show relevant advertisements to users by tracking user behaviour across the web, on sites that have Facebook pixel or Facebook social plugin.
IDE	1 year 24 days	Google DoubleClick IDE cookies are used to store information about how the user uses the website to present them with relevant ads and according to the user profile.
personalization_id	2 years	Twitter sets this cookie to integrate and share features for social media and also store information about how the user uses the website, for tracking and targeting.
test_cookie	15 minutes	The test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies.
utm_medium	past	This cookie is used to record from where the visitor came to the website orginally. This information is used by the website operator to know the efficiency of their marketing.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt.innertube::nextId	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.

Platform Overview