FAQ: Single Sign-On (SSO)

You asked, we listened! Check out our new SSO FAQ for the latest updates. We’re still in active development, so expect even more improvements in the long term.

General SSO Support

  • What SSO providers are currently supported by Peplink ID? Peplink ID supports authentication via Google, Apple, Microsoft (including Entra ID), Okta (supports OIDC and SAML protocols) and OneLogin (supports OIDC and SAML protocols).

  • How do I request a custom SSO integration? Rather than a general solution, Peplink focuses on specific application requirements. You should create a support ticket detailing your specific requirements to initiate this process.

  • Can I use SAML with ICVA? No, ICVA does not currently support SAML.


Okta Integration

  • Does Peplink ID support Okta? Yes. Okta integration is available for enterprise organizations. Because this requires backend configuration by our engineering team, you must open a support ticket with Peplink to begin the process.

  • Where is the Okta login button? There is no “Login with Okta” button on the Peplink ID landing page. The system uses Service Provider Initiated (SP-Init) SSO:

    1. The user enters their email address on the standard Peplink ID login page.
    2. The system identifies the domain (e.g., @yourcompany.com).
    3. The user is automatically redirected to your organization’s specific Okta sign-in page.

  • How do I set up the Okta integration? Please follow these steps:

Step 1: Peplink initiates the registration of your Okta Identity Provider

Once we confirm your users’ email domain, we will begin the registration of your Okta identity provider. After registration is complete, we will provide you with the Redirect URI and the Audience / SP Issuer URI. You will need both of these when creating the client application for Peplink ID.

Step 2: Create the Application in Okta

Your organization’s Okta administrator will need to create a new Application Client for Peplink ID in your Okta Admin Console.

Step 3: Configure Redirect URIs

After Peplink registers your Okta instance as a trusted Identity Provider (IdP), our support team will provide you with two URLs: the Redirect URI and the Audience / SP Issuer URI.

Use the Redirect URI for the following Client Application SAML settings:

  1. Sign-in Redirect URI - tells Okta where to send the user after a successful login.
  2. Sign-out Redirect URI - ensures the user is properly signed out of Peplink ID when logging out.

Use the Audience / SP Issuer URI for the following SAML settings:

  1. Audience URI (SP Entity ID)
  2. SP Issuer

Step 4: Provide Initial Credentials to Peplink

Once the application is created, please share the following details in your Peplink support ticket:

  • Okta Account URL (e.g., https://yourcompany.okta.com)
  • Application Client ID
  • Metadata URI - can be found in the application’s Sign On tab

Note 1: Metadata URI is preferred. While we can build the metadata endpoint from your Okta account URL and Application Client ID, providing the Metadata URI directly is faster and more reliable.

Note 2: Allow access from Peplink servers. Some organizations restrict access to the Metadata URI by geolocation. Please ensure that our servers in the United States (US) are allowed. Without this access, users will not be redirected back to Peplink ID after a successful Okta login.

Note 3: The integration will not work until these URIs are correctly saved in your Okta console.


Microsoft Entra ID (Azure AD)

  • How do I use Microsoft Entra ID with Peplink ID? Users can use the existing “Continue with Microsoft” button. This requires creating a client application for Peplink ID within your Microsoft environment and granting permissions for Peplink ID to authenticate and access the profile scope.

  • Does ICVA support Microsoft Entra ID? Yes, ICVA supports Entra ID (formerly Azure AD) for user authentication.

  • Can I manage user permissions on InControl/ICVA via Entra ID? No. InControl and ICVA support using Entra ID for user authentication, but not authorization. All user roles and permissions must be configured and managed locally within the InControl/ICVA platform.

  • What are the required settings for ICVA Azure AD integration? Within the ICVA Authentication Settings, you must provide the Azure AD Client ID and Azure AD Client Secret. The Azure AD Tenant ID is optional.


API and Account Management

  • How should I set up an account for API access? You must create a Peplink ID using an email address for your API account to ensure it is not added to a suppression list.

OneLogin Integration (New)

  • Does Peplink ID support OneLogin? Yes. OneLogin integration is available for enterprise organizations and works very similarly to our Okta integration. It requires backend configuration by our engineering team, so you will need to open a support ticket with Peplink to begin the process.

  • Where is the OneLogin login button? There is no “Login with OneLogin” button on the Peplink ID landing page. The system uses Service Provider Initiated (SP-Init) SSO:

  1. The user enters their email address on the standard Peplink ID login page.
  2. The system identifies the domain (e.g., @yourcompany.com).
  3. The user is automatically redirected to your organization’s OneLogin sign-in page.

How do I set up the OneLogin integration? Please follow the steps below:

Step 1: Peplink initiates the registration of your OneLogin Identity Provider

Before we can register your OneLogin identity provider, we need to confirm the email domain your users will use to log in.

Once registration begins, we will provide you with the Redirect URI and the Audience / SP Issuer URI. You will need both when creating the client application for Peplink ID in your OneLogin Admin Console.

Step 2: Create the Client Application in OneLogin

Your organization’s OneLogin administrator will need to create a new Client Application for Peplink ID in your OneLogin Admin Console.

Use the Redirect URI from Step 1 for the following fields:

  • Single Sign-On URL
  • Single Sign-Out URL
  • Recipient
  • Destination

Use the Audience / SP Issuer URI from Step 1 for the following fields:

  • Audience URI (SP Entity ID)
  • SP Issuer

Note: The integration will not function until these URIs are correctly saved in your OneLogin console.

Step 3: Provide the Metadata URL to Peplink

Once the client application is created in OneLogin, please share the following details in your Peplink support ticket — or provide the Metadata URL directly:

  • OneLogin Account URL (e.g., https://yourcompany.onelogin.com)
  • Application Client ID

We use the OneLogin Account URL and Application Client ID to construct the Metadata URL, which contains the SAML details required to integrate with your client application.

Note: Peplink must be able to access the Metadata URL. If your organization restricts access by geolocation, please ensure that our servers in the United States (US) are allowed.

Step 4: Test the OneLogin Integration

Once your OneLogin identity provider has been fully configured, it’s time to test the integration:

  1. On the Peplink ID (or IC2) login page, the user enters their email address.
  2. After pressing Enter or clicking Next, they should be redirected to your OneLogin sign-in page.
  3. After a successful login, they should be redirected back to Peplink ID (or IC2).

Important Note for Okta and OneLogin Integrations

Once SSO is enabled, the user’s standard password is disabled. This means break-glass accounts will not work under the same email domain. For break-glass accounts, please use an email address with a different domain so that password-based (form) authentication can still be used.
