Enabling single sign-on (SSO)
This guide describes how to enable single sign-on (SSO), which allows users to authenticate to Lambda Cloud through your organization's existing identity provider (IdP). Enabling SSO offers several advantages:
- Users don't need to manage a separate set of credentials for Lambda Cloud.
- Your organization's users are automatically added to your domain-wide account when they first log in.
- Your IdP remains the single source of truth for managing user access.
Prerequisites
To set up SSO for your Lambda Cloud account, you must have:
- A 1-Click Cluster (1CC).
- The Admin role in your Lambda Cloud account.
- Permission to set up application integrations for your identity provider.
- Permission to create and modify DNS TXT records for the domain name that you plan to enroll in SSO.
Getting started
Close out other accounts on your target domain
Before you can set up SSO for a domain, you must ensure that your domain has only one Lambda Cloud account associated with it. Verify that:
- All other Lambda Cloud accounts associated with that domain name have been closed.
- None of the emails on that domain belong to users in other accounts. If they do, you'll need to reach out to admin users of those accounts and ask them to remove the relevant users from their accounts.
Request an invitation to set up SSO
After you've closed out all existing accounts on the domain, ask your Lambda account manager for an invitation email to set up SSO for your existing Lambda Cloud account.
Setting up SSO
Configure SSO for your identity provider
To configure SSO for your identity provider:
- Open the invitation email, and then click the link to begin enrolling your account in SSO. You're taken to the SSO setup wizard.
  Note: The invitation link can only be used once. After you open the link, you have six hours to complete the SSO configuration process. If your link expires, contact your Lambda account manager and ask them to generate a new link.
- On the Configure Your Connection page, click Single Sign-On.
- Select your identity provider from the list of supported providers, and then click Next. If you don't see your provider on the list, choose Custom SAML or Custom OIDC, depending on your provider's authentication protocol.
- Follow the instructions to configure SSO for your selected provider. If your provider uses SAML authentication, make sure its assertions carry the following:
  - NameID format: Use the urn:oasis:names:tc:SAML:2.0:nameid-format:persistent format.
  - Email attribute: Include the user's email address in either the email attribute or the http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress attribute.
- After you've finished the setup process, click Done. You're taken back to the Configure Your Connection page.
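Before enabling the connection, it is worth confirming that a test assertion from your IdP actually carries the persistent NameID format and an email attribute under one of the two accepted names, since a mismatch here is the usual reason a first SSO login fails or creates a user with no email. The following is an added example, not Lambda's code or part of the setup wizard: it parses a SAML assertion with the Python standard library and reports what is missing. The two sample assertions are constructed for illustration; the attribute name mail in the second one stands in for whatever default your IdP ships with.

```python
"""Inspect a SAML assertion for the NameID format and email attribute
the SSO wizard requires. Added example, not Lambda's code; the sample
assertions below are constructed."""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
EMAIL_ATTRS = (
    "email",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
)


def check_assertion(xml_text: str) -> dict:
    """Return findings about the assertion's NameID format and email attribute.

    This checks attribute shape only. It does not verify the XML signature,
    so run it on an assertion captured from a test login against your own
    IdP; it is not a substitute for the service provider's validation.
    """
    root = ET.fromstring(xml_text)
    # Accept either a bare <saml:Assertion> or a <samlp:Response> wrapping one.
    if root.tag == f"{{{SAML_NS}}}Assertion":
        assertion = root
    else:
        assertion = root.find(".//saml:Assertion", NS)
    if assertion is None:
        return {"ok": False, "name_id_format": None, "email": None,
                "problems": ["no <saml:Assertion> element found"]}

    problems = []
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    name_id_format = name_id.get("Format") if name_id is not None else None
    if name_id is None:
        problems.append("Subject has no NameID")
    elif name_id_format != PERSISTENT:
        problems.append(f"NameID Format is {name_id_format!r}, expected {PERSISTENT!r}")

    # Collect attributes as {Name: [values]} so either accepted email name is found.
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values

    email = None
    for name in EMAIL_ATTRS:
        if attrs.get(name):
            email = attrs[name][0]
            break
    if email is None:
        problems.append(f"no email attribute; expected one of {EMAIL_ATTRS}")
    elif "@" not in email:
        problems.append(f"email attribute value {email!r} is not an address")

    return {"ok": not problems, "name_id_format": name_id_format,
            "email": email, "problems": problems}


# Constructed sample: what a correctly configured IdP sends.
GOOD_ASSERTION = f"""
<saml:Assertion xmlns:saml="{SAML_NS}" ID="_c1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="{PERSISTENT}">a1b2c3</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="{EMAIL_ATTRS[1]}">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

# Constructed sample: emailAddress NameID format and an attribute named
# "mail" (a hypothetical IdP default), neither of which the wizard accepts.
BAD_ASSERTION = f"""
<saml:Assertion xmlns:saml="{SAML_NS}" ID="_c2" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

if __name__ == "__main__":
    for label, doc in (("good", GOOD_ASSERTION), ("bad", BAD_ASSERTION)):
        print(label, check_assertion(doc))
```

The persistent-format check matters beyond the wizard accepting the assertion: a persistent NameID stays stable when a user's email changes, so the Lambda Cloud account keeps mapping to the same person, whereas an emailAddress-format NameID would make a renamed mailbox look like a new user.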
Verify ownership of your domain
To complete SSO setup for your domain, you must verify that you own the domain:
- On the Configure Your Connection page, click Domain Verification.
- In the Add Domain tab, input your target domain and then click Add Domain.
- Follow the instructions for verifying your domain.
- After your domain name has been verified, click Done. You're taken back to the Configure Your Connection page.
- On the Configure Your Connection page, click Enable Connection. A modal appears.
- Click Proceed to finish enabling SSO for your domain.
Next steps
For more information about access control on Lambda Cloud, see the Access and security overview.