Single sign-on for Redgate apps
Published 19 November 2020
Single sign-on (SSO) allows users of Redgate apps to authenticate using their organization's identity provider, removing the need for them to use a Redgate ID and password.
SSO removes the need for users to create and remember a password specific to Redgate, and makes it easier for administrators to manage access to Redgate apps in their organization.
Once enabled:
- All users authenticating within Redgate apps using an email address with your domain will authenticate using the configured identity provider (IdP). They no longer need to use a Redgate ID password.
- New users will no longer need to create a Redgate ID.
Enabling SSO for a domain requires all users in that domain to use your IdP. In the future we may give customers the ability to scope their SSO rollout. If you need this, please let us know.
Who can use SSO
All customers can use this service.
This service is compatible with the OpenID Connect (OIDC) protocol; common identity providers such as Microsoft Entra ID, Okta, Auth0 and AWS Cognito all support OIDC.
Compatible products
- Flyway Desktop
- Flyway Enterprise
- SQL Prompt
These and other Redgate desktop apps make use of this service.
Legacy desktop products will not use this service. SSO for SQL Monitor and SSO for Redgate Clone is configured separately.
How to set up SSO
We require you to add a TXT record to your domain's DNS zone to prove that you own the domain and have sufficient privileges to enable SSO. Check that you have the privileges to update your domain's DNS records. If you do not, please pass this documentation to a colleague who does.
1. Configure your IdP
If you are using Microsoft Entra ID:
- Sign in to portal.azure.com.
- Select Microsoft Entra ID from the dashboard.
- Create an App registration from the Manage section in the menu.
- Press the 'New registration' button.
- Enter a descriptive name for the app registration, select the appropriate account type, then press Register.
- Select Authentication in the left-hand menu, enable ID tokens, then save.
- Select API permissions in the left-hand menu, press the 'Grant admin consent for ...' button (it is followed by your tenant's name), then confirm.
- Go to the overview section and copy the Application (client) ID. This is your Client ID for the setup process.
- Select 'Endpoints' from the overview and copy the value in the OpenID Connect metadata document field. This is your IdP URL.
See configuration details for Microsoft Entra ID for a detailed walkthrough with screenshots.
If you are using another type of IdP, see configuration details for other common IdPs.
2. Prove domain ownership
- Navigate to the service configuration screen.
- Sign in with your Redgate ID. If you don't have one you can create a new Redgate ID. The email address used should be on the domain for which you want to enable SSO, and as part of the process, will be elevated to administrator privileges.
- The service generates a token unique to your domain; add it to your DNS as a TXT record using your DNS admin tools. This forms the proof that you own the domain and have the privileges to apply policies.
- Press the Continue button. Once the service can see your token, you can proceed to set up your IdP. If the service cannot see your token, check the token in your DNS admin tool and try again.
While the DNS token is present, it grants this email address admin privileges, and only within ssoadmin.red-gate.com.
Multiple email addresses can hold admin privileges simultaneously by publishing multiple values in the DNS record.
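To make the domain-ownership step concrete, here is an added example (not Redgate's code) of the check a verifier performs: it reads the TXT values published at the domain, picks out the verification tokens, and accepts any one of several published values so that more than one administrator can hold a token at once. The record label `redgate-sso-verification=` is a hypothetical format chosen for illustration, and the resolver is a fake built from constructed zone data so the example runs offline; a real implementation would wrap an actual DNS query.

```python
"""Check that a domain-ownership token is published as a DNS TXT record.

Added example, not Redgate's code. The token label, the lookup at the domain
apex and the fake resolver are assumptions made for illustration only.
"""
import hmac
from typing import Callable, Iterable

# A resolver returns the TXT values published at a DNS name. It is responsible
# for joining the quoted strings of each record into one byte string. Here we
# inject a fake one so the example runs offline.
TxtResolver = Callable[[str], Iterable[bytes]]

TOKEN_PREFIX = b"redgate-sso-verification="  # hypothetical label, not Redgate's

# Constructed sample zone: two administrators have each published a token as a
# separate TXT value, alongside an unrelated SPF record that must be ignored.
SAMPLE_ZONE = {
    "example.com": [
        b"v=spf1 include:_spf.example.net -all",
        b"redgate-sso-verification=TOKEN-FOR-ALICE",
        b"redgate-sso-verification=TOKEN-FOR-BOB",
    ],
}


def fake_resolver(name: str) -> list[bytes]:
    """Stand-in for a real DNS TXT lookup; normalises the name like a resolver would."""
    return list(SAMPLE_ZONE.get(name.rstrip(".").lower(), []))


def published_tokens(domain: str, resolve: TxtResolver) -> list[bytes]:
    """Return every verification token found among the domain's TXT values."""
    tokens = []
    for value in resolve(domain):
        value = value.strip()
        if value.startswith(TOKEN_PREFIX):
            tokens.append(value[len(TOKEN_PREFIX):])
    return tokens


def token_is_published(domain: str, expected: str, resolve: TxtResolver) -> bool:
    """True if `expected` is one of the tokens published for `domain`.

    The comparison is constant-time so a verifier does not leak how much of a
    guessed token matched, and any of several published values is accepted so
    that several administrators can hold tokens simultaneously.
    """
    want = expected.encode()
    return any(hmac.compare_digest(want, found) for found in published_tokens(domain, resolve))


if __name__ == "__main__":
    for token in ("TOKEN-FOR-ALICE", "TOKEN-FOR-MALLORY"):
        print(token, "->", token_is_published("example.com", token, fake_resolver))
```

The same function works for a real lookup once `resolve` is replaced by a wrapper around a DNS library; the verification logic itself does not change.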
3. Add your IdP details and enable SSO
- Enter the Client ID and IdP URL values into the service configuration screen, then press Continue. This runs a test to check the IdP configuration.
- Press Continue to enable SSO.
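The test that runs when you submit the Client ID and IdP URL is not published in detail, so here is an added example (not Redgate's code) of the checks a sensible pre-flight test would make on an OIDC metadata document: the IdP URL is an https discovery URL, the document carries the fields OIDC Discovery requires, the issuer agrees with the URL the document was fetched from, every endpoint is https, and the provider can issue signed ID tokens (the "enable ID tokens" step in the Entra ID setup above corresponds to the `id_token` response type). The metadata document is constructed to look like an Entra ID tenant's, with `<tenant-id>` as a placeholder, so the example runs offline.

```python
"""Pre-flight checks on an OIDC identity-provider configuration.

Added example, not Redgate's code. The sample document is constructed to
resemble Microsoft Entra ID metadata; <tenant-id> is a placeholder.
"""
import json
from urllib.parse import urlparse

DISCOVERY_SUFFIX = "/.well-known/openid-configuration"  # fixed by OIDC Discovery

# Fields that OIDC Discovery requires every provider to publish.
REQUIRED_FIELDS = (
    "issuer", "authorization_endpoint", "jwks_uri", "response_types_supported",
    "subject_types_supported", "id_token_signing_alg_values_supported",
)

# Constructed sample: an Entra ID tenant's IdP URL and metadata document.
SAMPLE_IDP_URL = "https://login.microsoftonline.com/<tenant-id>/v2.0" + DISCOVERY_SUFFIX
SAMPLE_METADATA = json.dumps({
    "issuer": "https://login.microsoftonline.com/<tenant-id>/v2.0",
    "authorization_endpoint": "https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/authorize",
    "token_endpoint": "https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token",
    "jwks_uri": "https://login.microsoftonline.com/<tenant-id>/discovery/v2.0/keys",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "subject_types_supported": ["pairwise"],
    "id_token_signing_alg_values_supported": ["RS256"],
})


def _is_https(url: str) -> bool:
    parsed = urlparse(url)
    return parsed.scheme == "https" and bool(parsed.netloc)


def check_idp_config(client_id: str, idp_url: str, metadata_json: str) -> list[str]:
    """Return a list of problems; an empty list means the configuration passes."""
    problems = []
    if not client_id or client_id != client_id.strip():
        problems.append("client ID is empty or has surrounding whitespace")
    if not _is_https(idp_url):
        problems.append("IdP URL must use https")
    if not idp_url.endswith(DISCOVERY_SUFFIX):
        problems.append(f"IdP URL should end with {DISCOVERY_SUFFIX}")
    try:
        meta = json.loads(metadata_json)
    except ValueError:
        return problems + ["metadata document is not valid JSON"]
    missing = [field for field in REQUIRED_FIELDS if field not in meta]
    if missing:
        return problems + ["metadata is missing required fields: " + ", ".join(missing)]
    issuer = meta["issuer"]
    parsed_issuer = urlparse(issuer)
    if not _is_https(issuer) or parsed_issuer.query or parsed_issuer.fragment:
        problems.append("issuer must be an https URL without query or fragment")
    # Discovery places the document at <issuer>/.well-known/openid-configuration,
    # so a document whose issuer does not match the URL it came from is suspect.
    if idp_url != issuer.rstrip("/") + DISCOVERY_SUFFIX:
        problems.append("IdP URL does not match the issuer in the metadata")
    for endpoint in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if endpoint in meta and not _is_https(meta[endpoint]):
            problems.append(f"{endpoint} must use https")
    if not ({"id_token", "code"} & set(meta["response_types_supported"])):
        problems.append("provider cannot issue ID tokens")
    if not (set(meta["id_token_signing_alg_values_supported"]) - {"none"}):
        problems.append("provider only signs ID tokens with alg 'none'")
    return problems


if __name__ == "__main__":
    # Constructed client ID; Entra ID issues these as GUIDs.
    print(check_idp_config("11111111-2222-3333-4444-555555555555", SAMPLE_IDP_URL, SAMPLE_METADATA))
```

A real test would also fetch the document over TLS and retrieve the JWKS to confirm that the signing keys are reachable; those network steps are left out here so the checks above can run against the embedded sample.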
Disabling SSO
Administrators can turn off OIDC SSO at any time and revert to using Redgate IDs.
- Users who created Redgate IDs before SSO was enabled will then use their password login.
- Users with Redgate IDs created after SSO was enabled can use the forgotten password feature to set a password and then log in.
- Users without Redgate IDs will need to create a new Redgate ID.
To disable SSO:
- Go to the service configuration screen in your browser and click Continue.
- Sign in with an account that has ssoadmin.red-gate.com administrator privileges; this is likely the account through which you originally enabled SSO.
- The service recognises that SSO is already enabled.
- Press the Disable SSO button and confirm.