Single sign-on for Redgate apps
Published 19 November 2020
Single sign-on (SSO) allows users of Redgate apps to authenticate using their organization's identity provider, removing the need for them to use a Redgate ID and password.
SSO removes the need for users to create and remember a password specific to Redgate, and makes it easier for administrators to manage access to Redgate apps in their organization.
Once enabled:
- All users authenticating within Redgate apps using an email address with your domain will authenticate using the configured identity provider (IdP). They no longer need to use a Redgate ID password.
- New users will no longer need to create a Redgate ID.
Enabling SSO for a domain requires all users in that domain to use your IdP.
Who can use SSO
All customers can use this service.
To use SSO you must first be part of an Organization. This is easy to set up in the Redgate Portal Settings screen.
This service is OpenID Connect (OIDC) protocol compatible; common Identity Providers such as Microsoft Entra ID, Okta, Auth0 and AWS Cognito all work with the OIDC protocol.
Compatible products
- Code Analysis for Oracle
- Flyway CLI
- Flyway Desktop
- Redgate Change Automation
- SQL Change Automation
- SQL Compare
- SQL Data Compare
- SQL Data Compare for Oracle
- SQL Data Generator
- SQL Dependency Tracker
- SQL Doc
- SQL Multi Script
- SQL Prompt
- SQL Search
- SQL Source Control
- SQL Test
- Schema Compare for Oracle
- Source Control for Oracle
Legacy desktop products will not use this service. SSO for SQL Monitor and SSO for Redgate Clone are configured separately.
Prerequisites
In order to complete this setup, you will need to:
- Be an Org Admin (if you created the organization, you are already an Org Admin)
- Be able to configure the DNS for your domain in order to prove domain ownership by adding a TXT record
- Have the necessary permissions to configure your Identity Provider
If you don't have the necessary permissions you can share this documentation with a colleague who does.
1. Configure your IdP
If you are using Microsoft Entra ID:
- Sign in to portal.azure.com.
- Select Microsoft Entra ID from the dashboard.
- Create an App registration from the Manage section in the menu.
- Press the 'New registration' button.
- Enter a descriptive name for the app registration, select the appropriate account type, then press Register.
- Select Authentication in the left-hand menu, enable ID tokens, then save.
- Select API permissions in the left-hand menu, press 'Grant admin consent for <your tenant name>', then confirm.
- Go to the overview section and copy the Application (client) ID. This is your Client ID for the setup process.
- Select 'Endpoints' from the overview and copy the value in the OpenID Connect metadata document field. This is your Issuer URL (Identity Provider's root URL).
See configuration details for Microsoft Entra ID for a detailed walkthrough with screenshots.
If you are using another type of IdP, see configuration details for other common IdPs.
2. Prove domain ownership
- Navigate to the Redgate Portal settings screen.
- Sign in with your Redgate ID. If you don't have one you can create a new Redgate ID.
- Click the "Connect identity provider" button in the "Single sign-on" section.
- Continue past the "Before you start" step.
- Enter the domain names that you want to use for single sign-on.
- Click "Generate tokens".
- The service generates tokens unique to your domains - add them to your DNS as TXT records using your DNS admin tools. This forms the proof that you own the domain and have the privileges to apply policies.
- Press "Refresh" to verify that the DNS records are added correctly. Once the service can see your tokens, you can proceed to set up your Identity Provider. If the service cannot see your tokens, check the token in your DNS admin tool and try again (DNS can take some time to propagate).
- Click "Continue" to proceed to the "Configure identity provider" step.
Please keep this DNS record in place as continued proof of ownership while you wish to use the domain for single sign-on.
3. Add your IdP details and enable SSO
- Choose from the verified domains list the domains you want to enable SSO for.
- Add the Issuer URL and Client ID values into the service configuration screen, then press "Test without saving". This will redirect you to your Identity Provider where you can log in to confirm that the configuration works.
- After successfully logging in with your Identity Provider, you will be redirected back to the Redgate Portal where you can click "Activate single sign-on" to complete the setup.
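Before pressing "Test without saving", it helps to confirm offline that the DNS TXT proof from step 2 is visible and that the Issuer URL from step 1 really is a usable OpenID Connect metadata document. The script below is an added example, not Redgate's code; it assumes `dig` is installed for the live lookup, and the domain, token and metadata values it embeds are constructed samples.

```python
import json
import shlex
import subprocess
import urllib.request

WELL_KNOWN = "/.well-known/openid-configuration"

def parse_txt_records(dig_output: str) -> list[str]:
    """Parse `dig +short TXT <domain>` output into whole record strings.
    A TXT record may be split into quoted chunks ("ab" "cd") that resolvers
    concatenate, so the token must be compared after joining them."""
    return ["".join(shlex.split(line)) for line in dig_output.splitlines() if line.strip()]

def token_present(records: list[str], token: str) -> bool:
    """True only if a whole TXT record equals the verification token (no substring matches)."""
    return token in records

def lookup_txt(domain: str) -> list[str]:
    """Live DNS query via dig (assumed installed); the constructed sample below avoids it."""
    out = subprocess.run(["dig", "+short", "TXT", domain],
                         capture_output=True, text=True, check=True).stdout
    return parse_txt_records(out)

def fetch_metadata(metadata_url: str) -> dict:
    """Download the OpenID Connect metadata document (the Issuer URL copied in step 1)."""
    with urllib.request.urlopen(metadata_url, timeout=10) as resp:
        return json.load(resp)

def check_oidc_metadata(doc: dict, metadata_url: str) -> list[str]:
    """Return problems found in the metadata document; an empty list means it looks usable."""
    required = ("issuer", "authorization_endpoint", "jwks_uri", "response_types_supported")
    problems = [f"missing {key}" for key in required if key not in doc]
    if problems:
        return problems
    # OIDC Discovery: the document is served at <issuer>/.well-known/openid-configuration
    if doc["issuer"].rstrip("/") + WELL_KNOWN != metadata_url:
        problems.append("issuer does not match the metadata URL it was fetched from")
    problems += [f"{key} is not https" for key in required[:3] if not doc[key].startswith("https://")]
    # Step 1 enables ID tokens on the app registration; the IdP must advertise them as well.
    if not any("id_token" in rt.split() for rt in doc["response_types_supported"]):
        problems.append("IdP does not advertise id_token response types")
    return problems

# Constructed sample of `dig +short TXT sso.example.test` output (not real records).
SAMPLE_DIG = '"rg-verify-abc123"\n"v=spf1 -all"\n"rg-ver" "ify-xyz"\n'
SAMPLE_TOKEN = "rg-verify-xyz"

if __name__ == "__main__":
    print("token visible:", token_present(parse_txt_records(SAMPLE_DIG), SAMPLE_TOKEN))
```

For a real check, replace the sample with `lookup_txt("yourdomain")` and `check_oidc_metadata(fetch_metadata(issuer_url), issuer_url)`.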
Editing Single Sign-On Configuration
- Navigate to the Redgate Portal settings screen.
- Click on the Single Sign-On configuration that you want to edit.
- This will open the configuration settings screen where you can edit the configuration for your identity provider.
- Ensure that your Issuer URL and Client ID are correct then press "Test without saving".
- This will redirect you to your Identity Provider where you can log in to confirm that the configuration works.
- After successfully logging in with your Identity Provider, you will be redirected back to the Redgate Portal where you can click "Activate single sign-on" to complete the setup.
Disabling Single Sign-On
Administrators can turn off OIDC SSO at any time and revert to using Redgate IDs. If you deactivate SSO:
- Users who created Redgate IDs before SSO was enabled will then use their password login.
- Users with Redgate IDs created after SSO was enabled can use the forgotten password feature to set a password and then log in.
- Users without Redgate IDs will need to create a new Redgate ID.
To disable SSO:
- Navigate to the Redgate Portal settings screen.
- Select the toggle next to the configuration you want to disable. You'll be prompted to confirm the deactivation.