SSO Integration with SafeConsole 5.3+

SSO allows admins to log in to SafeConsole using third-party authentication. With Single Sign-On enabled, SafeConsole admins can be synced from a centrally managed repository of users, which allows for easier review and management.

SafeConsole can integrate with an SSO solution that uses a SAML 2.0 connector.

Solutions that have been tested and confirmed by the DataLocker team:

  1. PingOne

  2. OneLogin

  3. PingFederate

  4. ADFS

  5. Okta

  6. Azure

Important Information for Integration

Entity ID

The entity ID is also considered the Identifier of the SSO connector. This allows SafeConsole to determine which connector to use within your SSO solution. 

Please note that the Entity ID configured in the Identity Provider (IdP) must match the Entity ID configured in SafeConsole.


Login URL Example - (This will vary depending upon your SSO solution.)
OneLogin Example -

ACS (Consumer) URL Validator* example - ^https\:\/\/\/safeconsole\/sso-login\/acs$

Default Logout URL - (This URL will log you out of the SafeConsole server and not your entire SSO solution.) 


An assertion is an open standard for exchanging authentication and authorization data between the SafeConsole server and the SSO solution. The assertion would be implemented into the settings of the SSO connector. This allows the connector to know which solution to communicate with.


Required Attributes

memberOf - Sets the group memberships that are identified by SafeConsole. See Privileged Access Groups below to determine the level of group access.

Name ID - The LDAP attribute that is used to authenticate to the SafeConsole server.

Privileged Access Groups - By default, SafeConsole has three levels of user console access. The access level will need to be defined in the SSO connector during setup.  The three default access levels are as follows: 

  • ADMINISTRATOR - Can purchase licenses, add administrators, configure devices, monitor audit logs, and perform device actions

  • MANAGER - Can configure devices, monitor audit logs, and perform device actions

  • SUPPORT - Can perform a limited number of device actions, such as password resets. Cannot change device configurations


You will need two certificates to complete the integration between SafeConsole and your SSO solution: The Public Signing Certificate of your SafeConsole Server and the SSL certificate that is associated with your SSO Solution. 

The SafeConsole certificate will be used as a signed certificate within the connector of the SSO solution. The SSO certificate will be used by SafeConsole to create a secure trust between both parties. You will need to be able to extract the x509 data of your SSO Certificate. 

To obtain the Public Signing Certificate of your SafeConsole server, log in to your console and go to Help > Quick Connection Guide > Legacy Devices. Click on Server Certificate and the download will begin.

SSO Settings within the SafeConsole:

In your on-prem SafeConsole, a user with the same email address as in your SSO solution must exist with the appropriate permissions.

To continue with the steps below, you must be using an owner account, which is created by default. To get the password to this account, navigate to your SafeConsole folder and open sc_email_history in a text editor. Within that file, you should see a long URL that lets you choose your password for the owner admin account.

Log in to your SafeConsole and navigate to Server Settings > Single Sign-On.

You may manually type in the required fields (Method 1), or upload the METADATA file obtained from your SSO solution, which will automatically fill out the required fields (Method 2).
example from OneLogin to obtain METADATA file

Method 1:

  1. Check the box to enable SSO

  2. Select SAML2 from the drop-down

  3. Enter the identifier of your SSO Connector

  4. Input the SSO Endpoint URL

  5. Input the SLO Endpoint URL 

  6. Input the X509 Data

  7. Click Save. 

Method 2: 

  1. Check the box to enable SSO

  2. Select SAML2 from the drop-down 

  3. Upload the METADATA file that can be obtained from your SSO solution 

  4. Click Save

Please Note: If you are utilizing SafeConsole On-Premise, please make sure you have an Admin, Manager, and Support account/group assigned. This can be checked by running the "SafeConsole Configurator" from the SafeConsole host computer. The Single Sign-On subsystem requires that these roles are assigned to function properly.