Account
Manage user, organization & RBAC in Suger Console.
Signup & Login
-
Suger use Auth0 as the authentication & authorization provider. Both
Sign in
andSign up
share the same entry https://console.suger.io/login. -
Suger supports
sso
withGoogle
,Microsoft
andOkta
(available upon request).
Organization
-
All Suger resources are organized & managed under organization. Each user must belong to at least one organization.
-
When you sign up for Suger for the first time, you will be prompted to create a new organization. However, please note that your organization will require approval from Suger in order to become active. To initiate the approval process for your newly created organization, please get in touch with Suger Support.
-
The user who creates the organization has the
ADMIN
role as default. It is allowed to add new users, edit user role or delete the users. There are 3 predefined standard roles:ADMIN
,EDITOR
&VIEWER
. Their permission scope is defined below:User Role RBAC Permissions ADMIN
Full access, including management of users, organizations, API Client & Webhook. EDITOR
Full access, but excluding the access to management of users, organizations, API Client & Webhook. VIEWER
Can only access Suger services with read
access, no permission tocreate/edit/delete
any resourcestip- The
email domain
of the organization inherits from the user who created it. - For security purpose, only the users who has the same
email domain
as the organization can be added to that organization.
- The
Custom Role with Granular Permissions
Custom roles offer precise control over permissions, allowing you to go beyond the limitations of predefined standard roles, which may be overly broad. This flexibility enables assigning specific permissions at a more granular level.
Create Custom Role
- Navigate to the settings page of your organization.
- Locate the
Roles
section under theOrganization & Users
tab. - Click the
Add Custom Role
button. - Fill in the name and description fields.
- Set permissions according to your specific requirements.
Assign Custom Role to User
Once custom roles are created, you can apply them during the creation or modification of a user.
- Visit the settings page of your organization.
- Find the
Users
section under theOrganization & Users
tab. - Add a new user by clicking the
Add User
button or edit an existing user by clicking the edit button in each user row. - Set the role field in the
Add User
/Edit User
dialog to the desired custom role.
Edit Custom Role
-
Visit the settings page of your organization.
-
Locate the
Roles
section under theOrganization & Users
tab. -
Click the edit button in each custom role row.
-
Modify the name, description, and permissions as needed.
Use Okta as Identity Provider
Suger supports Okta as an identity provider, allowing you to manage users and their access to Suger through Okta.
You can either integrate Suger via Okta Integration Network(OIN), or create custom app integrations.
(Option 1: Recommended) Integrate Suger via Okta Integration Network(OIN)
Suger is available on the Okta Integration Network(OIN). It supports both OIDC Single Sign-On (SSO) and user provisioning with SCIM (System for Cross-domain Identity Management).
You can add Suger to your Okta account by following the steps below:
-
In Okta Admin Console, go to Applications. Click Browse App Catalog.
-
Search "Suger" for Suger App and add it to your Okta account.
-
Set the following parameters. Click Done when finished.
-
Suger Organization ID: Contact Suger support to get the ID.
-
SCIM endpoint URL: Contact Suger support to get the URL.
-
Application Visibility: Keep the default settings (both unchecked)
-
OIDC configuration
Supported Features
- Service Provider (SP)-Initiated Authentication: Triggered when a user logs in from Suger and uses Okta as the identity provider..
- Identity Provider (IdP)-Initiated Authentication: Triggered when a user logs in from Okta and is automatically signed into Suger.
Steps
- In the Okta app, navigate to Sign On - Settings, copy the
Client ID
andClient Secret
and send them to Suger support. - Copy your
Okta Domain
and send to Suger support. It looks likedev-12345678.okta.com
. - Wait for Suger support to configure the OIDC connection using the provided details.
- In the Suger console, go to "Settings", click "Edit" under the Organization section, and enter the
Auth0 Enterprise Connection Name
. Click Save.
SCIM configuration
Supported Features
- Create users
- Update user attributes
- Deactivate users
Steps
-
Open the app and navigate to Provisioning, click "Configure API Integration".
-
Check the Enable API Integration box.
-
Ask Suger support to get the API Token. Click Test API Credentials to verify the connection. Once successful, click Save.
-
In Provisioning to App section, check the options below:
-
Scroll down to the "Suger Attribute Mappings" section, remove the following mappings:
Attribute Value Primary email type (user.email != null && user.email != '') ? 'work' : '' Primary phone type (user.primaryPhone != null && user.primaryPhone != '') ? 'work' : '' Address type (user.streetAddress != null && user.streetAddress != '') ? 'work' : '' -
Set up Suger Role mapping following Manage Suger Role with SCIM.
Troubleshooting
- If you encounter a "Conflict" or "Matching user not found" error when assigning users to the SCIM app, navigate to Dashboard > Tasks to check the error details and retry the task.
(Option 2) Create custom app integrations
You can also create custom app integrations for Suger in Okta, which provides more flexibility and control over the configuration.
This section describes how to create two separate Okta apps for OpenID Connect(OIDC) and SCIM provisioning.
Create an OpenID Connect(OIDC) App Integration
Setting up Okta as a Single Sign-On (SSO) provider for Suger requires configuration on both Okta and Suger sides.
Okta OIDC Configuration
Follow these steps to create an OpenID Connect (OIDC) app integration in Okta:
-
Open the Okta Admin Console, go to Applications -> Applications. Click Create App Integration.
-
Select OIDC as the Sign-in method, and Web application as the Application type:
-
Configure the following parameters, then click Save.:
-
App integration name:
Suger
-
Sign-in redirect URIs:
https://dev-uwmvi0yu.us.auth0.com/login/callback
. -
Sign-out redirect URIs:
https://console.suger.io/login
. -
Trusted Origins:
https://console.suger.io
-
-
Open the app settings and navigate to General - General Settings - Edit, then configure the following:
-
Login initiated by: Either Okta or App
-
Application visibility: Display application icon to users
-
Login flow: Redirect to app to initiate login (OIDC Compliant)
-
Initiate login URI:
https://console.suger.io/login?orgId={your_suger_org_id}
. Ask Suger support to get theyour_suger_org_id
. -
Controlled access: Skip group assignment for now
-
-
Retrieve the
Client ID
andClient Secret
from Okta and send them to Suger support. -
(Optional) Set an app logo by saving this image:
Suger OIDC Configuration
Follow the Okta Workforce Connection setup guide to create an Okta connection. Use the following parameters:
- Connection Name: A unique name for the connection. It can't be changed after creation.
- Okta Domain: e.g.,
dev-12345678.okta.com
. - Client ID: From Okta app.
- Client Secret: From Okta app.
It looks like:
Create an SCIM App Integration
SCIM (System for Cross-domain Identity Management) enables secure user data synchronization between Okta and Suger.
Setting up SCIM integration requires configuration on both Suger and Okta sides.
Suger SCIM Configuration
-
Open the Auth0 Dashboard and navigate to: Authentication > Enterprise > Okta Workforce > [your-connection] > Provisioning.
-
Configure the following settings:
- Disable: "Sync user profile attributes at each login".
- Enable: "Sync user profiles using SCIM.
-
In the Mapping tab, add this mapping:
{
"scim": "roles[type eq \"SUGER_ROLE\"].value",
"auth0": "app_metadata.suger_role"
}, -
In the Setup tab, Generate a Bearer Token using the default settings:
-
Send the
SCIM endpoint URL
andBearer token
to the Okta administrator.
Okta SCIM Configuration
-
Obtain the
SCIM endpoint URL
andBearer token
from Suger support. -
Follow this Okta SCIM setup guide to create a SCIM app:
Manage Suger Role with SCIM
-
Create a custom attribute for SCIM app user:
- Data type:
string
- Display name:
Suger Role
- Variable name:
sugerRole
- External name:
roles.^[type=='SUGER_ROLE'].value
- External namespace:
urn:ietf:params:scim:schemas:core:2.0:User
- Enum: Define enumerated list of values
- Attribute members:
ADMIN
:ADMIN
EDITOR
:EDITOR
VIEWER
:VIEWER
- Attribute required: Yes
- Attribute type: Group
After creation, it looks like:
- Data type:
-
Create Okta Groups for each Suger Role and assign them to the SCIM app.
Example: Create
Suger Role Admin
group:Assign the group to the SCIM app with
Suger Role
configured:Repeat for
Editor
andViewer
roles: -
Open the SCIM app, map the
Suger Role
attribute in the Provisioning tab::Click "edit" icon, and set the mapping as follows:
After mapping:
Manage Users Access
Assign the Suger role groups to Suger App. If you're using separated custom apps, assign the Suger role groups to both the Okta SSO app and the SCIM app.
You can now manage user's access to Suger App via Okta. Any updates to user attributes in Okta will be automatically synchronized to Suger in real time.
- To grant a user access to Suger, assign the user to a Suger role group.
- To revoke access, remove the user assignments from a Suger role group.
Note:
- If you encounter a "Conflict" or "Matching user not found" error when assigning users to the SCIM app, please contact Suger support to remove the existing Okta connection users in Auth0.