Account
Manage users, organizations & RBAC in the Suger Console.
Signup & Login
- Suger uses Auth0 as the authentication & authorization provider. Both Sign in and Sign up share the same entry point: https://console.suger.io/login.
- Suger supports SSO with Google, Microsoft and Okta (available upon request).
Organization
- All Suger resources are organized & managed under an organization. Each user must belong to at least one organization.
- When you sign up for Suger for the first time, you will be prompted to create a new organization. Note that your organization requires approval from Suger before it becomes active. To initiate the approval process for your newly created organization, contact Suger Support.
- The user who creates the organization gets the ADMIN role by default, which allows adding new users, editing user roles and deleting users. There are 3 predefined standard roles: ADMIN, EDITOR & VIEWER. Their permission scope is defined below:

| User Role | RBAC Permissions |
| --- | --- |
| ADMIN | Full access, including management of users, organizations, API Clients & Webhooks. |
| EDITOR | Full access, excluding management of users, organizations, API Clients & Webhooks. |
| VIEWER | Read-only access to Suger services; no permission to create/edit/delete any resource. |

Tip:
- The email domain of the organization is inherited from the user who created it.
- For security purposes, only users with the same email domain as the organization can be added to that organization.
- The
Custom Role with Granular Permissions
Custom roles offer precise control over permissions, allowing you to go beyond the limitations of predefined standard roles, which may be overly broad. This flexibility enables assigning specific permissions at a more granular level.
Create Custom Role
- Navigate to the settings page of your organization.
- Locate the Roles section under the Organization & Users tab.
- Click the Add Custom Role button.
- Fill in the name and description fields.
- Set permissions according to your specific requirements.
Assign Custom Role to User
Once custom roles are created, you can apply them during the creation or modification of a user.
- Visit the settings page of your organization.
- Find the Users section under the Organization & Users tab.
- Add a new user by clicking the Add User button, or edit an existing user by clicking the edit button in that user's row.
- Set the role field in the Add User / Edit User dialog to the desired custom role.
Edit Custom Role
- Visit the settings page of your organization.
- Locate the Roles section under the Organization & Users tab.
- Click the edit button in the custom role's row.
- Modify the name, description, and permissions as needed.
Use Okta as Identity Provider
Suger supports Okta as an identity provider, allowing you to manage users and their access to Suger through Okta.
Create an OpenID Connect (OIDC) App Integration
Setting up Okta as a Single Sign-On (SSO) provider for Suger requires configuration on both Okta and Suger sides.
Okta Configuration
Follow these steps to create an OpenID Connect (OIDC) app integration in Okta:
- Open the Okta Admin Console, go to Applications -> Applications, and click Create App Integration.
- Select OIDC as the Sign-in method and Web application as the Application type.
- Configure the following parameters, then click Save:
  - App integration name: Suger
  - Sign-in redirect URIs: https://dev-uwmvi0yu.us.auth0.com/login/callback (the URI must match exactly; Okta rejects redirects to any other value)
  - Sign-out redirect URIs: https://console.suger.io/login
  - Trusted Origins: https://console.suger.io
- Open the app settings and navigate to General -> General Settings -> Edit, then configure the following:
  - Login initiated by: Either Okta or App
  - Application visibility: Display application icon to users
  - Login flow: Redirect to app to initiate login (OIDC Compliant)
  - Initiate login URI: https://console.suger.io/login/okta
- Retrieve the Client ID and Client Secret from Okta and send them to Suger support. Treat the Client Secret as a credential: share it only over a secure channel, and rotate it in Okta if it is ever exposed.
- (Optional) Set an app logo.
Suger Configuration
- Follow the Okta Workforce Connection setup guide to create an Okta connection in Auth0, using the following parameters:
  - Connection Name: okta-connection-{Okta sub domain} (e.g., Okta domain dev-12345678.okta.com -> connection name okta-connection-dev-12345678). The name is used to direct users to the correct connection when using IdP-initiated login from Okta.
  - Okta Domain: e.g., dev-12345678.okta.com
  - Client ID: From the Okta app.
  - Client Secret: From the Okta app.
Create a SCIM App Integration
SCIM (System for Cross-domain Identity Management) enables secure user data synchronization between Okta and Suger.
Setting up SCIM integration requires configuration on both Suger and Okta sides.
Suger Configuration
- Open the Auth0 Dashboard and navigate to Authentication > Enterprise > Okta Workforce > [your-connection] > Provisioning.
- Configure the following settings:
  - Disable "Sync user profile attributes at each login".
  - Enable "Sync user profiles using SCIM".
- In the Mapping tab, add this mapping:

```json
{
  "scim": "roles[type eq \"SUGER_ROLE\"].value",
  "auth0": "app_metadata.suger_role"
}
```

- In the Setup tab, generate a Bearer Token using the default settings.
- Send the SCIM endpoint URL and Bearer token to the Okta administrator. The Bearer token authorizes writes to the user directory, so share it only over a secure channel and regenerate it if it is exposed.
Okta Configuration
- Obtain the SCIM endpoint URL and Bearer token from Suger support.
- Follow the Okta SCIM setup guide to create a SCIM app.
- Create a custom attribute for the SCIM app user:
  - Data type: string
  - Display name: Suger Role
  - Variable name: sugerRole
  - External name: roles.^[type=='SUGER_ROLE'].value
  - External namespace: urn:ietf:params:scim:schemas:core:2.0:User
  - Enum: Define enumerated list of values
  - Attribute members: ADMIN: ADMIN, EDITOR: EDITOR, VIEWER: VIEWER
  - Attribute required: Yes
  - Attribute type: Group
- Create Okta Groups for each Suger Role and assign them to the SCIM app. For example, create a Suger Role Admin group, then assign the group to the SCIM app with the Suger Role attribute configured. Repeat for the Editor and Viewer roles.
- Open the SCIM app and map the Suger Role attribute in the Provisioning tab: click the edit icon and configure the mapping for the attribute.
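The two halves of the role hand-off above (Okta projecting the custom sugerRole attribute into the SCIM core roles[] attribute, and the Auth0 mapping reading it back with roles[type eq "SUGER_ROLE"].value into app_metadata.suger_role) are easier to reason about with a concrete payload. The following is an added example, not Suger's, Auth0's or Okta's code: the SCIM User documents are constructed, the path resolver handles only the filter shape the mapping uses, and the rule that a missing, duplicated or out-of-enum role yields no role at all (so the consumer denies rather than guesses) is this example's own assumption, not behaviour documented on this page.

```python
# Added example (not Suger's, Auth0's or Okta's code): simulate the SCIM role
# hand-off. Okta writes the custom `sugerRole` attribute into the core `roles`
# multi-valued attribute (external name roles.^[type=='SUGER_ROLE'].value);
# Auth0 reads it back with the filter path roles[type eq "SUGER_ROLE"].value
# and stores it in app_metadata.suger_role. Payloads below are constructed,
# and "ambiguous or missing role -> no role" is this example's assumption.
import json
import re
from typing import Optional

SUGER_ROLES = {"ADMIN", "EDITOR", "VIEWER"}  # enum members of the Okta attribute
SCIM_ROLE_PATH = 'roles[type eq "SUGER_ROLE"].value'  # the "scim" side of the mapping
SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"

# Only the path shape the mapping uses: attr[sub eq "val"].field
_FILTER_PATH = re.compile(r'^(\w+)\[(\w+) eq "([^"]+)"\]\.(\w+)$')


def resolve_scim_path(user: dict, path: str) -> list:
    """Return every value selected by a SCIM filter path such as
    roles[type eq "SUGER_ROLE"].value on a SCIM 2.0 User resource."""
    match = _FILTER_PATH.match(path)
    if not match:
        raise ValueError(f"unsupported SCIM path: {path}")
    attr, sub_attr, wanted, field = match.groups()
    return [
        item[field]
        for item in user.get(attr, [])
        if isinstance(item, dict) and item.get(sub_attr) == wanted and field in item
    ]


def map_suger_role(user: dict) -> Optional[str]:
    """Derive app_metadata.suger_role from the SCIM user.
    Exactly one SUGER_ROLE entry whose value is in the enum is accepted;
    anything else yields None so the caller can deny access instead of
    guessing a role (assumption of this example, see lead-in)."""
    values = resolve_scim_path(user, SCIM_ROLE_PATH)
    if len(values) != 1:
        return None
    role = values[0]
    return role if role in SUGER_ROLES else None


def okta_scim_user(user_name: str, suger_role: Optional[str]) -> dict:
    """Constructed stand-in for the SCIM User Okta would push once the custom
    attribute is projected into roles[]; not a captured request."""
    user = {"schemas": [SCIM_USER_SCHEMA], "userName": user_name,
            "active": True, "roles": []}
    if suger_role is not None:
        user["roles"].append({"type": "SUGER_ROLE", "value": suger_role})
    return user


def auth0_app_metadata(user: dict) -> dict:
    """What the mapping would leave on the Auth0 user profile."""
    return {"app_metadata": {"suger_role": map_suger_role(user)}}


if __name__ == "__main__":
    samples = [("alice@example.com", "EDITOR"),  # normal case
               ("bob@example.com", None),         # not in any Suger Role group yet
               ("eve@example.com", "OWNER")]      # value outside the enum
    for name, role in samples:
        print(name, json.dumps(auth0_app_metadata(okta_scim_user(name, role))))
```

Run it to see that only the user carrying exactly one enum-valued SUGER_ROLE entry ends up with a role; a user who has not yet been assigned to a Suger Role group, or whose roles[] carries a value outside the enum, gets suger_role null. That is the outcome you want when the Okta group assignment is incomplete: the "Attribute required: Yes" setting on the Okta side and the enum constraint keep bad values from reaching Auth0, and the consumer should treat an absent role as no access rather than falling back to a default.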
Manage User Access
You can now assign users to Suger role groups in Okta to control their access to the Suger app. Any update to user attributes in Okta is automatically synchronized with Suger in real time.
Note: If you encounter a "Conflict" error when assigning users to the SCIM app, contact Suger support to remove the existing Okta connection user in Auth0.
- To grant a user access to Suger, assign them to both the OIDC app and the SCIM app via the end-user dashboard.
- To revoke access, remove the user's assignments from both apps.