
Single Sign-On (SSO)

Single Sign-On (SSO) lets users access Digital Twin with their corporate Identity Provider (IdP), so they do not need a separate Digital Twin password. Digital Twin uses SAML 2.0.

Benefits

  • Seamless experience - Users can sign in with existing corporate credentials
  • Security - Authentication stays with your IdP
  • Reduced support - Fewer password reset requests

SSO flow diagram

How It Works

  1. A user navigates to the Digital Twin application
  2. Digital Twin redirects them to your Identity Provider (IdP)
  3. The user authenticates via their existing corporate session (or logs in)
  4. The IdP returns a signed SAML response (including NameID and mapped user attributes)
  5. Digital Twin validates the IdP response and creates the user session

Service Provider (SP) Values

Use your customer domain with the digitaltwin subdomain.

Example customer domain:

  • Customer domain: acme.com
  • Digital Twin URL: https://digitaltwin.acme.com

Share these values with your IdP administrator:

Field                                  Value
SP Entity ID                           https://digitaltwin.<customer-domain>
Assertion Consumer Service (ACS) URL   https://digitaltwin.<customer-domain>/sso_auth?acs=<customer-domain>
Single Logout (SLO) URL                https://digitaltwin.<customer-domain>/logout
ACS Binding                            urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
SLO Binding                            urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
NameID Format                          urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

Replace <customer-domain> with your organization's root domain (for example, acme.com). In most deployments this is also the SSO partition identifier that appears in the acs query parameter of the ACS URL.

Note: If you see "invalid audience" or "invalid response" errors, verify that the SP Entity ID and ACS URL in your IdP app are an exact match with the values above (a trailing slash difference is enough to cause the error).

Admin Console Setup (XML Metadata + SP Settings)

Digital Twin supports admin-led setup in the Admin Console.

  1. Go to Admin Console -> SSO Setup
  2. In IdP Metadata XML, paste the XML metadata from your IdP
  3. Confirm/update the SP fields (the page pre-fills defaults from your current Digital Twin host):
    • SP Entity ID
    • ACS URL
    • SP Single Logout URL
    • ACS/SLO bindings
    • NameID format
  4. Configure Allow Password Logins only for approved break-glass users/domains
  5. Click Save SSO Configuration

Required IdP Mappings

Configure your IdP app with:

  1. NameID = user email address
  2. Attributes for first and last name
  3. Access assignment for the user group(s) that should access Digital Twin

Validation Checklist

After saving SSO config:

  1. Open a private/incognito browser window
  2. Navigate to your Digital Twin URL (https://digitaltwin.<customer-domain>)
  3. Confirm redirect to your IdP
  4. Sign in with a test user
  5. Confirm successful login into Digital Twin

If login fails, re-check:

  • SP Entity ID exact match
  • ACS URL exact match
  • NameID format and email mapping
  • Valid (non-expired) IdP metadata certificate
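The checks in the note above and in this checklist are mostly exact string comparisons, and a small script makes them repeatable when a test login fails. The following Python is an added example, not code from the Digital Twin product or its documentation: it derives the SP values for a root domain the same way the table above does, then compares a SAML response's Destination, Audience, NameID format and value, and assertion time window against them, reporting each mismatch (including the trailing-slash case). The sample response, its issuer (https://idp.example/metadata) and the test user address are constructed for the example and unsigned; XML signature verification and the IdP certificate expiry check are left to the SP's SAML library, which performs them with the IdP metadata certificate.

```python
from datetime import datetime, timezone
from typing import Optional
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"


def expected_sp_values(customer_domain: str) -> dict:
    """Derive the SP values for a root domain exactly as the SP values table does."""
    base = f"https://digitaltwin.{customer_domain}"
    return {
        "entity_id": base,
        "acs_url": f"{base}/sso_auth?acs={customer_domain}",
        "slo_url": f"{base}/logout",
        "nameid_format": EMAIL_FORMAT,
    }


def _ts(value: str) -> datetime:
    """Parse a SAML UTC timestamp such as 2024-01-01T12:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_response(xml_text: str, sp: dict, now: Optional[datetime] = None) -> list:
    """Return human-readable mismatches; an empty list means every check passed."""
    now = now or datetime.now(timezone.utc)
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        return ["root element is not a samlp:Response"]

    # ACS URL: the IdP copies it into Destination; any difference rejects the response
    dest = root.get("Destination")
    if dest != sp["acs_url"]:
        problems.append(f"Destination {dest!r} does not match ACS URL {sp['acs_url']!r}")

    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("StatusCode is not Success (the IdP rejected the login)")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("no plain Assertion (an EncryptedAssertion must be decrypted first)")
        return problems

    # SP Entity ID: must equal the Audience byte for byte, trailing slash included
    audience = assertion.findtext(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != sp["entity_id"]:
        hint = ""
        if audience and audience.rstrip("/") == sp["entity_id"].rstrip("/"):
            hint = " (differs only by a trailing slash)"
        problems.append(f"Audience {audience!r} does not match SP Entity ID {sp['entity_id']!r}{hint}")

    # NameID: email format and an email-shaped value (the IdP email mapping)
    nameid = assertion.find("saml:Subject/saml:NameID", NS)
    if nameid is None:
        problems.append("Assertion has no NameID")
    else:
        if nameid.get("Format") != sp["nameid_format"]:
            problems.append(f"NameID Format {nameid.get('Format')!r} is not {sp['nameid_format']!r}")
        if "@" not in (nameid.text or ""):
            problems.append("NameID value is not an email address; check the IdP email mapping")

    # Time window: outside it the SP rejects the assertion even if everything else matches
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        if cond.get("NotBefore") and _ts(cond.get("NotBefore")) > now:
            problems.append("assertion is not yet valid (check IdP/SP clock skew)")
        if cond.get("NotOnOrAfter") and _ts(cond.get("NotOnOrAfter")) <= now:
            problems.append("assertion has expired")
    return problems


# Constructed, unsigned sample response for acme.com; placeholders are filled by make_response()
_TEMPLATE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2024-01-01T12:00:00Z" Destination="{destination}">
  <saml:Issuer>https://idp.example/metadata</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{status}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>https://idp.example/metadata</saml:Issuer>
    <saml:Subject><saml:NameID Format="{fmt}">{nameid}</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

ACME = expected_sp_values("acme.com")
FIXED_NOW = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)  # inside the sample's window


def make_response(**overrides) -> str:
    """Build the constructed sample with correct values unless a field is overridden."""
    fields = dict(destination=ACME["acs_url"], status=SUCCESS, fmt=EMAIL_FORMAT,
                  nameid="test.user@acme.com", audience=ACME["entity_id"])
    fields.update(overrides)
    return _TEMPLATE.format(**fields)


if __name__ == "__main__":
    print(check_response(make_response(), ACME, FIXED_NOW))
    print(check_response(make_response(audience=ACME["entity_id"] + "/"), ACME, FIXED_NOW))
```

To use it against a real failed login, decode the base64 SAMLResponse form field captured from the browser's network tab and pass the XML to check_response together with expected_sp_values for your own root domain; an empty result means the problem lies in the signature, the certificate, or the attribute mapping rather than in the SP values.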

What to Send Your Implementation Contact

Provide the following:

  1. Your IdP metadata XML
  2. Confirmation of the Digital Twin customer domain (for example, digitaltwin.acme.com)
  3. Your SSO test user email(s)

Supported Identity Providers

Digital Twin supports any SAML 2.0-compliant IdP, including:

  • Okta
  • Microsoft Entra ID / ADFS
  • Google Workspace
  • Micro Focus NetIQ
  • OneLogin