Skip to main content

How do I enable SSO for my Unity organization?

Updated

Symptoms:

  • I want to use Single Sign-On for my Unity organization, but I can't find the option to enable it.
  • How do I enable SSO for my domain?
  • Can I disable SSO for my domain?

Cause:

Single Sign-On (SSO) is a service offered within the Unity Cloud Platform. SSO is only available for organizations with an active Unity Enterprise or Unity Industry subscription.

Resolution:

 

Prerequisites

  • You must have the Owner or Manager user type within your organization
  • You must have created a SAML 2.0 application in your Identity Provider (IdP) service

Unity SSO uses the Security Assertion Markup Language (SAML) 2.0 protocol and supports the following IdPs:

 

Create a SAML 2.0 application in your IdP service

  1. Go to your organization's IdP portal and create a SAML 2.0 application.
  2. On a new tab, go to the Unity Dashboard, and then go to Administration > SSO.
  3. Copy the values of the following metadata parameters from the Unity section:
    1. Entity ID
    2. Login (Assertion Consumer Service) URL
    3. Certificate
  4. Go back to your IdP portal and paste the values in the corresponding fields of the SAML settings.
  5. Add custom user attribute mapping to your SAML 2.0 connector in your IdP:
    1. For the custom attribute name, enter Email.
    2. Select the user's email address in the IdP as the field. To authenticate the user, Unity SAML SSO needs the Email attribute.

Configure SSO for your organization

  1. In the Unity Dashboard, go to Administration > SSO.
    sso-2.png
  2. Select Edit information next to the Identity Provider section.
  3. Enter the IdP metadata parameters you generated in the Prerequisites stage of this article and save your changes.
    sso-6.png

Validate domains for SSO

To ensure that the validated domains in your IdP and in your Unity SSO match, follow these steps:

  1. Sign in to the Unity Dashboard as the SSO configuration IT administrator.
  2. Go to Administration > SSO.
    sso-2.png
  3. Select the Domains tab, and then click Add domain.
  4. Enter the domain you want to enable SSO for. For example unity.com for users@unity.com email addresses. 
  5. Select Add and validate.
    sso-8.png
  6. Copy the TXT record value from the domain information window and add it to the header of your domain. This validates your ownership of the domain.
  7. Select Validate.
    sso-9.png

You can repeat this process to enable SSO for other domains. Once a domain is validated, it can't be claimed by another Unity organization until you delete the record from your SSO configuration.

Note: It can take up to 48 hours for Unity to validate your domain.

 

Turn off SSO for specific domains

To turn off SSO for a specific domain, follow these steps:

  1. In the Unity Dashboard, go to Administration > SSO
    sso-2.png
  2. On the Domains tab, select Delete next to the domain for which you want to turn off SSO.
  3. Select Confirm to delete the domain from your SSO configuration.

Considerations

When integrating Unity SSO with your IdP, consider these points:

  • When users create a Unity ID account through SSO, Unity doesn't create the following information:
    • A password: The next time they sign in, users must select Forgot your password? and set up their password.
    • A personal organization for the new account: To create projects, users must manually create their own personal organization.
  • When signing in through SSO, users are automatically assigned to the organization for which SSO is set up. After sign-in, users can switch organizations and access the other organizations which they're a member of.

For more comprehensive SSO setup guidance, visit the Unity Cloud Documentation.

If you need SSO functionality but don't currently have the required license tier, contact our Sales team to explore upgrade options.

Related to

Related articles