Configuring Multi-Org SAML for Automox
Security Assertion Markup Language (SAML) based single sign-on (SSO) is a standard for exchanging authentication data between an identity provider and a service provider. With Automox, SAML-based single sign-on enables organizations to provide their users with a single point of authentication to the Automox Console using their corporate credentials.
Automox supports multiple SAML configurations for all organizations that you manage. Multi-org SAML allows you to create a SAML configuration for each organization, providing specific access based on the org and users.
Currently, multi-org SAML only supports a one-to-one relationship with orgs. Each org needs its own SAML configuration and its own SAML app in the IDP.
The process for configuring Multi-Org SAML is the same as Single-Org SAML. In any organization, follow Single-Org SAML configuration steps to set up a SAML configuration.
Once configured, any user with an account in the org with SAML enabled will be redirected to the IDP for login, unless they specify an organization at login.
IDP-initiated logins behave as expected. When a user clicks a specific app in your IDP for an org, they are redirected to that org. Once logged in, they can optionally navigate to another org they belong to using the Automox multi-org dropdown.
SP-initiated logins behave differently depending on how you want users to reach their specific orgs:
Generic Login: If users visit console.automox.com and attempt to log in, Automox defaults to the SAML configuration of the lowest org ID that the specific user has access to. If org A for the user has SAML, the SAML configuration for org A will be used. If org A has password login and org B has SAML enabled, org B’s SAML configuration will be used.
Define an Org ID: Users can log in directly to a specific org if they specify an org ID in the URL at login. If a user specifies org A in their login URL, they will use org A’s SAML configuration to log in.
Specifying an org ID in the login URL is straightforward. The org ID for any given account can be found while logged into the console: the URL contains a parameter of the form “?o=XXXX,” where XXXX is the org ID. Append the same “?o=XXXX” parameter to the login URL (https://console.automox.com/login) to force login to that specific org.
Automox recommends bookmarking specific login URLs so that users can navigate directly to specific accounts.
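The following is an added example, not Automox code: it models the SP-initiated org resolution described above (explicit `?o=XXXX` parameter first, otherwise the lowest org ID with SAML enabled among the user's orgs) and builds the bookmarkable login URL. The org IDs and the fallback to password login when none of the user's orgs has SAML are constructed assumptions for illustration.

```python
"""Model of Automox SP-initiated login resolution (added example, not Automox's own code)."""
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse

LOGIN_URL = "https://console.automox.com/login"


@dataclass(frozen=True)
class Org:
    org_id: int          # numeric org ID, as seen in the console's "?o=XXXX" parameter
    saml_enabled: bool   # True if this org has a SAML configuration


def org_id_from_login_url(url: str):
    """Return the org ID carried by the '?o=XXXX' parameter, or None if absent or malformed."""
    values = parse_qs(urlparse(url).query).get("o")
    if not values:
        return None
    try:
        return int(values[0])
    except ValueError:
        return None


def login_url_for_org(org_id: int) -> str:
    """Build the bookmarkable login URL that forces login to a specific org."""
    return f"{LOGIN_URL}?o={org_id}"


def resolve_login(user_orgs, login_url):
    """Decide which login path applies.

    Returns ("saml", org_id), ("password", org_id) or ("denied", None).
    """
    by_id = {o.org_id: o for o in user_orgs}
    requested = org_id_from_login_url(login_url)
    if requested is not None:
        org = by_id.get(requested)
        if org is None:
            return ("denied", None)  # assumption: no account in that org means no login
        return ("saml" if org.saml_enabled else "password", org.org_id)
    # Generic login: the lowest org ID among the user's SAML-enabled orgs wins.
    saml_orgs = [o for o in user_orgs if o.saml_enabled]
    if saml_orgs:
        return ("saml", min(saml_orgs, key=lambda o: o.org_id).org_id)
    if user_orgs:  # assumption: no SAML org at all falls back to password login
        return ("password", min(user_orgs, key=lambda o: o.org_id).org_id)
    return ("denied", None)


# Constructed sample: org A uses password login, orgs B and C have SAML enabled.
SAMPLE_ORGS = [Org(1001, False), Org(1002, True), Org(1003, True)]
```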
Inviting and Provisioning Users
With Multi-Org SAML enabled, users can be invited to other orgs through the regular user invite workflow. If SAML is enabled in the org you are inviting them to, they will also need appropriate access to the corresponding SAML app in your IDP.
Provisioning users from the IDP is only supported on IDP-initiated login. To provision a user to a specific org, enable provisioning when setting up the SAML configuration and give the user access to the appropriate app in your IDP. When they attempt to log in, an account will be created for them in the appropriate org.
Facing growing threats and a rapidly expanding attack surface, understaffed and alert-fatigued organizations need more efficient ways to eliminate their exposure to vulnerabilities. Automox is a modern cyber hygiene platform that closes the aperture of attack by more than 80% with just half the effort of traditional solutions.
Cloud-native and globally available, Automox enforces OS & third-party patch management, security configurations, and custom scripting across Windows, Mac, and Linux from a single intuitive console. IT and SecOps can quickly gain control and share visibility of on-prem, remote and virtual endpoints without the need to deploy costly infrastructure.
Experience modern, cloud-native patch management today with a 15-day free trial of Automox and start recapturing more than half the time you're currently spending on managing your attack surface. Automox dramatically reduces corporate risk while raising operational efficiency to deliver best-in-class security outcomes, faster and with fewer resources.