Cumulocity IoT SSO login FAQ

Vachaspati_Diwevedi2 · June 20, 2023, 10:20am

If you delete the local cumulocity user and try to login using next time using SSO, SSO would create the local user without assigning any role. The administrator must do the role mapping again to have proper cumulocity access to that user.

Note: - Verified.

If you delete the SSO user, Cumulocity will have a local user, but it does not store the credentials in cumulocity, so login does not work. The local user must be cleaned up by Administrator and User must sign up again in SSO. The Administrator must assign the right role, so the user would have the right permission.

Note: - Verified

It will create a SSO user by keeping the local user and it’s role mapping intact and same user would be available as SSO as well as the local user but it throws an error.

Note:- Verified

We can use dynamic role mapping in Cumulocity SSO to assign a default role on SSO signup and it will allow user to login into default app with limited access controlled by default role.
http://cumulocity.com/guides/users-guide/administration/#configuring-single-sign-on

Using the login form CSS the basic auth login form can be hidden by adding a global CSS file and hiding that class as not to display.

Note: - verified

Yes, we can create a custom application with a static HTML page and a default global role. Assign the default global role to the user on SSO sign up using SSO dynamic role mapping and user should be redirected to this custom application by default by setting this custom app as tenant default application. The default role will have no cumulocity access except the custom application.
This custom application will have the logic to check SSO user’s role and based on that route the user to right application. This routing can happen seamlessly with addition authentication since these are SSO users and no additional authentication required.

Useful links