Skip to content

Configure Enterprise Login

With Choreo, you can configure enterprise login to allow users from an external identity provider (IdP) to sign in to Choreo seamlessly without changing their credentials.

This guide walks you through the steps to configure enterprise login for your organization in Choreo.

Prerequisites

Before you proceed with the configuration, ensure that you have set up the following:

  • A valid email domain for your organization.
  • Access to the Choreo Console at https://console.choreo.dev/ via your Google, GitHub, or Microsoft account. If you are a new user, create an organization with a unique organization name. For example, "Stark Industries".

Configure enterprise login for your Choreo organization

To configure enterprise login for your Choreo organization, follow the steps given below:

  • If you already have a support account with us, send us your organization name/handle and the email domains specific to your organization through our support portal.

  • If you do not have a support account with us yet, send an email to [email protected] requesting to enable enterprise login for your organization.

    Tip

    Ensure you include the following information in the request:

    • Organization name or handle. For example, “Stark Industries” or “starkindustries”.
    • Email domains specific to your organization. For example, “@stark.com”, “@starkindustries.com”, and “@stark.eu.

    Sample email

    Subject : [Stark Industries] Configure enterprise login

    Hi CS team,

    I need to configure enterprise login for my organization. Can you please do the necessary configurations to proceed?

    My organization details are as follows:

    • Organization name: Stark Industries
    • Organization handle: starkindustries
    • Email domains specific to my organization: “@stark.com”, “@starkindustries.com”, and “@stark.eu”

    Thank you.

    The Choreo support team will perform the necessary configurations and respond to you with a verification code. You must sign in to your domain host account and configure the DNS record for your email domain with the following values:

    Field Value
    Name/Host/Alias Specify @ or leave it blank
    Time to Live (TTL) Keep the default value or use 86400
    Value/Answer/Destination wso2-domain-verification:<verification_code>

Now, you are ready to bring your own identity to Choreo.

Bring your own identity to Choreo

When you create an organization in Choreo, an organization with the same name is provisioned for you in Asgardeo. To bring your own identity to Choreo, you must configure a federated enterprise IdP on Asgardeo in the organization that is provisioned for you.

Follow the steps given below to configure the federated IdP:

  1. Sign in to Asgardeo.
  2. To configure a federated enterprise identity provider for your Asgardeo organization, follow the steps in Asgardeo documentation - Add Standard-Based Login.
  3. In the Asgardeo Console left navigation menu, click Applications. You will see an application named WSO2_LOGIN_FOR_CHOREO_CONSOLE.
  4. Click on the application to edit it.
  5. Click the Sign-in Method tab. You can observe the configured connection.

Now, users in your enterprise IdP can sign in to the Choreo Console using their enterprise IDs.

Configure role-based access control for enterprise login

To streamline the enterprise login process and grant appropriate permission, Choreo provides the flexibility to configure role-based access control for users who reside in an external IdP.

To set up role-based access control for enterprise login within Choreo, follow the steps given below:

Prerequisites

Before you proceed with the configuration, make sure you complete the following:

  1. Configure enterprise login for your organization. For instructions, see Configure enterprise login for your Choreo organization.
  2. Ensure your enterprise identity provider includes the group/role attributes in tokens it sends to Asgardeo via the respective protocol.
  3. Be sure you have administrator privileges in Choreo.

Step 1: Configure Asgardeo

  1. Sign in to Asgardeo.
  2. Configure your IdP as an external IdP in Asgardeo. Depending on your IdP, you can select OpenID Connect or SAML as the protocol between Asgardeo and your IdP.

    Note

    If you are using OpenID Connect, configure the requested scopes accordingly for Asgardeo to get the relevant group/role details from the external IdP.

  3. To configure the application, follow the steps given below:

    1. In the Asgardeo Console left navigation menu, click Applications. You will see an application named WSO2_LOGIN_FOR_CHOREO_CONSOLE.
    2. Click on the application to edit it.
    3. Click the Sign-in Method tab.
    4. Configure the IdP for login depending on the protocol you selected:

    5. Click the User Attributes tab.

    6. Select the Groups attribute and click the arrow to expand the section. Then, select the Requested checkbox.
    7. Click Update.
  4. To add the user attributes as OpenID Connect scopes, follow the steps given below:

    1. In the Asgardeo Console left navigation menu, click Scopes.
    2. In the OpenID Connect Scopes pane, click OpenID to edit it.
    3. Click New Attribute and select the Groups attribute.
    4. Click Save and then click Save Changes.

Step 2: Map Asgardeo groups to Choreo roles in the Choreo Console

Note

Before you map Asgardeo groups to Choreo roles, ensure you meet the following criteria:

  • Asgardeo is your key manager.
  • You have permission to perform actions of the organization administrator role.
  1. Sign in to the Choreo Console.
  2. In the Choreo Console, go to the top navigation menu and click Organization. This takes you to the organization's home page.
  3. In the left navigation menu, click Settings.
  4. In the header, click the Organization list. This will open the organization level settings page.
  5. In the Organization tab, click Role Mapping. Role mapping

  6. To add a new role mapping, click + Add Mapping.

  7. In the Groups field, enter the exact name you configured in the enterprise IdP. Next, select the applicable roles to map from the Roles list.

    Tip

    • You can assign one or more roles to each group.
    • You can only update the role name. The group name is not editable.
    • If there is a change to the group role mapping, it takes effect from the next login session onwards.
    • If there is no role mapping, the default developer role is applied to all enterprise users.
  8. Click Save.

By following these steps, you have successfully configured role-based access control for enterprise login in Choreo, allowing users from the external IdP to have the appropriate permission.