Configure Enterprise Login
Choreo's Enterprise Login feature allows users who reside in an external IdP (Identity Provider) to log in to Choreo seamlessly without changing their credentials.
This guide takes you through the steps you need to follow to configure an enterprise login for your organization in Choreo.
Prerequisite: make sure you have a valid email domain.
Step 1: Create an organization in Choreo
To create an organization in Choreo, follow the steps below:
1. Sign in to the Choreo Console at https://console.choreo.dev/ using a Google, GitHub, or Microsoft account.
2. Create an organization as follows:
   - If you are a new user: enter a unique organization name and create an organization. For example, "Stark Industries".
   - If you are a returning user: expand the drop-down for your profile and click Settings. Under Organizations, you can view the organization you created at sign-up.
Step 2: Configure enterprise login for your Choreo organization
To configure enterprise login for your Choreo organization, follow the steps below:
1. Expand the drop-down for your profile and click Settings.
2. Click Copy Handle to copy the organization handle to the clipboard.
3. When you add a Choreo organization, Choreo reserves the organization name for your user account. Therefore, you need to create an organization of the same name on the Choreo IdP (i.e., Asgardeo). To create your organization on the Choreo IdP, follow these steps:
   - Sign up to Asgardeo with the same credentials you used to create your Choreo account.
   - Paste the value copied in step 2 as the organization name in Asgardeo and click Create.
4. To enable enterprise login for your organization, send us an email as follows:
   - If you already have a support account with us, send us the organization name/handle and the email domains specific to your organization through our support portal.
   - If you do not have a support account with us yet, send an email to [email protected] requesting to enable enterprise login for your organization.
   Mention the following information in the request:
   - Organization name or handle. For example, “Stark Industries” or “starkindustries”
   - Email domains specific to your organization. For example, “@stark.com”, “@starkindustries.com”, and “@stark.eu”.
   A sample request:
   Subject: [Stark Industries] Configure enterprise login
   Content:
   Hi CS team,
   Configure enterprise login to my organization and please find the relevant information below.
   Organization name/handle: “Stark Industries”/“starkindustries”
   Email domains specific to my organization: “@stark.com”, “@starkindustries.com”, and “@stark.eu”
   Thank you!
5. To configure your enterprise login, our support team will send you an email with a verification code. Log in to your domain host account and configure the DNS record for your email domain with the following values:
   Field              | Value
   Name/Host/Alias    | @ or leave blank
   Time to Live (TTL) | Leave default value or use
Next, you can create a connection to the federated identity provider (for example, Auth0, ADFS, or Keycloak) by following the steps below:
Step 3: Bring your own identity
Bring your own identity to Choreo by configuring a federated enterprise IdP on Asgardeo for your organization. Now that you have created an organization in Asgardeo with the same name as your Choreo organization in Step 2, Choreo can authenticate users signing in to that organization. Follow the steps below to configure the federated IdP:
1. Sign in to Asgardeo at https://asgardeo.io/signup?utm_source=console.
2. To configure a federated enterprise identity provider for your Asgardeo organization, follow the steps in the Asgardeo documentation - Add Standard-Based Login.
3. Next, navigate to Develop and select Applications from the left navigation. You will see an application prefixed “WSO2_LOGIN”.
4. Click the application and select the Sign-in Method tab. You can observe the connection you configured in step 2 of this section.
You are all set! Your users in the enterprise IdP can now log in to the Choreo Console using their own credentials.
Role-based access control for Enterprise login
Choreo allows you to configure your users residing in an external IdP (Identity Provider) to log in to Choreo seamlessly with the appropriate permissions based on their role.
Before you configure role-based access control for an enterprise login in Choreo, make sure of the following:
- You have configured Enterprise Login for your organization.
- Your enterprise IdP includes the groups/roles attributes in the tokens it sends to Asgardeo in the respective protocol.
- You have admin privileges in Choreo.
Step 1: Configure Asgardeo
Configure your IdP as an external IdP in Asgardeo. Depending on your IdP, you may select OpenID Connect or SAML as the protocol between Asgardeo and your IdP.
If you are using OpenID Connect, configure the requested scopes accordingly so that Asgardeo receives the relevant group/role details from the external IdP.
Configure the application as follows:
1. Go to the Asgardeo Console. Click Develop -> Applications -> WSO2_LOGIN_FOR_CHOREO_CONSOLE and then select Sign-in Method.
2. Depending on the protocol you selected above, configure your login to use the above IdP.
3. Go to User Attributes, add the groups attribute to the user attribute list, and mark it mandatory.
Configure the attribute/scope settings:
1. Go to the Asgardeo Console. Click Manage -> Scopes -> OpenID.
2. Click New Attribute and add the Groups attribute to the list.
Step 2: Map Asgardeo groups to Choreo Roles in the Choreo Console
Note the following before you begin:
- This configuration can be done only by the organization Admin.
- The Choreo organization admin should add a group-role mapping entry for the Admin role so that the external enterprise organization Admin can access this page.
To add a group-role mapping, follow the steps below:
1. Log in to the Choreo Console.
2. From the left navigation menu, click Settings.
3. Click Organization -> Role Mapping.
4. To add a new group-role mapping, click Add Mapping.
5. Enter the exact group name configured at the enterprise IdP and map the list of Choreo roles by selecting the checkbox(es) from the list.
6. Click Save.
Keep the following in mind:
- You can assign one or more roles to each group.
- You can only update the role name. The group name is not editable.
- If a change in the group-role mapping occurs, it takes effect from the next login session onwards.
- If there are no mappings, all enterprise users are assigned the default developer role.
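The following is an added example, not code from Choreo or Asgardeo, that shows how the mapping rules above resolve to a set of roles at login time: the groups attribute is treated as mandatory (as configured in Step 1), group names are matched exactly, a group may carry several roles, and an organization with no mappings at all falls back to the default developer role. The mapping entries, the claim payloads and the behaviour for a user whose groups match no entry (they receive no role here) are assumptions made for the illustration.

```python
# Added example (not Choreo's or Asgardeo's code): resolve Choreo roles from the
# "groups" attribute of a federated user's token according to the group-to-role
# mapping rules described on this page. Mapping values and claims are constructed.

DEFAULT_ROLE = "developer"  # with no mappings configured, every enterprise user gets this role

# Constructed mapping, as an org admin would enter it under Settings -> Organization -> Role Mapping.
# Keys are the exact group names from the enterprise IdP; each group may carry one or more roles.
ROLE_MAPPING = {
    "choreo-admins": {"admin"},
    "platform-team": {"admin", "developer"},
    "qa": {"developer"},
}


def extract_groups(claims):
    """Return the list of groups carried by the token claims.

    Raises ValueError when the attribute is absent, mirroring the "mark it
    mandatory" setting in Asgardeo: a token without the groups attribute must
    not be silently treated as a user with no groups.
    """
    if "groups" not in claims:
        raise ValueError("token lacks the mandatory 'groups' attribute")
    groups = claims["groups"]
    if isinstance(groups, str):  # some IdPs send a single group as a plain string
        groups = [groups]
    if not isinstance(groups, list) or not all(isinstance(g, str) for g in groups):
        raise ValueError("'groups' must be a string or a list of strings")
    return groups


def resolve_roles(claims, mapping=ROLE_MAPPING):
    """Map the user's groups to the set of Choreo roles.

    - No mapping configured at all: every enterprise user gets the default role.
    - Otherwise the roles are the union over the user's groups; matching is
      exact (case-sensitive, no trimming), since the console requires the
      exact group name configured at the IdP.
    - Assumption (not stated on the page): groups that match no entry
      contribute no roles, so an unmapped user ends up with an empty set.
    """
    if not mapping:
        return {DEFAULT_ROLE}
    roles = set()
    for group in extract_groups(claims):
        roles |= mapping.get(group, set())
    return roles


if __name__ == "__main__":
    # Constructed claim payloads, as Asgardeo would receive them from the enterprise IdP.
    print(resolve_roles({"sub": "alice", "groups": ["platform-team", "qa"]}))   # {'admin', 'developer'}
    print(resolve_roles({"sub": "bob", "groups": "choreo-admins"}))             # {'admin'}
    print(resolve_roles({"sub": "carol", "groups": ["Choreo-Admins"]}))         # set(): case differs
    print(resolve_roles({"sub": "dave"}, mapping={}))                            # {'developer'}
```

Two points worth checking against your own setup: the empty-set case shows why an exact, case-sensitive group name in the console matters, and the ValueError path is what you should expect once the groups attribute is marked mandatory but the IdP stops sending it.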