|
| 1 | +--- |
| 2 | +title: SSO Domain Restrictions User Guide - OpenObserve Enterprise |
| 3 | +description: Learn how to configure SSO domain restrictions in OpenObserve Enterprise to control user access by email domains and enhance security. |
| 4 | +--- |
| 5 | +> This feature is only available in the OpenObserve Enterprise Edition. |
| 6 | +
|
| 7 | +This user guide provides step-by-step instructions for configuring and managing **SSO Domain Restrictions** in OpenObserve. <br> |
| 8 | +This feature allows you to control which users can log in to OpenObserve using Single Sign-On (SSO) providers. You can allow access to specific domains or even individual users from those domains. |
| 9 | + |
| 10 | +!!! note "Where to Find" |
| 11 | + The **SSO Domain Restrictions** page is available in the `_meta` org under **Management**. |
| 12 | + |
| 13 | +!!! note "Who Can Access" |
| 14 | + `Root` user and any other user who has access to the `_meta` org can access the **SSO Domain Restrictions** page. |
| 15 | + |
| 16 | +## Add Domain Restrictions |
| 17 | + |
| 18 | +??? "Step 1: Add a New Domain" |
| 19 | + 1. In the **Domain and allowed users** section, enter the domain name in the text field. |
| 20 | + > Enter only the domain name, for example, `example.com` and do not include the `@` symbol. |
| 21 | + 2. Click the **Add Domain** button. |
| 22 | +  |
| 23 | + |
| 24 | +??? "Step 2: Configure Domain Access" |
| 25 | + |
| 26 | + For each domain, you have two control options: |
| 27 | + |
| 28 | + **Option 1: Allow All Users from Domain**<br> |
| 29 | + It permits any user with an email address from the selected domain to log in using SSO. <br> |
| 30 | + > **Use case:** Allow all employees from your company domain `@example.com`. |
| 31 | + <br> |
| 32 | +  |
| 33 | + |
| 34 | + **Option 2: Allow Specific Users Only**<br> |
| 35 | + It allows you to add individual email addresses that should be permitted to log in using SSO.<br> |
| 36 | + > **Use case**: Allow only certain users from a partner organization. For example, `e1@example1.com` and `e2@example1.com`. |
| 37 | + |
| 38 | + When **Allow only specific users** is selected: |
| 39 | + <br> |
| 40 | +  |
| 41 | + |
| 42 | + 1. Enter the complete email address in the input field. |
| 43 | + 2. Click **Add Email**. |
| 44 | + 3. The email address will be added to the allowed list. |
| 45 | + 4. Repeat for additional users. |
| 46 | + 5. Use the **X** button next to any email to remove it. |
| 47 | + |
| 48 | +??? "Step 3: Save Configuration" |
| 49 | + 1. Review your domain restrictions. |
| 50 | + 2. Click **Save Changes** to apply the configuration. |
| 51 | + 3. Click **Cancel** to discard changes. |
| 52 | + |
| 53 | + |
| 54 | +## Domain Limits |
| 55 | +There is no limit on the number of domains you can configure. Add as many domains and specific users as needed for your organization. |
| 56 | + |
| 57 | +## Error Messages |
| 58 | +When **SSO Domain Restrictions** are configured, any user attempting to log in from domains or email addresses that are **NOT** in the allowed list will see an `unauthorized` error during SSO login. |
| 59 | + |
| 60 | +## Supported SSO Login Options |
| 61 | +OpenObserve allows users to log in through the following Single Sign-On options, and domain restrictions apply to all of them: |
| 62 | + |
| 63 | +- GitHub |
| 64 | +- GitLab |
| 65 | +- Google |
| 66 | +- Microsoft |
| 67 | + |
| 68 | +Domain restrictions will be enforced when users attempt to log in using any of these SSO options. |
| 69 | + |
| 70 | +## Troubleshooting |
| 71 | +**Problem**: SSO Domain Restrictions menu not visible. <br> |
| 72 | +**Solution**: Verify you are in the `_meta` organization. <br> |
| 73 | + |
| 74 | +**Problem**: Changes not taking effect. <br> |
| 75 | +**Solution**: Ensure you clicked **Save Changes** and refresh the login page. <br> |
| 76 | + |
| 77 | + |
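Review bot: The "Error Messages" section (new line 58) only covers the case "When **SSO Domain Restrictions** are configured", so the guide never states what happens when no domain has been added. Please say explicitly whether an empty list allows every SSO user or blocks all of them, so an administrator knows the effect of saving with no entries. Step 1 (new line 20) should also state whether an entry such as `example.com` matches subdomains and whether matching is case-sensitive. Minor: line 20 tells the reader not to include the `@` symbol, but the Option 1 use case on line 30 writes the domain as `@example.com`; drop the `@` there so the two agree.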