# Configuring Straatos for SSO

Once CumulusPro Support has configured the IdP, the Straatos organisation can be configured to work with it. For the IdP to work correctly, you need a custom domain configured for the TaskUI.

Custom Domain Setup for TaskUI:

* Domain Options:

  * You can use a custom domain (example: app..com) or a domain provided by CumulusPro (example: .cumuluspro.net).

* DNS Configuration:

  * If you use your own domain, configure CNAME entries with your DNS provider to point to the designated CumulusPro server.

* SSL Certificate:
  * Provide an SSL Certificate for your custom domain to ensure secure connections.

CumulusPro will set up the whitelabel configuration for your application, providing the following critical information:

* Custom Policy Name:
  * You will receive a specific policy name tailored to your organizational requirements.
* Domain Name:
  * A domain name will be provided, which will be integral to your application's access and identity configurations.

{% hint style="info" %}
These options are required to configure and link the IdP to your Straatos organisation.
{% endhint %}

***

### **Configuring the Straatos organisation to work with your IdP**

1. Go to '<https://straatosv2-api-qa-eu.cumuluspro.net/swagger/index.html>'.

2. Navigate to the organisations API and select the 'PUT /IAM/Organisations/{id}' API.

3. Enter your organisation's ID.

4. In the body, enter the following details:
   1. ssoIdentityProvider:
      1. The value for the adIssuer is the one that is provided in the token claim. It should look like this:
         1. `https://login.microsoftonline.com//v2.0`, where the empty path segment should be the Directory (tenant) ID from your app registration.
   2. ssoClientId:
      1. The GUID from the client application created above.
   3. ssoClientSecret:
      1. The Client Secret created in the client application above.
   4. ssoIdentityExperiencePolicy:
      1. Provided by CumulusPro and will look similar to this: B2C\_1A\_SIGNUP\_SIGNIN\_TEST.

5. Execute the API call.
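The following added example (not part of the CumulusPro documentation) checks the body values before step 5 and compares `ssoIdentityProvider` with the `iss` claim of a sample token, since a mismatched issuer is an easy mistake to make here. It assumes a flat JSON body using the four field names above; the helper names and all sample values are constructed.

```python
import base64
import json
import re

GUID = r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"
# Issuer format shown on this page: login.microsoftonline.com/<tenant ID>/v2.0
ISSUER_RE = re.compile(rf"https://login\.microsoftonline\.com/({GUID})/v2\.0")
REQUIRED = ("ssoIdentityProvider", "ssoClientId", "ssoClientSecret",
            "ssoIdentityExperiencePolicy")

def issuer_from_token(token):
    """Return the 'iss' claim of a JWT WITHOUT verifying it (config check only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))["iss"]

def check_sso_body(body, sample_token=None):
    """Return a list of problems found in the request body (empty list = OK)."""
    problems = [f"{k} is missing or empty" for k in REQUIRED if not body.get(k)]
    issuer = body.get("ssoIdentityProvider", "")
    if issuer and not ISSUER_RE.fullmatch(issuer):
        problems.append("ssoIdentityProvider is not .../<tenant GUID>/v2.0")
    client_id = body.get("ssoClientId", "")
    if client_id and not re.fullmatch(GUID, client_id):
        problems.append("ssoClientId is not a GUID")
    if sample_token and issuer and issuer_from_token(sample_token) != issuer:
        problems.append("ssoIdentityProvider differs from the token's iss claim")
    return problems

def make_token(claims):
    """Build an unsigned, JWT-shaped string (constructed, for the demo only)."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'typ': 'JWT'})}.{enc(claims)}."

# Constructed sample values; none of them are real identifiers.
TENANT = "11111111-2222-3333-4444-555555555555"
GOOD = {
    "ssoIdentityProvider": f"https://login.microsoftonline.com/{TENANT}/v2.0",
    "ssoClientId": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    "ssoClientSecret": "placeholder-secret",
    "ssoIdentityExperiencePolicy": "B2C_1A_SIGNUP_SIGNIN_TEST",
}
TOKEN = make_token({"iss": GOOD["ssoIdentityProvider"]})

if __name__ == "__main__":
    print(check_sso_body(GOOD, TOKEN))
    print(check_sso_body({**GOOD, "ssoIdentityProvider": f"https://sts.windows.net/{TENANT}/"}, TOKEN))
```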

***

### **Configuring the Straatos Groups to match the AD/Entra Groups**

The groups from Active Directory/Entra need to be linked with the groups from Straatos to enable automatic user management.

1. Go to `https://straatosv2-api-qa-eu.cumuluspro.net/swagger/index.html`.
2. Navigate to the organisations API and select the 'PUT /IAM/Groups/{id}' API.
3. Enter the ID of the Straatos group that you want to link to the AD/Entra group.
4. In the body, enter the 'ssoGroupGuid'. The value is the Entra/AD Group ID you want to link. (example: 'df48830e-bda7-45b0-b135-03abd3a79c93').
5. Execute the API call.


