Enterprise Single Sign-On (SSO)

FlytBase supports Enterprise Single Sign-On (SSO), allowing organizations to integrate their existing Identity Provider (IdP) — such as Azure Active Directory, Okta, or Ping Identity — to authenticate users.
This feature is designed for enterprises operating drone-in-a-box systems at scale, where security and compliance are critical. By connecting your IdP, you can centralize authentication, enforce existing corporate security policies, and simplify user onboarding without creating separate FlytBase credentials.
How It Works
FlytBase implements OAuth 2.0 with OpenID Connect (OIDC) as the authentication standard. When a user attempts to log in:
FlytBase redirects the user's browser to your IdP's authorization endpoint.
The IdP authenticates the user under its own policies (MFA, password rules, conditional access).
On successful authentication, the IdP redirects the browser back to the FlytBase callback URL with an authorization code, which FlytBase exchanges at the IdP's token endpoint for tokens.
FlytBase verifies the token signature against the IdP's JWKS (JSON Web Key Set), checks the standard claims (issuer, audience, expiry), and grants access.
Because the password is only ever entered at the IdP, FlytBase never handles your users' passwords.
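The first two steps of that flow, the redirect to the IdP and the callback to the redirect URI, look like this when written out. This is an added example in Go, not FlytBase's code: it assumes a hypothetical authorization endpoint, client ID and redirect URI (the example constants), generates the PKCE verifier, state and nonce that a relying party keeps in the login session, builds the authorization request, and checks the IdP's callback. The callback URL in main is constructed for the example, using the sample authorization code from RFC 6749.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"net/url"
)

// Assumed values for this example; the real ones come from your IdP registration.
const (
	exampleAuthzEndpoint = "https://login.example.com/oauth2/v2.0/authorize"
	exampleClientID      = "flytbase-example-client"
	exampleRedirectURI   = "https://acme.flytbase.com/auth/callback"
)

var b64 = base64.RawURLEncoding // base64url without padding, as PKCE requires

// randomToken returns n random bytes, base64url-encoded; used for the PKCE
// code_verifier (RFC 7636 section 4.1), the state and the nonce.
func randomToken(n int) string {
	buf := make([]byte, n)
	if _, err := rand.Read(buf); err != nil {
		panic(err)
	}
	return b64.EncodeToString(buf)
}

// CodeChallengeS256 is BASE64URL(SHA256(ASCII(code_verifier))) (RFC 7636 section 4.2).
func CodeChallengeS256(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return b64.EncodeToString(sum[:])
}

// VerifyS256 is the check the IdP's token endpoint makes when the client presents
// code_verifier together with the authorization code.
func VerifyS256(verifier, challenge string) bool {
	return subtle.ConstantTimeCompare([]byte(CodeChallengeS256(verifier)), []byte(challenge)) == 1
}

// BuildAuthorizeURL assembles the redirect to the IdP: authorization code flow, the three
// scopes, the PKCE challenge, plus state (CSRF binding) and nonce (bound into the ID token).
func BuildAuthorizeURL(endpoint, clientID, redirectURI, state, nonce, verifier string) string {
	q := url.Values{
		"response_type":         {"code"},
		"client_id":             {clientID},
		"redirect_uri":          {redirectURI},
		"scope":                 {"openid profile email"},
		"state":                 {state},
		"nonce":                 {nonce},
		"code_challenge":        {CodeChallengeS256(verifier)},
		"code_challenge_method": {"S256"},
	}
	return endpoint + "?" + q.Encode()
}

// CheckCallback parses the IdP's redirect back to redirect_uri and returns the code only
// if state matches the value stored in the login session (rejects CSRF and code injection).
func CheckCallback(callbackURL, expectedState string) (string, error) {
	u, err := url.Parse(callbackURL)
	if err != nil {
		return "", err
	}
	q := u.Query()
	if e := q.Get("error"); e != "" {
		return "", fmt.Errorf("IdP returned error %q: %s", e, q.Get("error_description"))
	}
	if subtle.ConstantTimeCompare([]byte(q.Get("state")), []byte(expectedState)) != 1 {
		return "", fmt.Errorf("state mismatch")
	}
	if q.Get("code") == "" {
		return "", fmt.Errorf("no authorization code in callback")
	}
	return q.Get("code"), nil
}

func main() {
	verifier, state, nonce := randomToken(32), randomToken(16), randomToken(16)
	fmt.Println(BuildAuthorizeURL(exampleAuthzEndpoint, exampleClientID, exampleRedirectURI, state, nonce, verifier))
	// Constructed callback, as the IdP would redirect the browser after login:
	code, err := CheckCallback(exampleRedirectURI+"?code=SplxlOBeZQQYbYS6WxSbIA&state="+state, state)
	fmt.Println(code, err)
}
```

The verifier, state and nonce must be stored server-side against the user's login session before the redirect and consumed once; the code is then exchanged at the token endpoint together with the code_verifier, which is where the IdP applies VerifyS256.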
Supported Standards
Protocol: OAuth 2.0 + OIDC
Flows: Authorization Code Flow (with PKCE support)
Scopes: openid, profile, email
Transport security: TLS 1.2 or later is enforced on all connections.
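The last step of the flow, validating the ID token against the JWKS, is where most of the security work happens: a relying party must pin the signing algorithm, look the key up by kid, verify the RS256 signature, and only then check iss, aud, exp and nonce. The Go program below is an added example, not FlytBase's implementation; the issuer and client ID are assumed values, and a locally generated RSA key stands in for the IdP so it runs offline. It treats aud as a single string (OIDC also allows an array) and relies on encoding/json's case-insensitive field matching for the JWKS; production code would normally use a maintained OIDC library.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Assumed values for this example; the real ones come from your IdP registration.
const exampleIssuer, exampleClientID = "https://login.example.com/", "flytbase-example-client"
var b64 = base64.RawURLEncoding // JWT and JWK use base64url without padding

// JWKS as served by the IdP's JWKS endpoint (RSA members only). JSON tags are omitted
// because encoding/json matches object keys to field names case-insensitively.
type JWK struct{ Kty, Kid, N, E string }
type JWKS struct{ Keys []JWK }
// ID token claims the relying party checks (aud shown as a single string).
type Claims struct {
	Iss   string `json:"iss"`
	Aud   string `json:"aud"`
	Exp   int64  `json:"exp"`
	Nonce string `json:"nonce"`
	Email string `json:"email"`
}

// ValidateIDToken does the relying-party checks in order: pinned alg, kid lookup in
// the JWKS, RS256 signature over header.payload, then iss, aud, exp and nonce.
func ValidateIDToken(token string, keys JWKS, issuer, clientID, nonce string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	var hdr struct{ Alg, Kid string }
	rawHdr, err := b64.DecodeString(parts[0])
	if len(parts) != 3 || err != nil || json.Unmarshal(rawHdr, &hdr) != nil {
		return nil, fmt.Errorf("malformed token")
	}
	if hdr.Alg != "RS256" { // never let the token choose its own algorithm ("none", HS256, ...)
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	var pub *rsa.PublicKey
	for _, k := range keys.Keys {
		if k.Kty == "RSA" && k.Kid == hdr.Kid {
			n, _ := b64.DecodeString(k.N)
			e, _ := b64.DecodeString(k.E)
			pub = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		}
	}
	if pub == nil {
		return nil, fmt.Errorf("no RSA key with kid %q in JWKS", hdr.Kid)
	}
	sig, err := b64.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, fmt.Errorf("signature verification failed")
	}
	var c Claims
	rawBody, err := b64.DecodeString(parts[1])
	if err != nil || json.Unmarshal(rawBody, &c) != nil {
		return nil, fmt.Errorf("malformed payload")
	}
	switch {
	case c.Iss != issuer:
		return nil, fmt.Errorf("issuer %q is not %q", c.Iss, issuer)
	case c.Aud != clientID:
		return nil, fmt.Errorf("audience %q is not this client", c.Aud)
	case !now.Before(time.Unix(c.Exp, 0)):
		return nil, fmt.Errorf("token expired")
	case c.Nonce != nonce:
		return nil, fmt.Errorf("nonce mismatch")
	}
	return &c, nil
}

// Example-only stand-in for the IdP: one RS256 signing key published under kid "example-key-1".
var idpKey, _ = rsa.GenerateKey(rand.Reader, 2048)

func IdPJWKS() JWKS {
	return JWKS{Keys: []JWK{{"RSA", "example-key-1", b64.EncodeToString(idpKey.N.Bytes()),
		b64.EncodeToString(big.NewInt(int64(idpKey.E)).Bytes())}}}
}

func MintIDToken(c Claims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": "example-key-1"})
	body, _ := json.Marshal(c)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, idpKey, crypto.SHA256, digest[:])
	return input + "." + b64.EncodeToString(sig)
}

func main() {
	now := time.Now()
	tok := MintIDToken(Claims{Iss: exampleIssuer, Aud: exampleClientID, Exp: now.Add(5 * time.Minute).Unix(), Nonce: "n-abc", Email: "pilot@example.com"})
	c, err := ValidateIDToken(tok, IdPJWKS(), exampleIssuer, exampleClientID, "n-abc", now)
	fmt.Println(c.Email, err)
}
```

The order of checks matters: the signature is verified before any claim is read, so a forged payload never influences the decision, and the alg check comes first so a token cannot downgrade the verifier to an unsigned or symmetric algorithm. The email claim is only read once these checks pass, which is what makes it safe to use for the user mapping described later.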
Configuration Steps
Step 1 — Register FlytBase in Your IdP
In your IdP console (Azure AD, Okta, etc.), create a new application/client.
Select OIDC / OAuth 2.0 as the authentication protocol.
Add the Redirect URI provided by FlytBase (example: https://<org>.flytbase.com/auth/callback).
Grant the following scopes: openid, profile, email.
Step 2 — Share IdP Details with FlytBase
Your IT team must provide the following to your FlytBase technical lead (most IdPs publish the three endpoint URLs in their OIDC discovery document at /.well-known/openid-configuration):
Authorization Endpoint URL
Token Endpoint URL
JWKS Endpoint URL
Client ID and Client Secret (hand over the secret through a secure channel rather than plain e-mail or chat, and rotate it if it is ever exposed)
Step 3 — FlytBase Configuration
The FlytBase team will configure your organization with the provided IdP metadata.
Step 4 — Validate Integration
Test the login flow in a staging environment.
Confirm that the token exchange succeeds and that users are mapped to the expected FlytBase accounts.
Once the tests pass, enable SSO in production.
User Mapping and Roles
If the email asserted by the IdP matches an existing FlytBase account, that account is linked automatically and its data is preserved. Because linking is keyed on the email claim, make sure your IdP only asserts verified email addresses that users cannot change on their own.
New users are created on first login (Just-In-Time provisioning).
Roles (Admin, Operator, Viewer) continue to be managed in FlytBase using Role-Based Access Control (RBAC).
Deployment Considerations
Cloud: Works out-of-the-box.
On-Prem: Requires outbound connectivity from the FlytBase server to the IdP's authorization, token and JWKS endpoints.
Air-Gapped: Supported with pre-shared IdP metadata and offline validation; consult FlytBase Support.
Troubleshooting
Redirect URI mismatch → Ensure the URI registered in the IdP matches the FlytBase callback exactly (scheme, host and path, including any trailing slash).
Invalid scope error → Confirm openid, profile, and email are granted.
Token validation failure → Verify the JWKS endpoint is reachable from the FlytBase server and that the server clock is accurate, since expiry checks fail under clock skew.
User not found → Check if the user’s email in IdP matches their FlytBase profile.
System logs for authentication attempts can be reviewed under Admin Console → System Logs → Authentication Events.