Using CloudLink as IdP

I know it’s possible to configure SAML 2.0 integration for a CloudLink account with a 3rd party IdP such as Azure AD.

However, is it possible to support the reverse? For example, set up an external application for Single Sign-On (SSO) to CloudLink via SAML 2.0 where CloudLink is the IdP?

If so, how do you generate the SAML certificate?

Hi Jared - At this time, you can’t use CloudLink as an IdP for SAML based SSO. I will confirm, but I don’t think this is on the roadmap.

Now this is all just for fun and entirely theoretical, but I suppose you could build a pass-through portal depending on what the other application is capable of. Let’s say this third party application (TPA) has a unique identifier called ‘EmployeeID’. You could create a User Tag called, “EmployeeID” and set the appropriate value for each of your CloudLink Users. You would then create a login portal that does this:

  1. Prompts the user for their CL credentials
  2. Uses the CL credentials to obtain a token from the Auth API
  3. Uses the token to execute GET /accounts/{accountId}/users/{userId}/tags/EmployeeID, which returns that user’s EmployeeID for the TPA
  4. The user is redirected to the TPA, and the EmployeeID is used in some fashion to log the user in.

This example is just to keep it simple, but you could use any kind of shared key that isn’t the “EmployeeID”. This also depends on the TPA being able to log a user in using that key. The caveat here is that this really isn’t a very secure way of handling SSO, since the values in those tags can be accessed by any user regardless of role…
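The four portal steps above as an added sketch (not CloudLink's code or the answerer's), which also goes one step past the answer's caveat: because the tag value is readable by any CloudLink user, the portal hands the TPA a short-lived HMAC-signed assertion instead of the bare EmployeeID, so knowing the tag alone is not enough to log in. The CloudLink Auth/Admin API is replaced by a constructed in-memory stand-in; its method shapes (a token call that also returns the userId, a tag getter mirroring the GET path in step 3) and the portal secret are assumptions.

```python
import base64, hashlib, hmac, json, secrets, time
TAG = "EmployeeID"  # the User Tag from the answer above

class FakeCloudLink:
    """Constructed in-memory stand-in for the CloudLink APIs; endpoint shapes are assumed."""
    def __init__(self, users):
        self.users = users  # {username: (password, userId, employeeId)}, constructed sample data
        self.tokens = {}
    def token(self, username, password):  # step 2: credentials -> token (assumed to return userId too)
        pw, user_id, _ = self.users[username]
        if not hmac.compare_digest(pw, password):
            raise PermissionError("bad credentials")
        self.tokens[(t := secrets.token_hex(8))] = username
        return t, user_id
    def get_tag(self, token, account_id, user_id, tag):
        # step 3: GET /accounts/{accountId}/users/{userId}/tags/{tag}. Any authenticated
        # user can read any user's tag, which is the caveat given in the answer.
        if token not in self.tokens:
            raise PermissionError("no token")
        return {(uid, TAG): emp for _, (_, uid, emp) in self.users.items()}[(user_id, tag)]

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_assertion(employee_id, portal_secret, ttl=60, now=None):
    """Bind the EmployeeID into a short-lived HMAC-signed assertion so the TPA trusts the portal's signature, not the bare tag."""
    now = int(time.time()) if now is None else now
    claims = {"emp": employee_id, "exp": now + ttl, "nonce": secrets.token_hex(8)}
    body = json.dumps(claims, separators=(",", ":")).encode()
    return _b64(body) + "." + _b64(hmac.new(portal_secret, body, hashlib.sha256).digest())

def verify_assertion(blob, portal_secret, now=None):
    """TPA side: return the EmployeeID if the signature is valid and unexpired, else None."""
    now = int(time.time()) if now is None else now
    try:
        body, mac = (_unb64(part) for part in blob.split("."))
    except (ValueError, TypeError):
        return None
    if not hmac.compare_digest(hmac.new(portal_secret, body, hashlib.sha256).digest(), mac):
        return None
    claims = json.loads(body)
    return claims["emp"] if claims["exp"] > now else None

def portal_login(cl, account_id, username, password, portal_secret, now=None):
    """Steps 1-4 of the answer: credentials -> token -> tag lookup -> signed assertion for the TPA redirect."""
    token, user_id = cl.token(username, password)
    return mint_assertion(cl.get_tag(token, account_id, user_id, TAG), portal_secret, now=now)
```

The TPA would still need to accept the assertion and look the user up by EmployeeID, and the portal secret must be shared only between portal and TPA; the answer's point stands that any CloudLink user can still read the tag itself.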