Single Sign-On FAQ
This information applies to SwaggerHub On-Premise. For SwaggerHub SaaS, click here.
Which identity providers does SwaggerHub On-Premise support for single sign-on?
SwaggerHub On-Premise currently supports:
Okta
Active Directory
OpenLDAP (since SwaggerHub On-Premise 1.18.8)
GitHub
If you are considering another identity provider, please contact SmartBear Support.
Do I need to create the users in SwaggerHub beforehand?
No. SwaggerHub supports just-in-time user provisioning, which means the users will be created in SwaggerHub automatically the first time they log in via SSO.
Can SSO help limit the users who can access SwaggerHub and consume a license?
If you use LDAP – SwaggerHub On-Premise 1.18.0 and later allow you to limit access to specific LDAP user groups.
If you use SAML, this depends on your identity provider (IdP). Some IdPs (like Okta) let you limit application access to specific users and groups. Check with your IdP to learn if it supports this.
Can SSO control user roles inside SwaggerHub (such as view-only access to a specific API definition)?
Not at this time.
Does SSO for SwaggerHub support SCIM?
Not at this time.
What happens to existing users, user permissions and API definitions if we migrate from internal authentication to SSO or vice versa?
All the users, user permissions and data are preserved. However, you may need to migrate existing users to SSO or to internal authentication.
If migrating from internal authentication to SSO:
Make sure the existing users (including the admin user) have the same email addresses as in your IdP. If needed, ask the users to update their email addresses in SwaggerHub to match their IdP email addresses.
In versions prior to 1.20.1, after you enable SSO, you need to run a maintenance script to migrate the existing users to SSO. Internal users that have not been migrated will become inactive. They will not be able to access SwaggerHub and will not count towards the license user limit. Their APIs and domains are preserved though and can be used by other users.
Note
In later versions, the existing users are migrated to SSO automatically.
If migrating from SSO to internal authentication:
Each user will have to set a SwaggerHub password by using the Forgot Login Info? link on the SwaggerHub login page. Then the users can continue accessing SwaggerHub by using their username and password.
Can we change the SAML identity provider used with SwaggerHub?
Yes, as long as the users keep the same email address, they will be able to access their existing accounts. However, if a user has a different email address in the new IdP, a new user account will be created in SwaggerHub.
Is it possible to remove SSO users from SwaggerHub? For example, if a user was removed from the SSO provider.
This is possible in SwaggerHub On-Premise 1.18.4 and later – an administrator can delete registered users on the License page of the Admin Center. If you use an earlier version, consider upgrading, or contact SmartBear Support for assistance in removing SSO users.
How do I use the SwaggerHub API when SSO is enabled?
SwaggerHub Registry API uses API keys for authentication, it does not use SSO. The API does not care which authentication type your SwaggerHub instance uses. Users can get API keys in their user settings in SwaggerHub.