Single Sign-On with STA
This page describes how to configure SafeNet Trusted Access (STA) as an IdP for use with SSO in CCC. Complete the steps on this page after completing the main SSO configuration procedure described in Single Sign-On.
The configuration steps described in this document are indicative and may vary based on tenant-specific settings, security policies, and enabled features.
Prerequisites
Ensure the following prerequisites are met before starting:
- An active STA account
- STA admin permissions to create applications for SSO integration and manage users, groups, and user attributes
- An operational CCC instance with an admin user
- User accounts available in STA for assignment to the CCC application
Configure STA
Log in to the STA console using administrator credentials.
Navigate to the Applications section from the top-right menu.
Click the + icon to add a new application.
Search for and select the Generic Template from the Add Application menu.
Configure the application by entering a display name, selecting OIDC as the integration protocol, and selecting Confidential as the access type.
After the application is created, review the configuration page displaying the Client ID, Client Secret, and Well-Known Configuration URL, then click Next Step.
Configure the OIDC settings by setting Authorization Code to client defined, enabling the Password Grant and Implicit options, leaving the UserInfo Signature Algorithm and Request Signature Algorithm at their default values (RSA-SHA256), and noting that the redirect URL will be provided later from CCC.
Review the default identity claims.
Add two custom identity claims named role and orgName, then save the configuration.
Assign users to the application by selecting either All users or Users from specific user groups, based on your requirements, and save the assignment.
Configure CCC
Log in to CCC using an admin account and begin the SSO configuration.
Navigate to Administration > Single Sign-On > Add SSO.
Enter the required SSO configuration values, including the SSO Display Name, Alias, Discovery URL (Well-Known Configuration URL from STA), Client ID, Client Secret, Role Claim Name, and Organization Claim Name (orgName).
After entering the Discovery URL, click Connect to validate the configuration and fetch the remaining endpoints.
Copy the generated redirect URI from CCC and update it in the STA application configuration.
Click Add SSO to save and activate the configuration.
Verify the SSO setup by confirming that the SSO entry appears in the SSO list and a new SSO login option appears on the CCC login screen.
Advanced STA Configuration – Users and Groups
Create STA user groups for CCC roles.
Navigate to Groups > Group Maintenance, click New, and create the ccc_admin (CCC admin role) and ccc_user (CCC application owner role) groups.
Create STA users by navigating to Groups > Create User, entering the required user details, and adding the user.
Assign users to groups.
Open the user profile, navigate to Group Membership, add the user to the appropriate group, and apply the changes.
Provision the user account by navigating to Authentication Methods, selecting Provision, choosing Password, and completing the provisioning process.
Set a temporary password for the user by navigating to Password, generating a temporary password, and assigning it to the user.
Configure the organization attribute for Application Owner users by setting the CCC organization name in the Custom #1 field, ensuring that the value exactly matches an organization already configured in CCC under Accounts > Organizations.
Activate the user account by completing the verification process from the email sent after provisioning, after which the account is ready for SSO login.
With these steps complete, the STA and CCC SSO integration is fully configured. Users can now authenticate to CCC using STA credentials.
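If a test login succeeds in STA but the user lands in CCC with the wrong role or no organization, inspect the ID token claims. The following is an added example, not code from STA or CCC: it decodes a token payload (inspection only, no signature verification) and checks the role and orgName claims, assuming the role claim carries the STA group name and using a constructed organization list and sample token.

```python
import base64
import json

# Assumptions for this sketch, not taken from STA or CCC: the role claim
# carries the STA group name, and CCC_ORGANIZATIONS is a constructed sample.
KNOWN_ROLES = {"ccc_admin", "ccc_user"}
CCC_ORGANIZATIONS = {"Example Org"}


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def sample_token(claims: dict) -> str:
    """Build a constructed token with a placeholder signature for the demo."""
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join([b64url(json.dumps(header).encode()),
                     b64url(json.dumps(claims).encode()), "placeholder"])


def decode_payload(id_token: str) -> dict:
    """Decode the payload for inspection only; the signature is not verified."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def check_claims(claims: dict) -> list:
    """List the problems that would break role or organization mapping."""
    problems = []
    role = claims.get("role")
    roles = [r for r in (role if isinstance(role, list) else [role])
             if isinstance(r, str)]
    if role is None:
        problems.append("missing claim: role")
    elif not KNOWN_ROLES.intersection(roles):
        problems.append(f"unexpected role value: {role!r}")
    org = claims.get("orgName")
    # Only Application Owner users (ccc_user) need an organization value.
    if "ccc_user" in roles and not (isinstance(org, str) and org in CCC_ORGANIZATIONS):
        known = {o.casefold() for o in CCC_ORGANIZATIONS}
        near = isinstance(org, str) and org.strip().casefold() in known
        problems.append(f"orgName {org!r} does not match a CCC organization"
                        + (" (differs only by case or whitespace)" if near else ""))
    return problems


if __name__ == "__main__":
    token = sample_token({"sub": "alice", "role": "ccc_user", "orgName": "example org "})
    print(check_claims(decode_payload(token)))
```

Replace the sample token with one captured from a test login and set CCC_ORGANIZATIONS to the names listed under Accounts > Organizations.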