Domains

A Domain defines how a group of users authenticates to Signum. Each Domain has a type (SAML2, OAuth2, Local Users, or Certificate Users) that determines the authentication mechanism and which parts of Signum those users can access.

Multiple Domains can be active at the same time. For example, you might configure a SAML2 Domain for developers who log in interactively through your IdP, and a separate Certificate Users Domain for unattended build agents that authenticate with a client certificate.

Domain Compatibility

Not all domain types work with all parts of Signum. The table below shows which domain types are supported for each access point:

| Domain Type | Web Admin Console | Windows Agent (attended) | Windows Agent (unattended) | Linux Agent | macOS Agent |
|---|---|---|---|---|---|
| SAML | ✓ | ✓ | | | |
| OAuth | ✓ | ✓ | | | |
| Local Users (username/password) | ✓ | ✓ | ✓ | ✓ | ✓ |
| Certificate Users | ✓ | | ✓ | ✓ | ✓ |


Create a Domain

To create a new domain:

  1. In the Admin Web Console, navigate to Access > Domains.

  2. Click New. The domain creation window appears.

  3. Configure the following options:

| Option | Description |
|---|---|
| Domain Alias | The identifier users enter when logging in to reference this domain. For Local Users domains, users log in as username@alias, for example, john@buildagents. For SAML2 and OAuth2 domains, the alias can match your organization's email domain (for example, companyname.com) so users can log in using their standard email address. |
| Domain Type | The authentication method for this domain. Select from SAML2, OAuth2, Local Users (Username & Password), or Certificate Users. |
| Concurrency Per User | When enabled, allows a single user to be authenticated into multiple agent sessions simultaneously. Useful for service accounts running parallel build pipelines. |
| User Limit | The maximum number of users that can be configured in this domain. |

  4. Click Submit to create the domain. Depending on the domain type selected, additional configuration options appear.


Domain Types

  • SAML2 Domain: Authenticate users via a SAML2 Identity Provider such as Azure AD, Okta, or Entra ID.

  • OAuth2 Domain: Authenticate users via an OAuth2 / OpenID Connect provider.

  • Local Users Domain: Manage users with username and password credentials stored in Signum.

  • Certificate User Domain: Authenticate users using a client certificate, typically for unattended agents and CI/CD pipelines.


User Groups

User groups are not created in Signum but come from your Identity Provider. When a user authenticates via a SAML2 or OAuth2 domain, the IdP includes their group memberships in the assertion or token. Signum reads these groups and makes them available for role assignment, so you can assign a Signum role to an entire IdP group rather than to individual users one by one.

Local Users and Certificate Users domains have one default group. The default group includes all users in the domain.

For example, if your organization has an Azure AD group called signing-admins, you can assign the Signum Administrator role to that group. Every member of signing-admins automatically gets the Administrator role in Signum when they log in, without needing individual role assignments. For more information, see Roles.

For Signum to receive group membership, your IdP must be configured to include group claims in the SAML assertion or OAuth token. The attribute name for groups must match the Groups field in your domain's attribute mapping configuration. See SAML2 Domain or OAuth2 Domain for details.
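
A quick way to confirm the group-claim requirement above before assigning roles is to inspect a decoded SAML assertion captured from a test login and compare its attribute names with the Groups field. The script below is an added example, not Signum code: the sample assertion, the function names, and the exact-string comparison are assumptions for illustration, and it only inspects attributes without validating the assertion's signature.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (unsigned, trimmed to the parts inspected here).
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>john@companyname.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="email">
      <saml:AttributeValue>john@companyname.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>signing-admins</saml:AttributeValue>
      <saml:AttributeValue>developers</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

def assertion_attributes(assertion_xml):
    """Return {attribute name: [values]} from a decoded SAML2 assertion."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [(v.text or "").strip()
                  for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs

def check_group_mapping(assertion_xml, groups_field):
    """Compare the configured Groups attribute name with what the IdP sent."""
    attrs = assertion_attributes(assertion_xml)
    if groups_field in attrs:
        return {"ok": True, "groups": attrs[groups_field], "hint": None}
    # Exact match failed: report any attribute that looks like a group claim.
    candidates = [name for name in attrs if "group" in name.lower()]
    if candidates:
        hint = "assertion carries %s; set the Groups field to that exact name" % candidates
    else:
        hint = "no group attribute present; enable group claims in the IdP"
    return {"ok": False, "groups": [], "hint": hint}

if __name__ == "__main__":
    for field in ("groups",
                  "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"):
        print(field, "->", check_group_mapping(SAMPLE_ASSERTION, field))
```

With the sample input, a Groups field of "groups" finds nothing even though the IdP sent group values under the longer claim URI, which is the mismatch that leaves an IdP group such as signing-admins without its assigned role.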