Setting up SSO
SSO (Single Sign-On) lets users log in with accounts in other systems. Ordinarily, users log in using a username, password and the login button, and this is then authenticated based on the user database in your system, or through Active Directory. With SSO, you can also provide users a "Sign In With Google" button, and not just Google but also Office 365 and a number of other providers, including Okta.
This SSO feature makes use of technology you may hear referred to as OAuth or OpenID Connect.
OpenID Connect lets our platform's users log in using a variety of third-party authentication systems. In this section we'll go over setting up an OpenID Connect service for use in our platform.
The cloud system provides SSO for Google accounts automatically. However, if you need to add SSO connectivity for another service, you can find some help with that here.
Important: Setting up SSO can be a technically complex process. There is a limit to how much support we can provide for setting up SSO, as some of it (such as permissions setup and payments with the vendor) will be out of our hands or beyond the scope of what we're able to support.
Setting Up Users
By default, users must be configured in the system before they will be able to log in using a third-party system. The first time a user logs in, the email addresses must match between the user defined in your account and the email address defined in the third-party system.
If you want users to be signed up automatically, you must create a user called template. This user will contain the default roles / settings that will be copied into any new user who attempts to sign in using that third-party system.
If there is no template user, and no user can be found that matches the email address, then the user will not be able to log in to your system.
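The sign-in rules in this section, as an added example (not the platform's own code): a dry run that shows, for each email address in a third-party directory, whether the login would match an existing user, create a new user with the template user's roles, or be refused. The field names, role names, exact-match comparison and sample data are assumptions.

```python
# Added example: models the rules described above; not the platform's own code.
# Field names, role names and all sample data are constructed assumptions.
from dataclasses import dataclass, field


@dataclass
class User:
    username: str
    email: str
    roles: list = field(default_factory=list)


def preview_sso_login(users, idp_email):
    """Return (outcome, roles) for one email address asserted by the provider."""
    # An existing user whose email matches signs in with their own roles.
    # Assumption: addresses are compared exactly as stored.
    for user in users:
        if user.username != "template" and user.email == idp_email:
            return "matched", list(user.roles)
    # No match: a user called "template" supplies the roles for a new user.
    template = next((u for u in users if u.username == "template"), None)
    if template is not None:
        return "auto-created", list(template.roles)
    # No match and no template user: the login is refused.
    return "denied", []


def preview_rollout(users, idp_emails):
    """Dry run over a provider directory export; nothing is modified."""
    return {email: preview_sso_login(users, email) for email in idp_emails}


# Constructed sample data.
USERS = [
    User("alice", "alice@example.com", ["admin"]),
    User("bob", "bob@example.com", ["viewer"]),
    User("template", "", ["editor"]),
]
IDP_EMAILS = ["alice@example.com", "Bob@example.com", "carol@example.com"]

if __name__ == "__main__":
    for email, (outcome, roles) in preview_rollout(USERS, IDP_EMAILS).items():
        print(f"{email:22} {outcome:13} roles={roles}")
```

In the sample, Bob@example.com does not match bob@example.com under the exact-match assumption, so the template user turns that mismatch into a second account carrying the template's roles rather than a refused login.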
Adding Web Services
Every "Sign In Using..." button will need a separate entry in the Web Services list under Configuration.
Start by logging in as an admin user, then go to the Configuration tab, and click "Web Services". Click "+" to add a new Web Service, and provide a name such as Microsoft. Make sure that For Login is set to Yes.
The remainder of the settings will be provided by the third-party system you are using for authentication. We'll provide help for a couple of common systems: Microsoft and Google. Click the link to take you to the specifics of that section.
Please note: once a user has logged in with SSO, their ability to log in with a password will be disabled for security reasons. If you need to reset a user so they can log in with a password again, please contact us.
SSO Only?
If you want users to log in only through SSO, please set the "Login SSO Only" setting in the Configuration Tab / Authentication Options area. If you do this, then only the SSO button(s) will be visible on the login page. There will be a link, however, to expand a hidden username and password login field. This may be needed to use the system admin login (to fix issues with SSO, for example).