Managing Single Sign-On (SSO)
Enabling SSO allows company- and global-level administrators to manage third-party sign-in/sign-up processes. These are handled by "SAML providers". Each SAML provider handles a specific domain: if anyone attempts to sign in to the MyRBQM® portal using an email address from that domain, they are redirected to the third-party sign-in/sign-up page, and the outcome of that process tells our system what should happen to this user next.
The Company Management section of the Configuration Hub provides a section to manage SAML providers:
To create a new SAML provider (only for Global Administrators):
The domains are globally exclusive, so if the “abc.com” domain were created for one company, no other company can have this domain handled by their SAML provider. An attempt to create such a provider would return an error.
A newly created SAML provider will have the specified domain. It will be disabled, have default settings, will have the auto-provision setting turned off, and its list of ignored emails will be populated by all the email addresses of the company-level administrators of this company that come from the specified domain.
Individual SAML Provider List Element
Each of the SAML providers is presented in the list as a “box”. The border and the background of that box are dependent on whether the SAML provider is enabled or not: the border is dashed and the background is gray if the SAML provider is disabled.
Inside this “box”, there are several elements that display and control the following parameters of the SAML provider:
- Domain
- Status (enabled/disabled)
- Settings
- Auto-provision of the new users
- The list of ignored emails.
Additionally, each SAML provider has a link that is displayed as the “SAML sign-in link”, which is generated from the URL of our system and the domain. This link can be used by third-party users (or integrated into their system) in order to bypass the Cyntegrity login screen entirely.
Domain
The field that displays the domain handled by this SAML provider is non-editable (read-only). If the domain needs to be changed, this SAML provider should be removed and a new one should be created instead with the desired domain.
Enabling/Disabling a SAML Provider
Each SAML provider can be either enabled or disabled. A disabled SAML provider does not redirect the users attempting to sign in.
When the SAML provider is first created, it is disabled. It can be enabled via the Enable button, and an enabled provider, conversely, can be disabled via the Disable button. Both of these actions require the user to confirm their action in the pop-up that opens.
Settings
A SAML provider is configured via the contents of the “SAML settings” text-area. In it, the configuration must be given in JSON format. MyRBQM only supports the email-address name ID format, i.e. `"identifierFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"`.
When a new SAML provider is created, its settings are pre-set to this:
Generating SAML Settings from Metadata
The SAML settings can be generated from metadata. Not all settings can be generated from metadata, so this is an optional initial step before manual configuration. To do this, the user should click the Generate from metadata button. This opens a pop-up with a text-area into which the user can paste the metadata in XML format.
After the user clicks the Generate SAML settings from this metadata button in this pop-up, our system will attempt to parse the contents of that text-area and generate the SAML settings accordingly. The specific algorithm that does that is too complex to be described here in detail. The “SAML settings” text area’s content will be replaced by the generated settings, so the user will have to save them manually after this.
Auto-provision
The Automatically provision new users checkbox defines what happens when someone tries to sign in to our system with an email address from the domain handled by this SAML provider, but that email is not registered in our database. If it is not checked, the sign-in process fails. If it is checked, a new user is created in our system for this email. By default, this checkbox is not checked.
Checking or unchecking this checkbox prompts the user to confirm this action by opening a pop-up. Disabling the auto-provision will not remove the users that were automatically created for this company before.
The list of ignored emails
Each SAML provider has a text-area where the specific email addresses that should not be handled by it, despite belonging to its domain, can be listed. For example, if a SAML provider handles the “abc.com” domain, but has the “test@abc.com” in this list, the user attempting to sign in to our system using this email will not be redirected to the third party sign-in/sign-up process, instead, our default sign-in process will be used.
Only emails belonging to the domain handled by this SAML provider are accepted in the list; attempting to add any other email prevents the user from saving the list, highlights the text area in red, and notifies the user about the problem.
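The routing rules described above (domain lookup, disabled providers, the ignored-email list, auto-provision and the supported name ID format) are easy to get subtly wrong in an implementation, so here is an added example, not MyRBQM's own code, that models them with constructed data. The `SamlProvider` class, the function names and the sample addresses are assumptions for illustration.

```python
from dataclasses import dataclass, field

# The only name ID format this page says MyRBQM supports.
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"


@dataclass
class SamlProvider:
    """Constructed model of the per-provider fields described on this page."""
    domain: str
    enabled: bool = False                 # a new provider starts disabled
    auto_provision: bool = False          # off by default
    ignored_emails: set[str] = field(default_factory=set)
    settings: dict = field(default_factory=lambda: {"identifierFormat": EMAIL_NAMEID})


def email_domain(email: str) -> str:
    # Compare domains case-insensitively so "User@ABC.com" matches "abc.com".
    return email.rsplit("@", 1)[-1].lower()


def invalid_ignored_emails(provider: SamlProvider, emails: list[str]) -> list[str]:
    """Entries outside the provider's domain; a non-empty result means the list cannot be saved."""
    return [e for e in emails if email_domain(e) != provider.domain.lower()]


def settings_supported(provider: SamlProvider) -> bool:
    """Reject settings that do not use the email-address name ID format."""
    return provider.settings.get("identifierFormat") == EMAIL_NAMEID


def redirects_to_saml(email: str, providers: dict[str, SamlProvider]) -> bool:
    """Step 1: is this sign-in attempt sent to the third-party page at all?"""
    p = providers.get(email_domain(email))
    if p is None or not p.enabled:        # no provider, or a disabled one: default login
        return False
    return email.lower() not in {e.lower() for e in p.ignored_emails}


def after_saml_assertion(email: str, providers: dict[str, SamlProvider], known_users: set[str]) -> str:
    """Step 2: what happens once the third-party sign-in succeeds for this email."""
    p = providers[email_domain(email)]
    if email.lower() in known_users:
        return "sign_in"
    return "provision_user" if p.auto_provision else "fail"


# Constructed sample data: one enabled provider for abc.com with one ignored address.
PROVIDERS = {"abc.com": SamlProvider("abc.com", enabled=True, ignored_emails={"test@abc.com"})}
KNOWN_USERS = {"alice@abc.com"}
```

Disabling the provider or adding an address to `ignored_emails` both fall through to the default sign-in, which is the behaviour the sections above describe.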
Allow Login and SSO
The Allow Login setting is also presented in the SSO section, under “Automatically provision new users”.
If “Automatically provision new users” is switched on (as shown in the picture below), the company administrator can set the “Allow Login” parameter.
By default, “Allow Login” is False.