SSO Integration Mode
Overview:
This mode is configured in the backend and will need an IT Representative from the client/tenant side that is capable of configuring SSO Integration from their system. This is achieved by connecting Sprout’s Identity Provider system to the external identity provider via open standards such as SAML2.0 or OpenID Connect/OAuth2.0.
The SSO Integration activity involves setting up App or Client Registrations on the host Identity Provider, handing over SAML metadata or OpenID settings, authentication keys (client ID, secret) and other recommended configuration. Sprout will provide a guide for integrations that have been done before (e.g. Okta, SAML-based, and Active Directory, OpenID Connect-based), but if the external identity provider is a new one, figuring out the SSO Integration settings will be a joint responsibility of the tenant/client's IT Representative and Sprout.
Under this mode, we can allow an alternative approach: login via the client's external system.
In the screenshot above, we are allowing sign-in via Sprout's Azure Active Directory account when trying to access Sprout HR. The system can also be configured to automatically redirect login to the external identity provider.
Account Linking:
Under SSO Integration mode, the User Account in Sprout needs to be linked to the User Account in the external identity provider. In most cases, account linking only needs to be done once during the first login.
There are 3 ways to configure account linking:
Option 1: Account linking via email verification (recommended)
- The system detects that the user accounts have the same email address.
- The user must confirm the linking after email verification.
Option 2: Account linking via re-authentication
- This is an option if the client does not want users to confirm account linking via email verification. It is not a recommended method, because it would require sharing the re-authentication password directly with users who do not have official work emails to trigger a password reset journey.
- In this configuration, the system detects that both user accounts (Sprout's and the external identity provider's) have the same username.
- Afterward, the user will need to re-authenticate to confirm the account linking.
Option 3: Direct account linking via Sprout Support
- In this option, a file containing the mapping of the user identifier on the IdP side to the Sprout account must be provided so that Sprout's Support team can link the accounts directly on our end. The user identifier differs based on the protocol and tool used; for example, in Active Directory via SAML2.0 the user identifier is the User Principal Name (UPN).
For SSO Integration, clients might have some specific requirements for the login flow. The login flow can be configured by Sprout to an extent, but it would be best that the client describes the expected login flow so that Sprout can check if it is feasible with configuration.
Detailed steps for account linking
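The three linking options above, modelled as an added example that is not Sprout's code: option 1 completes only after a token sent to the matched mailbox is presented, option 2 completes only after the user proves the Sprout password, and option 3 links directly from a pre-supplied identifier mapping. Account data, the mapping rows, the single shared salt and the function names are constructed for illustration.

```python
import hmac
import hashlib
import secrets

# Constructed sample data; a shared salt is a simplification for this demo.
SALT = b"constructed-demo-salt"
def _pw_hash(pw):
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), SALT, 100_000)

SPROUT_USERS = {
    "S-1001": {"username": "jdoe", "email": "jdoe@example.com", "pw": _pw_hash("Secret1!")},
    "S-1002": {"username": "asmith", "email": "asmith@example.com", "pw": _pw_hash("Hunter2!")},
}
# Option 3: rows from the mapping file handed to Sprout Support (IdP identifier -> Sprout id).
SUPPORT_MAPPING = {"jdoe@corp.example": "S-1001"}
LINKS = {}    # idp_subject -> sprout_id, persisted after a successful link
PENDING = {}  # one-time token -> (idp_subject, sprout_id, option)

def find_by(field, value):
    return next((sid for sid, u in SPROUT_USERS.items() if u[field].lower() == value.lower()), None)

def start_link(idp_subject, claims, option):
    """First SSO login: decide how the IdP identity maps to a Sprout account."""
    if idp_subject in LINKS:                      # linking is a one-time step
        return ("linked", LINKS[idp_subject])
    if option == 3:                               # direct linking, no user interaction
        sid = SUPPORT_MAPPING.get(idp_subject)
        if sid:
            LINKS[idp_subject] = sid
        return ("linked", sid) if sid else ("no_match", None)
    field = "email" if option == 1 else "username"
    sid = find_by(field, claims.get(field, ""))
    if sid is None:
        return ("no_match", None)
    # The IdP-asserted match alone never links: the token must come back via the
    # Sprout-sent email (option 1) or a re-authentication challenge (option 2).
    token = secrets.token_urlsafe(16)
    PENDING[token] = (idp_subject, sid, option)
    return ("pending_email" if option == 1 else "pending_reauth", token)

def confirm_link(token, password=None):
    """Complete a pending link; the token is consumed whether or not it succeeds."""
    entry = PENDING.pop(token, None)
    if entry is None:
        return ("invalid", None)
    idp_subject, sid, option = entry
    if option == 2 and not hmac.compare_digest(_pw_hash(password or ""), SPROUT_USERS[sid]["pw"]):
        return ("reauth_failed", None)
    LINKS[idp_subject] = sid
    return ("linked", sid)
```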
Direct Login to Sprout even when SSO Integration Mode is activated:
Under SSO Integration Mode, Sprout can enable login directly to Sprout, especially for emergency situations that require administrative actions.
However, this login flow will apply to all users. There is no way to change the login flow per user, since it precedes user authentication. There is also only one login URL per Sprout application; a custom login page with a different URL is not provided by Sprout under SSO Mode by default and will be considered a custom requirement subject to additional cost.