This week we made a couple of small but important improvements related to SSO (Single Sign-on) integration.
Let’s check what’s new.
Test Mode
First, we changed the Single Sign-on option from an Enabled/Disabled checkbox to a tri-state radio button, adding Test Mode.
When Single Sign-on is enabled, all users are routed to the Identity Provider (IdP) to complete the login process. However, setting up the integration is a multi-step process: you may need to tweak options on both TeamDesk and the IdP without breaking the regular login process. That’s where Test Mode kicks in. When Test Mode is selected, the regular login process remains intact, but you can make a test run through the identity provider by navigating to the Login URL link. We recommend doing it in a Private/Incognito browser window for clean results.
Service Provider URLs
As part of the initial setup, the Identity Provider and the Service Provider exchange metadata documents containing all the settings needed for the integration. All the IdPs we’ve seen so far provide their own settings as metadata documents, but some of them are unable to import metadata documents from Service Providers; instead you have to fill in the necessary data in some sort of setup form. To help with such providers we now display the bare minimum of information needed to set up the integration: the Entity ID, the Login/ACS URL, the Logout URL and the public key the IdP needs to verify the signature on logout requests.
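The four values listed above are exactly what a SAML 2.0 SP metadata document carries. The following is an added example, not TeamDesk code, showing where each value lives in the standard EntityDescriptor structure: one function builds SP metadata from the four values, and a second extracts them back from any SP metadata document, which is handy when an IdP's setup form asks for them one by one. The URLs and the certificate string are constructed placeholders.

```python
"""Build and read SAML 2.0 Service Provider metadata (added example)."""
import xml.etree.ElementTree as ET

# Namespaces from the SAML 2.0 metadata and XML Signature specifications.
MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("md", MD)
ET.register_namespace("ds", DS)

BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
BINDING_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"


def build_sp_metadata(entity_id, acs_url, slo_url, signing_cert_b64):
    """Return SP metadata XML (bytes) carrying the four values an IdP setup form asks for."""
    root = ET.Element(f"{{{MD}}}EntityDescriptor", {"entityID": entity_id})
    sp = ET.SubElement(root, f"{{{MD}}}SPSSODescriptor", {
        "protocolSupportEnumeration": "urn:oasis:names:tc:SAML:2.0:protocol",
        "WantAssertionsSigned": "true",  # the SP insists on signed assertions
    })
    # Public key (as an X.509 certificate) the IdP uses to verify the SP's signed logout requests.
    key = ET.SubElement(sp, f"{{{MD}}}KeyDescriptor", {"use": "signing"})
    info = ET.SubElement(key, f"{{{DS}}}KeyInfo")
    data = ET.SubElement(info, f"{{{DS}}}X509Data")
    ET.SubElement(data, f"{{{DS}}}X509Certificate").text = signing_cert_b64
    # Logout URL: where the IdP sends LogoutRequest/LogoutResponse messages.
    ET.SubElement(sp, f"{{{MD}}}SingleLogoutService",
                  {"Binding": BINDING_REDIRECT, "Location": slo_url})
    # Login/ACS URL: where the IdP posts the authentication response.
    ET.SubElement(sp, f"{{{MD}}}AssertionConsumerService",
                  {"Binding": BINDING_POST, "Location": acs_url,
                   "index": "0", "isDefault": "true"})
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)


def extract_sp_settings(metadata_xml):
    """Pull entity ID, ACS URL, logout URL and signing certificate out of SP metadata.

    Works on any SAML 2.0 EntityDescriptor with an SPSSODescriptor, not only the
    one produced above; raises ValueError when a required element is missing.
    """
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    sp = root.find(f"{{{MD}}}SPSSODescriptor")
    if sp is None:
        raise ValueError("no SPSSODescriptor present")
    # Prefer the default ACS endpoint, fall back to the first one listed.
    acs = sp.find(f"{{{MD}}}AssertionConsumerService[@isDefault='true']")
    if acs is None:
        acs = sp.find(f"{{{MD}}}AssertionConsumerService")
    if acs is None:
        raise ValueError("no AssertionConsumerService present")
    slo = sp.find(f"{{{MD}}}SingleLogoutService")
    # A KeyDescriptor without a 'use' attribute is valid for both signing and encryption.
    cert = sp.find(f"{{{MD}}}KeyDescriptor[@use='signing']/{{{DS}}}KeyInfo/"
                   f"{{{DS}}}X509Data/{{{DS}}}X509Certificate")
    if cert is None:
        cert = sp.find(f"{{{MD}}}KeyDescriptor/{{{DS}}}KeyInfo/"
                       f"{{{DS}}}X509Data/{{{DS}}}X509Certificate")
    return {
        "entity_id": root.get("entityID"),
        "acs_url": acs.get("Location"),
        "logout_url": slo.get("Location") if slo is not None else None,
        # Certificates are often wrapped across lines in metadata files; normalise that.
        "signing_cert": "".join(cert.text.split()) if cert is not None and cert.text else None,
    }


if __name__ == "__main__":
    # Constructed sample values; not a real deployment.
    xml = build_sp_metadata("https://sp.example.test/saml",
                            "https://sp.example.test/saml/acs",
                            "https://sp.example.test/saml/slo",
                            "MIIBplaceholderCertificate==")
    print(xml.decode())
    print(extract_sp_settings(xml))
```

The extractor deliberately tolerates metadata from other SPs (no `isDefault`, no `use="signing"`), so the same code can be used to read back what a partner SP publishes.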
IdP Logins
Last, we added an option to allow IdP-initiated logins. Normally, the service provider initiates the login process and redirects the user to the IdP, then the SP waits for the authentication result. However, one identity provider can potentially serve many services, and some IdPs present the user with a dashboard from which the user selects the service to log in to. Here is one that Okta displays:
However, the user’s convenience comes at the cost of security: with an IdP-initiated login the SP receives an assertion it never asked for, so it cannot tie the response to a request it issued. Use with caution.
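To make the trade-off concrete, here is an added example (not TeamDesk's implementation) of the acceptance logic an SP applies to an incoming SAML response. An SP-initiated response carries an `InResponseTo` attribute that must match a request the SP issued and not yet consumed; an IdP-initiated response has no such attribute, so the only remaining defences are the assertion's validity window, a replay cache keyed on the assertion ID, and the `Destination` check. The `SamlResponseGate` class, the `make_response` helper and all URLs are assumptions made for the example; signature verification is assumed to have happened before `check()` is called.

```python
"""Accept-or-reject logic for SP- versus IdP-initiated SAML responses (added example)."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def _parse_ts(value):
    """Parse a SAML UTC timestamp such as 2024-05-01T12:00:00Z; None if absent or malformed."""
    if not value:
        return None
    try:
        return datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None


def _fmt(dt):
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


class SamlResponseGate:
    """Hypothetical SP-side gate; assumes the XML signature was verified beforehand."""

    def __init__(self, acs_url, allow_idp_initiated=False, request_ttl=timedelta(minutes=5)):
        self.acs_url = acs_url
        self.allow_idp_initiated = allow_idp_initiated
        self.request_ttl = request_ttl
        self._outstanding = {}       # AuthnRequest ID -> time issued (SP-initiated flow)
        self._seen_assertions = {}   # assertion ID -> NotOnOrAfter (replay cache)

    def register_request(self, request_id, now):
        """Record an AuthnRequest the SP just sent, so the answer can be matched to it."""
        self._outstanding[request_id] = now

    def _prune(self, now):
        self._outstanding = {k: t for k, t in self._outstanding.items()
                             if now - t <= self.request_ttl}
        self._seen_assertions = {k: exp for k, exp in self._seen_assertions.items()
                                 if exp > now}

    def check(self, response_xml, now):
        """Return (accepted, reason) for a samlp:Response received at the ACS URL."""
        root = ET.fromstring(response_xml)
        if root.tag != f"{{{SAMLP}}}Response":
            return False, "not a samlp:Response"
        if root.get("Destination") != self.acs_url:
            return False, "Destination does not match our ACS URL"
        assertion = root.find(f"{{{SAML}}}Assertion")
        if assertion is None:
            return False, "no assertion"
        cond = assertion.find(f"{{{SAML}}}Conditions")
        not_before = _parse_ts(cond.get("NotBefore")) if cond is not None else None
        not_on_or_after = _parse_ts(cond.get("NotOnOrAfter")) if cond is not None else None
        if not_before is None or not_on_or_after is None:
            return False, "assertion lacks a validity window"
        if now < not_before or now >= not_on_or_after:
            return False, "assertion outside its validity window"
        self._prune(now)
        assertion_id = assertion.get("ID")
        if not assertion_id or assertion_id in self._seen_assertions:
            return False, "assertion replayed or unidentified"
        in_response_to = root.get("InResponseTo")
        if not in_response_to:
            # Unsolicited response: nothing on our side proves a user ever asked to log in.
            if not self.allow_idp_initiated:
                return False, "unsolicited response rejected: IdP-initiated login disabled"
            flow = "idp-initiated"
        else:
            issued = self._outstanding.pop(in_response_to, None)  # consume the request once
            if issued is None:
                return False, "InResponseTo does not match an outstanding request"
            flow = "sp-initiated"
        self._seen_assertions[assertion_id] = not_on_or_after
        return True, f"accepted ({flow})"


def make_response(assertion_id, in_response_to, destination, not_before, not_on_or_after):
    """Constructed, unsigned sample samlp:Response for illustration only."""
    attrs = {"ID": "_resp" + assertion_id, "Version": "2.0",
             "Destination": destination, "IssueInstant": _fmt(not_before)}
    if in_response_to:
        attrs["InResponseTo"] = in_response_to
    resp = ET.Element(f"{{{SAMLP}}}Response", attrs)
    a = ET.SubElement(resp, f"{{{SAML}}}Assertion",
                      {"ID": assertion_id, "Version": "2.0", "IssueInstant": _fmt(not_before)})
    ET.SubElement(a, f"{{{SAML}}}Issuer").text = "https://idp.example.test"  # constructed
    ET.SubElement(a, f"{{{SAML}}}Conditions",
                  {"NotBefore": _fmt(not_before), "NotOnOrAfter": _fmt(not_on_or_after)})
    return ET.tostring(resp)


if __name__ == "__main__":
    now = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
    acs = "https://sp.example.test/saml/acs"
    gate = SamlResponseGate(acs, allow_idp_initiated=False)
    unsolicited = make_response("_a1", None, acs, now - timedelta(minutes=1), now + timedelta(minutes=5))
    print(gate.check(unsolicited, now))
```

Turning `allow_idp_initiated` on removes exactly one check, the request binding; the validity-window, replay and `Destination` checks are what remain, which is why the window should be short and the replay cache mandatory when the option is enabled.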
Next week we’ll publish a series of articles describing the integration with leading identity providers.
That’s all for today. Stay tuned.