Single Sign on for Sub User Accounts
Single Sign On provides a convenient mechanism to authenticate your users to the Logiforms platform. Logiforms supports Single Sign On for workflows and for sub-user accounts via SAML 2.0 and JIT (Just-in-Time) provisioning. This article explains the sub-user account SSO integration options. See SSO for workflows for information on how to authenticate users for workflow access.
Setting Up Single Sign On
Start by contacting your account manager to enable SSO on your account. Your account manager will provide the SP details you'll need to configure the Identity Provider. Once the Identity Provider is configured, provide your account manager with the IDP metadata or the URL where the metadata can be accessed.
Attributes provided by your IDP
The following attributes should be provided in the SAML response sent to Logiforms. These attributes are used to provision sub user accounts and assign groups and permissions:
Attribute | Description |
---|---|
firstname | The user's first name |
lastname | The user's last name |
group | The name or ID of the group that the user should be a member of. If not provided, or there is no match, the default group set within the Single Sign-on Settings is used. Group settings define the permissions for newly created users. |
usertype | This is either "formcreator" or "dataonly" and refers to the type of user that will be created. If not provided, the default set within the Single Sign-on Settings is used. |
Configuring Single Sign-on Settings
Open My Account, click on the Security tab, and then click Single Sign On Settings. The window below will open:
Property | Details |
---|---|
Enable Single Sign On | This setting toggles SSO integration on and off. |
Auto Redirect to Identity Provider | Upon entering an email on the login screen, if the domain matches your registered domain, the user will be redirected to the IDP. Note that admin users will be able to continue to log in directly. |
Do not Overwrite Group | Check this setting to not overwrite any group re-assignments done on the Logiforms end. This setting only applies to updates, when an existing subuser is found and updated. |
Enable Sub User Account Creation | When this setting is enabled, new sub user accounts are provisioned on the fly. The next two settings define some defaults for the new users. |
Group Default | Select the group that new users will be automatically assigned to if the group attribute is not provided or does not match an existing group. |
Role Default | Select the type of subuser that will be created if the usertype attribute is not provided or does not match "formcreator" or "dataonly". |
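Because a missing or non-matching group or usertype attribute silently falls back to Group Default and Role Default, it helps to check what your IDP actually releases before enabling sub user account creation. The script below is an added example, not Logiforms code: it reads a constructed SAML AttributeStatement and reports which defaults would apply. The group names, the sample values and the exact, case-sensitive matching are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
VALID_USERTYPES = {"formcreator", "dataonly"}  # the two values listed in the attributes table

# Constructed sample of what an IDP might release; only parse assertions you captured yourself.
SAMPLE = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="firstname"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="lastname"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="group"><saml:AttributeValue>Contractors</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="usertype"><saml:AttributeValue>FormCreator</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement>"""

def read_attributes(xml_text):
    """Return {Name: first value} for every saml:Attribute in the statement."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.iter("{%s}Attribute" % NS["saml"]):
        value = attr.find("saml:AttributeValue", NS)
        attrs[attr.get("Name")] = (value.text or "").strip() if value is not None else ""
    return attrs

def preflight(xml_text, known_groups, default_group, default_usertype):
    """Predict the group and user type a new sub user would get, and list every fallback."""
    attrs = read_attributes(xml_text)
    findings = []
    for name in ("firstname", "lastname"):
        if not attrs.get(name):
            findings.append(f"{name}: missing or empty")
    group = attrs.get("group", "")
    if group not in known_groups:  # assumption: exact match against existing group names
        findings.append(f"group {group!r}: no match, default group {default_group!r} applies")
        group = default_group
    usertype = attrs.get("usertype", "")
    if usertype not in VALID_USERTYPES:  # assumption: comparison is case-sensitive
        findings.append(f"usertype {usertype!r}: not recognised, default {default_usertype!r} applies")
        usertype = default_usertype
    return {"group": group, "usertype": usertype, "findings": findings}

if __name__ == "__main__":
    # Hypothetical groups and defaults standing in for your Single Sign-on Settings.
    result = preflight(SAMPLE, {"Staff", "Reviewers"}, "Read Only", "dataonly")
    print(result["group"], result["usertype"])
    for line in result["findings"]:
        print("WARN", line)
```

Any finding means the defaults, not the IDP, decide the new user's permissions, so keep Group Default and Role Default set to the least-privileged options you have.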
Accessing Single Sign-On Logs
All single sign-on logins are logged, as well as information relating to JIT provisioning of accounts and attribute propagation. These logs can be accessed via My Account > Security > Single Sign-On Logs.