What is SSO?
SSO (Single sign-on) allows members of an organization to use a single ID and password to gain access to their Beautiful.ai account through their organization's Identity Provider (IdP).
How does SSO work?
With Single sign-on, when you try to log in, your identity is authenticated by the Identity Provider before Beautiful.ai grants access to the account.
Strict SSO
When an organization has its SSO set as Strict, its members are only allowed to log in using the Identity Provider (IdP). They are not allowed to log in using email/password or Google.
- Upon login, only the “Login with Single Sign On” button is shown.
Non Strict SSO
If SSO is set as Non-Strict, users within the organization can use both SSO and email/password or Google login.
- Both the conventional “login” and “Google” buttons will be shown on the B.AI login page.
Enabling SSO
To enable SSO in Beautiful.ai, click on Profile and, from the Advanced tab, select Enable SSO.
Verify your domain, then follow the steps below for IdP- or SP-initiated flows.
To complete the SAML SSO setup, the owner may enter the IDP Metadata URL to fill in the SAML SSO Endpoint and Issuer URL fields automatically, or enter the information for those two fields manually.
- IDP Metadata URL: Entering this URL will automatically fill out the next two fields. If you don't have one, skip it and enter the information in the following fields manually. The metadata document also carries the IdP's signing certificate, so it should be an HTTPS URL.
- SAML SSO Endpoint: This is the URL we will redirect your users to when they try to log in via Beautiful.ai instead of starting at their Identity Provider.
- Issuer URL: This is the unique identifier (entityID) of your Identity Provider. We use this to validate that the SAML assertions we receive were issued by your identity provider.
You also have the option to turn on Allow IDP Initiated Flow or Enforce Strict SSO.
- Allow IDP Initiated Flow: Enabling IdP-initiated access will allow users to log into Beautiful.ai from their identity provider's application portal. Disabling it will only allow SP (Service Provider) initiated access (i.e. users will have to start their authentication process at beautiful.ai/login). SP-initiated access is the more conservative choice: every assertion Beautiful.ai then receives answers a login request it issued itself, whereas an IdP-initiated assertion arrives unsolicited.
- Enforce Strict SSO: With Strict SSO enabled, users will be required to log in with SSO. With Strict SSO disabled, users will be able to log in with both SSO and email/password. Please note that if there are users who have been using B.AI prior to SSO, they will be locked out if they have not been provisioned access in the IdP's platform. We recommend keeping the Strict SSO option disabled at first and testing SSO functionality before enabling this setting.
IdP - Identity Provider Initiated Flow
With IdP-initiated login, members of the organization sign in at their IdP's SSO page (e.g. Okta, OneLogin, Active Directory) and start from there to gain access to the account.
Steps (you may start at Step 1 or Step 3):
1. Once the login option is selected, Beautiful.ai checks whether the account email has already been authenticated with the Identity Provider (i.e. whether you are already logged into Okta, OneLogin or Active Directory). If so, you gain access to the site.
2. If you haven't been, you are redirected to the Identity Provider to log in. It verifies the account username and password against the information in its user database.
3. Alternatively, you start at the Identity Provider's portal and sign in with the single username/password associated with your company.
4. The Identity Provider passes the authentication data (the SAML assertion) to Beautiful.ai. Some IdPs will require you to click on the Beautiful.ai icon in their portal first.
5. Beautiful.ai validates the authentication data it received and the account gains access to the site.
SP - Service Provider Initiated Flow:
With SP-initiated login, members of the organization start at their Beautiful.ai account and an authentication request is sent to the Identity Provider, such as Okta, OneLogin or Active Directory. Once the IdP authenticates and verifies the member's identity, the user is automatically logged into their account.
Steps:
1. Once SSO has been enabled, upon entering an email address, Beautiful.ai detects whether the account's organization has SSO. If so, the password field disappears from the window and the “Login with Single Sign On” button appears.
2. If the account has already been authenticated with the Identity Provider, you will gain access to the site.
3. If the account hasn't been authenticated, you will be redirected to the Identity Provider page to verify your username and password.
4. Once the Identity Provider passes the authentication data back to Beautiful.ai and it is validated, the account gains access to the site.
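The two flows above differ on the Service Provider side in one check: an SP-initiated response must answer a login request the SP itself issued, while an IdP-initiated response arrives unsolicited and is acceptable only when that option is on. The following is an added example, not Beautiful.ai's code, of both sides of the exchange: a constructed IdP response and a hypothetical SP that applies the Issuer URL check, the request-matching check, the assertion validity window, the audience restriction and replay protection. The hostnames are placeholders; the `verify_signature` hook stands in for a real XML signature check against the certificate from the IdP metadata, which this offline example cannot perform.

```python
"""Added example (not Beautiful.ai's code): SP-side validation for SP- and IdP-initiated SAML logins."""
import base64
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def _ts(t):
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")


def _parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_idp_response(issuer, audience, name_id, now, in_response_to=None, ttl=300):
    """Constructed IdP side: an unsigned SAML Response, base64-encoded as it would be in
    the SAMLResponse form field. InResponseTo is present only for SP-initiated logins."""
    irt = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    xml = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_{secrets.token_hex(8)}"
  Version="2.0" IssueInstant="{_ts(now)}"{irt}>
  <saml:Issuer>{issuer}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_{secrets.token_hex(8)}" Version="2.0" IssueInstant="{_ts(now)}">
    <saml:Issuer>{issuer}</saml:Issuer>
    <saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="{_ts(now - timedelta(seconds=60))}" NotOnOrAfter="{_ts(now + timedelta(seconds=ttl))}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()


class SamlRejected(Exception):
    pass


class SamlServiceProvider:
    """Hypothetical SP. verify_signature(raw_xml) -> bool must be a real XML-DSig check
    against the IdP metadata certificate (e.g. python3-saml/xmlsec); it is injected so the
    example runs offline, and nothing below is trusted until it passes."""

    def __init__(self, issuer_url, audience, allow_idp_initiated, verify_signature, request_ttl=600):
        self.issuer_url = issuer_url              # the configured "Issuer URL"
        self.audience = audience                  # this SP's own entityID
        self.allow_idp_initiated = allow_idp_initiated
        self.verify_signature = verify_signature
        self.request_ttl = request_ttl
        self._pending = {}                        # AuthnRequest IDs we issued -> time issued
        self._seen_assertions = set()             # replay protection

    def start_sp_login(self, now):
        """SP-initiated flow: mint the AuthnRequest ID we expect back in InResponseTo."""
        rid = "_" + secrets.token_hex(16)
        self._pending[rid] = now
        return rid

    def accept_response(self, response_b64, now):
        raw = base64.b64decode(response_b64)
        if not self.verify_signature(raw):
            raise SamlRejected("signature check failed")
        root = ET.fromstring(raw)
        status = root.find("samlp:Status/samlp:StatusCode", NS)
        if status is None or status.get("Value") != SUCCESS:
            raise SamlRejected("IdP did not report success")
        assertion = root.find("saml:Assertion", NS)
        if assertion is None:
            raise SamlRejected("no assertion in response")
        # Issuer URL check: response and assertion must both name the configured IdP.
        for el in (root.find("saml:Issuer", NS), assertion.find("saml:Issuer", NS)):
            if el is None or (el.text or "").strip() != self.issuer_url:
                raise SamlRejected("issuer does not match the configured Issuer URL")
        # Flow check: InResponseTo must name a live request we issued (single use);
        # an unsolicited response is IdP-initiated and allowed only when that option is on.
        irt = root.get("InResponseTo")
        if irt is None:
            if not self.allow_idp_initiated:
                raise SamlRejected("unsolicited response but IdP-initiated flow is disabled")
            flow = "idp-initiated"
        else:
            issued = self._pending.pop(irt, None)
            if issued is None or now - issued > timedelta(seconds=self.request_ttl):
                raise SamlRejected("InResponseTo does not match a live login request")
            flow = "sp-initiated"
        cond = assertion.find("saml:Conditions", NS)
        if cond is None:
            raise SamlRejected("assertion has no Conditions")
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if (nb and now < _parse_ts(nb)) or (noa and now >= _parse_ts(noa)):
            raise SamlRejected("assertion is outside its validity window")
        audiences = [(a.text or "").strip() for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if self.audience not in audiences:
            raise SamlRejected("assertion was issued for a different service provider")
        aid = assertion.get("ID")
        if aid in self._seen_assertions:
            raise SamlRejected("assertion replayed")
        self._seen_assertions.add(aid)
        name_id = assertion.find("saml:Subject/saml:NameID", NS)
        if name_id is None or not (name_id.text or "").strip():
            raise SamlRejected("assertion has no NameID")
        return name_id.text.strip(), flow


if __name__ == "__main__":
    IDP = "https://idp.example.com/saml/metadata"   # placeholder Issuer URL
    AUD = "https://sp.example.com/saml/metadata"    # placeholder SP entityID
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    sp = SamlServiceProvider(IDP, AUD, allow_idp_initiated=False,
                             verify_signature=lambda raw: True)  # demo stub, NOT a real check
    rid = sp.start_sp_login(now)
    print(sp.accept_response(build_idp_response(IDP, AUD, "ana@example.com", now, rid), now))
    try:
        sp.accept_response(build_idp_response(IDP, AUD, "ana@example.com", now), now)
    except SamlRejected as e:
        print("rejected:", e)
```

The order of the checks is deliberate: the signature is verified before the XML is interpreted at all, the issuer is matched before the request ID is consumed, and the request ID is consumed before the validity window is read, so a response that fails late still cannot be retried against the same request.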
User Provisioning settings are additional SSO settings that may be turned ON/OFF.
- Allow JIT Provisioning: Just-in-Time (JIT) provisioning is an automated process that creates user accounts when users log in to an application for the first time. It relies on Single Sign-On (SSO) between the target service and the identity provider: the identity provider sends user information to the web application in the SAML assertion, and when a new user logs in the app creates the account from that information. With JIT enabled, anyone the IdP is willing to authenticate to Beautiful.ai gets an account, so application assignment in the IdP is what controls access.
- Enable SCIM Provisioning: Enabling System for Cross-domain Identity Management (SCIM) provisioning on an app allows it to automate the exchange of user identities between cloud-based services and apps. SCIM provisioning automates access to applications and services, which can reduce the need for manual account creation and maintenance. Because SCIM can also carry updates and deactivations, it is the mechanism to rely on for offboarding; JIT only ever creates accounts.
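How the two provisioning switches interact on a login is easiest to see in code. The following is an added example, not Beautiful.ai's code: a hypothetical per-organization user store with the SCIM connector's create and deactivate operations on one side and the post-validation SSO login on the other. The email addresses are constructed, and the one rule worth noticing is that a valid assertion for a SCIM-deactivated user must not be allowed to revive the account through JIT.

```python
"""Added example (not Beautiful.ai's code): JIT and SCIM provisioning on SSO login."""
from dataclasses import dataclass


@dataclass
class User:
    email: str
    active: bool = True
    source: str = "manual"   # how the account came to exist: manual, jit or scim


class OrgDirectory:
    """Hypothetical per-organization user store showing how the Allow JIT Provisioning
    and Enable SCIM Provisioning settings interact."""

    def __init__(self, allow_jit, enable_scim):
        self.allow_jit = allow_jit
        self.enable_scim = enable_scim
        self.users = {}   # lower-cased email -> User

    # SCIM side: what the IdP's provisioning connector does through the SCIM API
    # (POST /Users to create, PATCH /Users/{id} with active=false to deactivate).
    def scim_create(self, email):
        if not self.enable_scim:
            raise PermissionError("SCIM provisioning is disabled for this organization")
        key = email.lower()
        user = self.users.get(key) or User(key, source="scim")
        user.active = True   # re-provisioning through SCIM is the sanctioned way to reactivate
        self.users[key] = user
        return user

    def scim_deactivate(self, email):
        if not self.enable_scim:
            raise PermissionError("SCIM provisioning is disabled for this organization")
        self.users[email.lower()].active = False

    # SSO side: called only after the SAML assertion has been fully validated.
    def resolve_sso_login(self, name_id):
        key = name_id.lower()   # NameID is an email here; match case-insensitively
        user = self.users.get(key)
        if user is None:
            if not self.allow_jit:
                raise PermissionError("no account for this user and JIT provisioning is disabled")
            user = self.users[key] = User(key, source="jit")   # JIT: create on first login
        elif not user.active:
            # Deactivated via SCIM: a valid assertion must not quietly revive the account.
            raise PermissionError("account was deactivated by the identity provider")
        return user


if __name__ == "__main__":
    org = OrgDirectory(allow_jit=True, enable_scim=True)
    print(org.resolve_sso_login("Ana@Example.com"))   # created just in time
    org.scim_create("bo@example.com")
    org.scim_deactivate("bo@example.com")
    try:
        org.resolve_sso_login("bo@example.com")
    except PermissionError as e:
        print("rejected:", e)
```

With JIT on and SCIM off there is no deactivation path at all, which is the configuration to avoid when Strict SSO is also off: a user removed from the IdP keeps the Beautiful.ai account that JIT created and can still use email/password.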