
Authentication Options, SSO & Business Rules

Objective: Explain the options, business rules, application behaviour and user experience in regards to authentication.

Prerequisites: The clientAdmin user role is required in order to view and edit authentication options.

The Cloud Platform supports two methods of authentication:

  • Standard / Form Authentication
    • Username and password are managed by the Cloud Platform.

  • Single Sign On (SSO)
    • Users' credentials are managed via your Identity Provider (such as Active Directory).
    • Users are redirected to the Identity Provider for authentication at logon time.
    • If a user logs on for the first time, the user is automatically assigned the User role (minimum permissions).

The following configurations are available and can be set by an Administrator (a user with the clientAdmin role) via the Cloud Platform (Admin > User Management > Identity Provider):
  • Standard authentication only
  • Both Standard and SSO are available
  • SSO only


If a user has already been created in the Cloud Platform and then SSO is enabled, the user will be able to log in as normal if their email address in the Cloud Platform matches their username (email address) in the Identity Provider.


If SSO-only authentication is set and a user is disabled in the Identity Provider, they will not be able to log into the system. Administrators are exempt from this as a safety measure to prevent accidental account lockout due to incorrect SSO authentication settings.


When the 'User must use SAML Authentication' option is enabled, the following business rules apply:

  • The confirm-email-address routine works as it does today for non-admin users.
  • The confirm-email-address routine works as it does today for admin users. However, after the email has been confirmed, non-admin users are not asked to set a password.
  • Admin users can continue to log in using username and password.
  • Admin users can continue to use proxy login.
  • Admin users can have a password force-set under User Management.
  • Admin users can have a password reset email triggered under User Management.
  • Non-admin users cannot use username and password to log in.
  • The forgotten-password action has no effect for non-admin users (i.e. the user can enter an email, but no email will be sent).
  • Admin users can't trigger a password force-set for non-admin users (the action should be disabled).
  • Admin users can't trigger a password reset for non-admin users (the action should be disabled).
  • There is no need to clear existing passwords (i.e. if an admin switches this option off, all users can continue to log in with their original passwords).
  • If non-admin users attempt to log in using *any* password, the system should reject the attempt with an error message saying, "This user must log in via Single Sign-On".
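The SAML business rules above, together with the SSO account-matching and first-logon rules earlier on this page, written out as a small policy module that can serve as a test oracle when checking the platform's behaviour. This is an added example, not the Cloud Platform's own code; the function names, the User record, the `saml_required` flag standing in for the 'User must use SAML Authentication' option, and case-insensitive email matching for the SSO account link are assumptions.

```python
from dataclasses import dataclass, field

SSO_REQUIRED_MSG = "This user must log in via Single Sign-On"
ADMIN_ROLE, USER_ROLE = "clientAdmin", "User"


@dataclass
class User:
    """Hypothetical Cloud Platform user record (assumed shape)."""
    email: str
    roles: set = field(default_factory=lambda: {USER_ROLE})


def is_admin(user):
    return ADMIN_ROLE in user.roles


def password_login(saml_required, user, password_valid):
    """Username/password logon. Returns (accepted, error_message)."""
    if saml_required and not is_admin(user):
        return False, SSO_REQUIRED_MSG   # rejected whatever the password
    return password_valid, None          # admins, or SAML not enforced


def forgot_password_sends_email(saml_required, user):
    """The form accepts any address; mail is sent only for admins or when SAML is not enforced."""
    return is_admin(user) or not saml_required


def admin_password_actions_enabled(saml_required, target):
    """Force-set / reset-email controls in User Management for a target user."""
    return is_admin(target) or not saml_required


def post_confirm_asks_for_password(saml_required, user):
    """After email confirmation, non-admins are not prompted for a password under SAML."""
    return not (saml_required and not is_admin(user))


def sso_login(directory, idp_username):
    """Link the IdP username to the Cloud Platform user with the same email.

    First-time users are created with the User role (minimum permissions).
    Case-insensitive comparison is an assumption of this example.
    """
    key = idp_username.lower()
    for user in directory:
        if user.email.lower() == key:
            return user
    new_user = User(email=idp_username, roles={USER_ROLE})
    directory.append(new_user)   # constructed in-memory directory stands in for the platform store
    return new_user
```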