In this article
- About SSO
- Claim-based Single Sign-On
- SSO authentication process
- Requirements for setting up a SSO integration
- Sign-in method for users without a SSO account
- Setting up a SSO integration
- Clearing a SSO integration
About SSO
Single Sign-On (SSO) enables a user to sign in once and access multiple applications and resources across different networks and domains. As an example, take the network/domain of a customer and assessmentQ. Typically, a user is authenticated in the customer's domain using, for example, Active Directory when logging on to his/her computer. This enables the user to access the different network resources (network shares, printers, webpage logins, ...) within the domain without having to re-enter his/her login credentials each time. assessmentQ also requires login credentials in order to gain access to the portal or the backoffice. However, since assessmentQ is not part of the customer's domain/network, the user needs to enter his/her credentials manually.
By setting up an SSO between assessmentQ and the customer's domain/network, users no longer need to enter their login credentials manually in order to get access to the assessmentQ portal and/or backoffice.
Single Sign-On is based around the principle of a trust relationship between assessmentQ (Service Provider/Relying Party) and the Identity Provider (IdP) of the customer. The identity provider offers user authentication as a service and acts on behalf of the customer. This authentication service can then be used by assessmentQ. A high level overview of the SSO principle is depicted in the diagram below.
Claim-based Single Sign-On
Claims-based identity is a common way for applications to acquire the identity information they need about users inside their own or another organization/network/domain.
A claim is a statement that one subject, such as a person or organization, makes about itself or another subject. For example, the statement can be about a name, e-mail address, group, date of birth, ... It is the responsibility of the Identity Provider to provide the necessary claims.
With respect to the SSO integration between assessmentQ and the customer's Identity Provider, the following claims are mandatory:
- NameId or Sub (unique identifier for a user, e.g. User-Principal-Name)
- First name
- Last name
Optional claims are:
- User name
  This field can be used for the personal reference number of a user within the organization/company. If this claim is omitted, the e-mail address will be used.
- Televic group membership
  It is highly recommended to also provide the 'Televic group membership' claim as this facilitates the creation and scheduling of assessmentQ assignments for specific target groups. This is important as users will only be known in assessmentQ after their first login.
- Date of birth
- User language
Warning: No password is set. Users who sign in via SSO cannot use the sign-in method via e-mail and password.
SSO authentication process
In the case of a SSO integration, the Identity Provider and Service Provider (assessmentQ) do not actually communicate directly with each other, but rely on the client browser's redirection (using standard HTTP GET and POST messages). The SSO authentication process is explained in more detail in the picture below:
- The user is authenticated in the domain of the customer and navigates to the assessmentQ portal or backoffice.
- assessmentQ is configured with a SSO integration for the domain of the customer. As such, assessmentQ needs to know the URL of the customer's IdP.
- If the user is not yet authenticated, he/she gets the possibility to log in with his/her customer domain credentials.
- The Identity Provider verifies the user's authentication and issues a token (with the proper claims) back to the client.
- The browser is redirected to assessmentQ and uses the token for authentication.
- assessmentQ accepts the token (and corresponding claims) and the user is automatically logged in to assessmentQ.
Note: In this case we assume a passive SSO coupling. In case of an active SSO coupling, there is direct communication between the Service Provider and the Identity Provider.
Requirements for setting up an SSO integration
With respect to setting up the SSO, the customer takes the role of the Identity Provider (IdP) and Televic Education takes the role of the Service Provider (SP).
Televic Education makes use of Identity Server 4 for authenticating its users for all products.
The IdP must support one of the following protocols:
- OpenID Connect (e.g. IdentityServer)
- WS-Federation (e.g. ADFS)
The IdP must provide the following claims:
- NameId or Sub (unique identifier for a user, e.g. User-Principal-Name)
- First name
- Last name
- User name (personal reference number of user; if not available copy of the e-mail address)
The IdP should provide the following claim(s):
- Televic group membership
The IdP may provide the following claims:
- Date of birth
- User language
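The claim rules above (mandatory NameId/Sub, first name and last name; user name falling back to the e-mail address; recommended group membership; optional date of birth and language) are illustrated by the following added example, which is not assessmentQ's or IdentityServer's own code. It uses the standard OpenID Connect claim names and assumes a placeholder claim name, `televic_groups`, for the 'Televic group membership' claim; a WS-Federation IdP would need a second mapping with ADFS claim URIs.

```python
# Added example (not assessmentQ's own code): validate an IdP's claim set against the
# mandatory/recommended/optional claims listed on this page and normalise it.
# Claim names are standard OIDC claims; "televic_groups" is an assumed placeholder.
from dataclasses import dataclass
from typing import Optional

# Mandatory claims: the IdP may deliver the unique identifier as "sub" or "nameid".
MANDATORY = {"subject": ("sub", "nameid"),
             "first_name": ("given_name",),
             "last_name": ("family_name",)}

@dataclass(frozen=True)
class SsoUser:
    subject: str
    first_name: str
    last_name: str
    user_name: str            # personal reference number, or e-mail when the claim is omitted
    groups: tuple            # 'Televic group membership' (recommended, may be empty)
    date_of_birth: Optional[str] = None
    language: Optional[str] = None

class MissingClaimError(ValueError):
    """Raised when a token lacks a claim the integration requires."""

def _first(claims: dict, names: tuple) -> Optional[str]:
    """Return the first present, non-empty string claim among the given names."""
    for name in names:
        value = claims.get(name)
        if isinstance(value, str) and value.strip():
            return value.strip()
    return None

def normalise_claims(claims: dict) -> SsoUser:
    """Map raw token claims to an SsoUser; reject tokens missing a mandatory claim."""
    required = {}
    for key, names in MANDATORY.items():
        value = _first(claims, names)
        if value is None:
            raise MissingClaimError(f"mandatory claim missing: one of {names}")
        required[key] = value
    # User name: the reference number if provided, otherwise the e-mail address.
    user_name = _first(claims, ("preferred_username",)) or _first(claims, ("email",))
    if user_name is None:
        raise MissingClaimError("neither a user-name claim nor an e-mail claim is present")
    groups = claims.get("televic_groups", [])
    if isinstance(groups, str):   # a single group may arrive as a bare string
        groups = [groups]
    return SsoUser(subject=required["subject"], first_name=required["first_name"],
                   last_name=required["last_name"], user_name=user_name,
                   groups=tuple(groups), date_of_birth=_first(claims, ("birthdate",)),
                   language=_first(claims, ("locale",)))

# Constructed sample token payload (not a real user); user name falls back to the e-mail.
SAMPLE_CLAIMS = {"sub": "jdoe@example.org", "given_name": "Jane", "family_name": "Doe",
                 "email": "jane.doe@example.org", "televic_groups": "Sales-2024", "locale": "nl-BE"}
```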
Sign-in method for users without a SSO account
If you want your assessmentQ environment to be accessible both to users who have an account in your domain/network as well as to external users who do not have an account in your domain/network, you can activate the sign-in method with email and password:
- External users will only be able to sign in via the assessmentQ credentials (e-mail and password).
- Users who have an account in your domain can only sign in via your domain/network account. They cannot retrieve their assessmentQ password nor set their password via their profile.
Setting up a SSO integration
Proceed as follows to set up a SSO integration with your assessmentQ environment:
- In the Settings module, open the Integrations submodule and click on Single Sign-On.
- Click the Configure button.
  Result: The Configure Single Sign-On popup is shown.
- Select the Identity provider of your choice.
- Complete the configuration settings. For more information, see the ADFS or the OIDC set-up guide.
- Click Save.
  Result: The Single Sign-On configuration page is shown. Users entering the URL of your assessmentQ environment (<domain>.assessmentq.com) will automatically be signed in provided they are logged on to your domain/network; otherwise they are redirected to the sign-in page of your domain/network.
- If you also want external users without an account in your domain/network to have access to your assessmentQ environment, click Allow users without an SSO account to sign in with their e-mail address and password.
- If you want to change the SSO button, upload the logo of your choice.
Notes:
- If you are interested in a SSO integration with assessmentQ, please contact Televic Education via http://support.televic-education.com.
Clearing a SSO configuration
Proceed as follows to clear the SSO configuration for your assessmentQ environment:
- In the Settings module, open the Integrations submodule and click on Single Sign-On.
- Click the Clear configuration button.
Result: The SSO configuration is removed. All users will have to log on via e-mail address and password.
Warning: No password is stored in assessmentQ for users with a SSO account. As a result, when the SSO configuration is disabled, these users can no longer sign in. Contact the assessmentQ help desk via http://support.televic-education.com in case you need support or guidance.