The Single Sign-On technology in bpm’online enables the use of a single user account to log in to multiple services. After signing in once via an identity provider, users can access their applications and services without the need to enter their login credentials. When the user signs out in any of the applications, sessions of all other connected applications end as well.
Single Sign-On advantages:
Better security, with fewer passwords for users to memorize.
Faster authentication in multiple services.
Easier administration of user accounts.
Easier implementation process for security technologies due to the use of a single identity provider throughout all operating systems and devices.
Bpm’online supports the SAML 2.0 protocol, therefore any identity provider that uses this protocol is compatible.
Single Sign-On identification is supported by mobile devices running iOS and Android.
Single Sign-On (SSO) – an access control technology that uses a single resource for user authentication. It includes the Single Sign-On, Single Sign-Off (Single Log Out) and Just-In-Time Provisioning methods.
Single Sign-Off (Single Log Out) – the reverse method: a single log out operation on any of the services ends the user’s access to all of them.
Just-In-Time Provisioning – automatic registration of a user account in an application when no account exists yet for a user who has successfully authenticated with the identity provider.
Identity provider – a service that verifies user authenticity based on a contact directory or a response from a specific service. Bpm’online supports the SAML 2.0 protocol, therefore any identity provider that uses this protocol is compatible.
Service Provider – a service or a system accessed by the user.
Resource – the information that the user requests from the service provider.
User Agent – a user environment, browser or any other client application on the user’s device.
Authentication – the process of verifying user’s identity.
Authorization – the process of verifying permissions to perform an action or an operation.
Federated SSO – an authentication system in which the service provider redirects users to the identity provider and never receives the user’s credentials itself.
The following examples demonstrate the benefits of using the Single Sign-On technology:
Automatically creating a user account on first login
If a user has an account within the corporate domain, there is no need to create a new account for each resource used in the company. The user only needs to enter their universal account credentials and:
If there is a user with the same login in the domain, bpm’online will create a contact and an account for the new user.
Contact data will be filled according to the [SAML field name converters to contact field name] lookup settings. The created record can be viewed in the [Contacts] section.
A new account will obtain organizational and functional roles that are similar to its domain roles. The created record can be viewed in the users and roles management section.
Automatic user creation is configured after the Single Sign-On setup and can be disabled.
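The following is an added example of the Just-In-Time Provisioning step described above; it is not bpm’online code. It parses a constructed SAML 2.0 assertion (no signature, no real identity provider), applies a hypothetical mapping that stands in for the [SAML field name converters to contact field name] lookup, and creates a contact only when no account exists for the login. The group-to-role mapping and the `auto_create` switch are assumptions that model the "can be disabled" behaviour; a real service provider must validate the assertion’s signature, audience and conditions before trusting any of these attributes.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# XML namespaces used by SAML 2.0 assertions.
NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# Constructed sample assertion (not from a real identity provider).
# Signature omitted: a real deployment validates the XML signature,
# Audience and NotOnOrAfter conditions before acting on these attributes.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_abc123" Version="2.0">
  <saml:Issuer>https://idp.example.test/</saml:Issuer>
  <saml:Subject><saml:NameID>jdoe@example.test</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="givenName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="sn"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="mail"><saml:AttributeValue>jdoe@example.test</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>Sales</saml:AttributeValue>
      <saml:AttributeValue>Managers</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Hypothetical stand-in for the [SAML field name converters to contact field name] lookup:
# SAML attribute name -> contact field name.
SAML_TO_CONTACT = {"givenName": "GivenName", "sn": "Surname", "mail": "Email"}


@dataclass
class Contact:
    login: str
    fields: dict
    roles: list


def parse_attributes(assertion_xml):
    """Return (name_id, {attribute name: [values]}) from an assertion."""
    root = ET.fromstring(assertion_xml)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return name_id, attrs


def jit_provision(assertion_xml, user_store, auto_create=True):
    """Return (contact, created). user_store maps login -> Contact.

    An existing account is reused as-is; a missing one is created from the
    mapped attributes only if automatic creation is enabled.
    """
    login, attrs = parse_attributes(assertion_xml)
    if login in user_store:
        return user_store[login], False
    if not auto_create:
        raise PermissionError(f"no account for {login!r} and automatic creation is disabled")
    fields = {}
    for saml_name, contact_field in SAML_TO_CONTACT.items():
        if saml_name in attrs:
            fields[contact_field] = attrs[saml_name][0]
    # Domain group membership (memberOf) becomes the new account's roles;
    # the attribute name is an assumption, not the product's configuration.
    roles = list(attrs.get("memberOf", []))
    contact = Contact(login, fields, roles)
    user_store[login] = contact
    return contact, True


if __name__ == "__main__":
    store = {}
    contact, created = jit_provision(SAMPLE_ASSERTION, store)
    print(created, contact)
```

The second call with the same assertion returns the existing contact without touching it, which is the point of keying the lookup on the login: role assignment happens once, at creation, from the identity provider’s attributes.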
Logging in on several resources
When you authenticate in one of the identity provider resources, the authentication to other provider resources will be automatic. The user does not need to enter their login and password to sign in to other applications.
Logging out from all resources
When you log out of one of the resources, all other resources and applications receive a request to end the current session, and each of them logs out the corresponding user.
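As an added example of the Single Log Out behaviour above (not bpm’online code), the following models a service provider that keeps every local application session bound to the identity provider’s NameID and SessionIndex. When a constructed SAML 2.0 LogoutRequest arrives from a trusted issuer, every local session tied to that identity provider session is terminated, while sessions of other users, or of the same user from a different identity provider session, are left alone. The issuer list and session-id format are assumptions; the request is unsigned for brevity, and a real service provider must verify its signature.

```python
import xml.etree.ElementTree as ET

# XML namespaces used by SAML 2.0 protocol messages.
NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# Identity providers this service provider trusts (hypothetical entity ID).
TRUSTED_ISSUERS = {"https://idp.example.test/"}

# Constructed sample LogoutRequest as an identity provider would send it to
# each service provider. Signature omitted; a real SP verifies it first.
SAMPLE_LOGOUT_REQUEST = """<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_lr1" Version="2.0">
  <saml:Issuer>https://idp.example.test/</saml:Issuer>
  <saml:NameID>jdoe@example.test</saml:NameID>
  <samlp:SessionIndex>idp-session-42</samlp:SessionIndex>
</samlp:LogoutRequest>"""


class SessionRegistry:
    """Tracks local application sessions and the IdP session that created each."""

    def __init__(self):
        self._sessions = {}  # local session id -> (application, name_id, session_index)
        self._counter = 0

    def create(self, application, name_id, session_index):
        """Record a new local session opened after a successful SSO login."""
        self._counter += 1
        sid = f"{application}-{self._counter}"
        self._sessions[sid] = (application, name_id, session_index)
        return sid

    def active(self):
        return dict(self._sessions)

    def logout_everywhere(self, name_id, session_index):
        """End every local session bound to this IdP session; return the ids ended."""
        ended = [sid for sid, (_, nid, idx) in self._sessions.items()
                 if nid == name_id and idx == session_index]
        for sid in ended:
            del self._sessions[sid]
        return ended


def parse_logout_request(xml_text):
    """Extract (name_id, session_index), rejecting requests from unknown issuers."""
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer not in TRUSTED_ISSUERS:
        raise ValueError(f"LogoutRequest from untrusted issuer: {issuer!r}")
    name_id = root.findtext("saml:NameID", namespaces=NS)
    session_index = root.findtext("samlp:SessionIndex", namespaces=NS)
    if not name_id or not session_index:
        raise ValueError("LogoutRequest lacks NameID or SessionIndex")
    return name_id, session_index


def handle_single_logout(registry, xml_text):
    """Apply an incoming LogoutRequest to the registry; return the sessions ended."""
    name_id, session_index = parse_logout_request(xml_text)
    return registry.logout_everywhere(name_id, session_index)


if __name__ == "__main__":
    reg = SessionRegistry()
    reg.create("crm", "jdoe@example.test", "idp-session-42")
    reg.create("portal", "jdoe@example.test", "idp-session-42")
    reg.create("crm", "asmith@example.test", "idp-session-7")
    print(handle_single_logout(reg, SAMPLE_LOGOUT_REQUEST))
    print(reg.active())
```

Binding on SessionIndex rather than on the login alone matters: a user signed in from two devices has two identity provider sessions, and logging out of one should not end the other.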
To set up Single Sign-On:
1. Set up the identity provider by adding bpm’online to its trusted websites.
2. Set up the trusted identity provider in bpm’online. Optionally, select the default identity provider.
Setup prerequisites:
1. A bpm’online website available over HTTPS, and administrator privileges on that website. Setting up bpm’online for HTTPS is described in the article.
2. Administrator privileges on the identity provider.
3. Users in the corporate domain.
Bpm’online can integrate with any identity provider that supports the SAML 2.0 protocol. This guide contains instructions on how to set up SSO with two popular identity providers: ADFS and OneLogin.