UPDATE: Critical changes have arrived with SSO on the web. Please review this article for more information: Enhanced Security Settings for SSO on Web – Support (ecompliance.com)
Table of Contents
1. SSO Introduction
2. SSO Support for eCompliance
3. SSO Setup
4. Systemic Changes After Enablement
1. SSO Introduction
What is SSO?
Single Sign-On (SSO) is a service that allows users to log into various tools with one secure login.
For example, a user would log into their SSO IdP, and they can connect eCompliance to their IdP dashboard. By clicking on their eCompliance app inside the dashboard, they can access the application without logging into the app directly.
What can we expect from leveraging SSO?
Enterprise customers value SSO as it supports:
- Enhanced Security:
  - SSO systems typically use strong authentication methods and centralized identity management, reducing the risk of weak or compromised passwords.
  - Centralized control over user access and authentication policies helps enterprises enforce security measures consistently across various applications.
- Reduced Password Fatigue:
  - With SSO, users only need to log in once to gain access to multiple applications and services. This reduces the number of passwords users must remember, leading to better password hygiene and reducing the likelihood of password-related security issues.
- Improved User Experience:
  - SSO provides a seamless and user-friendly experience; users don't have to remember and enter credentials multiple times.
  - It simplifies the login process, saving time and reducing frustration for employees who use various applications throughout their workday.
- Streamlined Access Management:
  - Centralized identity management allows IT administrators to easily provision and de-provision user access to applications, making onboarding and offboarding more efficient.
  - Changes to user permissions and access rights can be applied consistently across all connected applications.
- Compliance and Auditing:
  - SSO solutions often include robust auditing and reporting features. This helps organizations maintain compliance with regulatory requirements by tracking user access and authentication events.
  - Centralized control makes it easier to demonstrate and audit who has access to which systems and when.
- Cost Savings:
  - SSO can save costs by reducing helpdesk calls related to password resets and account lockouts. Users are less likely to forget passwords or encounter login issues with SSO in place.
  - Streamlining access management processes can also contribute to operational efficiency and cost-effectiveness.
- Integration with Enterprise Systems:
  - SSO systems can integrate seamlessly with other enterprise systems, such as directory services, identity providers, and access control mechanisms, creating a cohesive and interoperable security infrastructure.
- Mobile and Remote Access:
  - SSO facilitates secure access to applications from various devices and locations, supporting the increasingly mobile and remote nature of modern work environments.
How does SSO differ from Multi-Factor Authentication (MFA)?
SSO makes it easy to access different tools with one login, similar to a master key for multiple doors.
MFA adds an extra security step on top of your password, such as needing a special handshake and key to enter a secret club.
Combining SSO and MFA can create a secure yet convenient authentication experience, where you log in once (SSO) and then prove it's you with an additional layer of security (MFA) when needed.
Some common MFA methods include:
- A one-time code sent via text message or email, entered during the login process
- Time-sensitive codes generated by an authenticator app
- Push notifications to a registered device
- Answering predefined security questions during the login process
What is the difference between IdP and SP-initiated SSO?
SSO involves two parties: the Identity Provider and the Service Provider.
Identity Provider (IdP):
- An IdP authenticates users and provides identity information to other parties (Service Providers).
- It performs user authentication and, upon successful authentication, issues a token or assertion containing user identity information.
- Common identity protocols used by IdPs include Security Assertion Markup Language (SAML), OpenID Connect, and OAuth.
Service Provider (SP):
- An SP is a system or application that relies on an external IdP to authenticate users.
- The SP trusts the information the IdP provides and uses it to grant access to resources or services.
- SPs typically consume tokens or assertions issued by the IdP to make access control decisions.
The user experience for each:
SP-initiated SSO: The manager creates an account for the user in their SSO tool and connects that tool to eCompliance. When the user logs in to eCompliance and enters their details, the SSO tool opens; they log in to their SSO tool and are then directed into eCompliance.
IdP-initiated SSO: Same setup as above; however, the user opens the SSO tool first and selects eCompliance there. They open eCompliance directly from inside their SSO tool.
2. SSO Support for eCompliance
How do our SSO features compare to other/common SSO offerings?
- We don't support 'Just In Time' user provisioning. This means a user must follow the verification steps to create an account on eCompliance before linking it to their SSO tool. The SSO and eCompliance accounts must be set up before SSO can be used.
- Having SSO enabled will still allow users to log in to the eCompliance app through the eCompliance app itself. Setting up SSO with eCompliance does not prevent a user from using other login methods.
If my Customer Success Manager disables SSO on my organization's account, will users at my organization be locked out?
No, the users will not be locked out. eCompliance users who use SSO for login authentication can still use the app directly while SSO is disabled or enabled.
Does EcoOnline have any formal partnerships with the recommended third-party providers?
EcoOnline has no formal partnership with Okta or Microsoft Azure for SSO. However, we can reach out to these teams for support if required.
What is the difference between SSO provided by a third party vs. EcoID?
EcoID is EcoOnline's tool to provide SSO and MFA, along with other features, to our customers. Rather than relying on third-party tools such as Okta or Azure, EcoOnline customers will be able to use EcoID for their SSO needs once it is available.
Which types of SSO services does eCompliance support?
Web SSO: IdP and SP initiated
Mobile SSO: SP initiated
What is the difference between web and mobile SSO?
Web SSO is used to log into the eCompliance web app (my.ecompliance.com). This also covers the responsive web experience (accessing the website in a mobile browser).
Mobile SSO is used to log into the eCompliance mobile app.
How do we triage SSO from an initial support queue request?
SSO requests sent to our team are triaged following the same process as other support requests. The support team will triage the request, and our product and engineering teams will support customers by addressing their concerns.
What common errors should I expect, and how can I self-troubleshoot these issues?
- "Could not log in. Invalid credentials."
  Ensure that the credentials added to the app settings in your SSO tool match the credentials for the account on eCompliance.
- "The server was unable to process your request."
  Check that the eCompliance application added to your SSO tool contains the correct URL.
Can I implement both SSO and MFA for login authentication?
Yes; however, this depends on the third-party tool you are using, as eCompliance itself does not currently offer MFA. Okta supports both SSO and MFA, which customers can leverage for their users when using eCompliance.
Which employee permission allows a user to enable SSO for my organization's eCompliance account?
Employees with the 'Account Manager' permission can enable SSO for their organization. SSO configuration settings can be found in the Settings module.
SSO configuration settings are visible and available after an account's Customer Success Manager has enabled SSO (web and/or mobile).
Is the Settings module in eCompliance specific to a site or the entire user account?
The Settings module in eCompliance is for the entire organization. It is not specific to a site.
Can I limit which employees can use SSO for login authentication?
If you use the advanced security settings to strictly enforce SSO login, then no, SSO cannot be limited to specific employees, since all users in your organization will be required to authenticate through your IdP.
However, if you simply enable but do not enforce SSO, users configured in your IdP can use SSO while other users with emails or usernames can log in as they normally would.
Can users who log in via username login with SSO?
This depends on the IdP; most IdPs do allow username login. Please confirm that your chosen IdP tool supports username login.
3. SSO Setup
How much does this feature cost?
SSO is included in your eCompliance subscription.
Is SSO available on web and mobile?
Yes, this feature is available on the web and mobile.
What is the minimum required mobile version for mobile SSO?
The minimum mobile app version required for mobile SSO to work is 7.17.0.
Once enabled, does the EcoOnline team mandate updating the mobile app?
At the moment, we do not mandate updates. Your team must ensure that those using eCompliance are on the latest version of the mobile app (7.17.0 or later).
Our team can mandate a minimum mobile version for those needing assistance. Please reach out to our support team if this is required.
I would like to enable SSO. What are the steps to do so?
Here are the steps to follow to enable SSO for your organization's account on eCompliance:
- Inform your Customer Success Manager.
  - Confirm whether you are using Identity Provider-initiated (IdP-initiated) or Service Provider-initiated (SP-initiated) SSO, and for which platforms (web or mobile).
  - Confirm which third-party provider you are using (we support Microsoft and Pomerleau).
- Review the SSO documentation. Your Customer Success Manager will then enable SSO on your organization's eCompliance account.
- Once enabled, go to the Settings module and set up SSO following the instructions in the SSO documentation.
- If you have any questions or concerns, please feel free to reach out to your Customer Success Manager.
Is there a separate setup process for enabling SSO for web and mobile?
Yes, there is a separate process for each outlined in our SSO documentation. See here for our setup guide for the mobile app.
4. Systemic Changes After Enablement
Can employees still log in through normal login methods (using credentials) after enabling SSO?
Yes, employees can still log in through other available login methods. eCompliance does not support 'Just In Time' user provisioning, so employees can still log in through other available login methods after SSO enablement. See this section for more information.
How does SSO impact adding employees to the workflow?
SSO is a secure way to log into the eCompliance mobile app using a company-issued identity tool. With SSO, safety managers are still required to create user accounts and invite them to eCompliance.
Will enabling SSO create new employee accounts?
No, SSO enablement will not interfere with account creation. No new employee accounts will be created once SSO is enabled.
With SSO enabled, will users need to be added with the employee importer or through the Employees module?
Yes. Enabling SSO does not change the flow of adding users to eCompliance.
Will enabling SSO overwrite data on existing employee accounts?
No, all employee profiles and accounts will stay the same as before SSO is enabled. No data or accounts will be overwritten.
Does a manager still have to add employees to eCompliance?
Yes, safety managers must still add their employees to eCompliance through normal methods (through the Employee module).
If the email address is changed on an existing employee profile, does SSO impact the typical workflow for making that change? Would the customer need to change the SSO setup on their end?
When login credentials are changed on an existing employee profile in eCompliance, the corresponding eCompliance app settings in the SSO tool must also be updated.