Overview
Single Sign On (SSO) allows your organization to manage access to multiple enterprise applications, mitigate security risk, and relieve you and your organization of managing access separately for many users.
Enabling SSO does not disable traditional login for existing users. Password login can be disabled for any user after SSO is enabled by using "Strict Mode".
New users added via your IdP (when 'Just in Time Provisioning' is enabled in GUIDEcx) will be added as contributors by default, with traditional login disabled. Permissions can be adjusted in GUIDEcx from the user edit screen (something only Admins or Managers can do).
Once enabled, SSO login can be initiated from the GUIDEcx login screen (Service Provider Initiated) or from your IDP (IDP Initiated Flow).
Before Setting Up
To use Single Sign On (SSO), you must have a cloud identity provider (IdP) or federation service in place that supports authentication via SAML 2.0. (Read more about SAML 2.0 here). To have SSO enabled, reach out to us via chat or email. You'll also need a contact who is familiar with your particular IdP.
Note: SSO only applies to your internal users, NOT to any GUIDEcx user (i.e. your customers).
How to Set Up SSO in GUIDEcx
Each IdP has its own setup flow, but every SAML-based IdP needs the same inputs.
In GUIDEcx, navigate to “Company Details” in the top-left corner. Go to the “Settings” tab and scroll down to the SSO configuration area that’s near the bottom of the page. You'll need to provide your IDP with the:
Single Sign On URL (https://api.guidecx.com/users/auth/saml/callback)
Service Provider Entity ID (https://app.guidecx.com)
Log in to your IdP service. This will most likely require admin permissions to set up the application. Set up your application with the Single Sign-On URL and “Service Provider Entity ID” obtained in the prior step.
NameID format is expected to be "emailAddress".
Additional user attributes (only used for JIT provisioning):
firstName
lastName
After setting up the application, go to your IdP and locate the:
Identity Provider Issuer URL
Identity Provider Single Sign-On URL
Certificate - this can be labeled as "X.509 Certificate"
Add this IDP info into GUIDEcx.
Enable “Just In Time Provisioning” if desired. This will allow your IdP to create users in GUIDEcx, eliminating the need to add them in advance.
Enable the SSO toggle in the top-left.
After setting up the application, the credentials can be found in the application under the “Single Sign On” tab.
Advanced Setup Options
Just-In-Time Provisioning (JIT): Enabling JIT will allow you to create new users automatically as they login through your IdP. All users will be created as a contributor. In order for a user to be created through JIT provisioning, your IdP needs to send firstName and lastName user attributes in the SAML Response.
Strict Mode: Enabling strict mode will force all of your users to login through SSO, disabling username/password login through GUIDEcx. Your organization admins are excluded from this to provide them the ability to maintain the SSO configuration.
Post-SSO Sign In Steps:
Clear your cookies and cache
Navigate to https://app.guidecx.com/
Click on “SSO Login” in the bottom-left corner.
Enter your email address
You will be navigated to your organization's SSO login page. Finish the steps there!
Once attribute fields have been added in your IdP, assign the app to the desired users. The user will need to sign in FIRST, and THEN the account will be created via JIT in GUIDEcx.
Note: If you're an admin, don't forget to send these steps out to your team.
Integrating SSO After Onboarding
Impact it has on current internal teams:
Managing logins has to be done through the SSO provider. i.e. usernames and passwords cannot be updated in GUIDEcx, they have to be updated in the SSO platform.
New users must be set up in the SSO platform.
Once SSO is implemented, users will remain logged into GUIDEcx until one of the following happens:
Their cookies are cleared
Their browser is shut down
They log out of GUIDEcx
This change of using SSO after onboarding won't have an impact on your customers.
How to Uninstall SSO
To disable the Single Sign-On integration,
Go to “Company Details” in the top-left corner of GUIDEcx.
Go to the “Settings” tab.
Scroll down to the Single Sign-On settings.
Click the toggle so the color goes from green to gray.
Once gray, it is now OFF.
Troubleshooting
If your SAML response is misconfigured, it could be for a variety of reasons. One thing to check is whether the SubjectConfirmation has a Recipient.
For example:
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData NotOnOrAfter="2024-04-02T19:04:28Z" Recipient="" />
</saml:SubjectConfirmation>
Below is what it should look like. Note that the Recipient is populated with the “Single Sign On URL”. This is also referred to as the SAML Assertion Consumer Service (ACS) URL.
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml2:SubjectConfirmationData NotOnOrAfter="2024-04-05T14:36:35.304Z" Recipient="https://api.dev.guidecx.io/users/auth/saml/callback"/>
</saml2:SubjectConfirmation>
Once this is sorted out, try testing again and you may be in!
There are also great and free tools available to test and verify your configuration and identify issues. One is found here: SAML Response Validator - Validate SAML Metadata, Signatures & Certificates.
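As an added example (not GUIDEcx code or any tool linked above), the small offline checker below inspects a SAML assertion for the inputs this article says GUIDEcx depends on: the Recipient matching the Single Sign On (ACS) URL, an unexpired NotOnOrAfter, the NameID in emailAddress format, and the firstName/lastName attributes needed for JIT provisioning. The two assertions it checks are constructed samples, not real captures, and the ACS URL is the one shown in the setup steps.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

ACS_URL = "https://api.guidecx.com/users/auth/saml/callback"  # Single Sign On URL from the setup steps
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}  # both saml: and saml2: prefixes use this URI
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
T0 = datetime(2024, 4, 1, tzinfo=timezone.utc)  # fixed "now" for the constructed samples below

def check_assertion(xml_text, acs_url=ACS_URL, now=None):
    """Return a list of problems found; an empty list means the checked parts look right."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    problems = []
    # Recipient must equal the ACS URL; the broken example in the article has Recipient=""
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    if scd is None:
        problems.append("no SubjectConfirmationData element")
    else:
        if scd.get("Recipient", "") != acs_url:
            problems.append("Recipient %r does not match ACS URL %r" % (scd.get("Recipient"), acs_url))
        expiry = scd.get("NotOnOrAfter")
        if expiry and datetime.fromisoformat(expiry.replace("Z", "+00:00")) <= now:
            problems.append("assertion expired: NotOnOrAfter %s" % expiry)
    # NameID should carry the email address in the emailAddress format
    nameid = root.find(".//saml:NameID", NS)
    if nameid is None or nameid.get("Format") != EMAIL_FMT:
        problems.append("NameID missing or not in emailAddress format")
    # JIT provisioning needs firstName and lastName attributes in the response
    present = {a.get("Name") for a in root.findall(".//saml:Attribute", NS)}
    for needed in ("firstName", "lastName"):
        if needed not in present:
            problems.append("missing attribute %s (required for JIT provisioning)" % needed)
    return problems

# Constructed sample: the misconfigured shape from the article (empty Recipient, no JIT attributes)
BAD = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jo@example.com</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData NotOnOrAfter="2024-04-02T19:04:28Z" Recipient=""/>
</saml:SubjectConfirmation></saml:Subject></saml:Assertion>"""
# Constructed sample: the corrected shape, with Recipient set to the ACS URL and JIT attributes added
GOOD = BAD.replace('Recipient=""', 'Recipient="%s"' % ACS_URL).replace(
    "</saml:Subject>", '</saml:Subject><saml:AttributeStatement>'
    '<saml:Attribute Name="firstName"><saml:AttributeValue>Jo</saml:AttributeValue></saml:Attribute>'
    '<saml:Attribute Name="lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>'
    '</saml:AttributeStatement>')

if __name__ == "__main__":
    for label, doc in (("bad", BAD), ("good", GOOD)):
        print(label, check_assertion(doc, now=T0) or "OK")
```

Paste a decoded SAMLResponse assertion in place of the samples to run the same checks against your own IdP output; a signature check is out of scope here and is what the validator tool linked above adds.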