Single Sign-On (SSO) lets employees securely access a host of Internet tools with a single username and password. There are four primary reasons why your business should consider leveraging Single Sign-On:
SSO helps the end user. Implementing SSO means employees are required to commit just one password to memory. With one password to remember, a user can easily create and remember a unique, strong password without writing it down. SSO reduces password fatigue and frustration and makes the employee more efficient.
SSO benefits the company. Fewer passwords to remember means fewer calls to the helpdesk, leaving more time for other tasks for both the end user and IT. Fewer calls to the helpdesk (which is often outsourced) also reduce cost to the company.
SSO improves security. When employees are required to remember numerous passwords, it is easy to fall into lazy habits, such as using simple, easy-to-remember passwords that are more easily guessed or cracked, or writing passwords down on post-it notes where they can easily be stolen or fall into the wrong hands.
SSO helps with compliance. SSO helps companies increase control over users' access to certain information and easily enforce password change policies. This makes it simpler for organizations to comply with HIPAA, SOX, and other regulations.
Single Sign-On with Lytics
Lytics supports enterprise SSO by using Auth0 as the service provider, speaking the SAML protocol. Lytics integrates with Identity Providers (IdPs) using IdP-initiated SSO. That is, your end users log in to their IdP through a global portal for your organization, then click a link or button that logs them into Lytics seamlessly.
Behind the scenes, the IdP contacts the Lytics Auth0 service provider to verify the user and redirects them to a logged-in instance of the Lytics app. This document describes the process for integrating with a new IdP that uses SAML.
Service Provider Configuration
To configure SAML for the Lytics service provider, some information is required about your IdP. If you have a metadata file that contains your SAML provider information, you can provide that instead; just make sure that the following information is provided to Lytics Support:
- Sign In URL
- X509 Signing Certificate (the identity provider's public key, ideally supplied as a separate PEM- or CER-formatted file)
- Sign Out URL
Further configuration details such as mappings may need to be provided. Once this information has been received, Lytics can configure the SAML connection in Auth0.
After Lytics configures the SAML connection on the service provider, Lytics Support will provide a metadata XML file with the following information in order to complete the IdP configuration. The key fields in this metadata are:
- Connection Name
- Assertion Consumer Service (ACS) URL (aka post-back or callback URL)
- Entity ID of the Service Provider
With this information, your IdP connection can be configured to complete the SSO integration.
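The IdP-side values listed above (Sign In URL, Sign Out URL, X509 signing certificate) can be pulled out of the IdP's SAML metadata file rather than copied by hand. The Python script below is an added example, not Lytics' or Auth0's code. The metadata document is constructed, the two base64 blobs are placeholder DER sequences standing in for real certificates, and preferring the HTTP-Redirect binding over HTTP-POST when picking the sign-in and sign-out URLs is an assumption. It keeps only the KeyDescriptor marked use="signing" (or with no use attribute) and skips encryption keys, which is the usual mix-up when an IdP publishes both, checks that the certificate decodes to a DER SEQUENCE, and wraps it as PEM so it can be handed over as a separate file.

```python
import base64
import textwrap
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed placeholders: minimal DER SEQUENCEs, NOT real X.509 certificates.
SIGNING_CERT_B64 = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()
ENCRYPTION_CERT_B64 = base64.b64encode(b"\x30\x03\x02\x01\x02").decode()

# Constructed IdP metadata with both an encryption and a signing key, and two
# SingleSignOnService bindings, to exercise the selection logic below.
SAMPLE_IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.com/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{ENCRYPTION_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {SIGNING_CERT_B64}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="{REDIRECT}" Location="https://idp.example.com/slo"/>
    <md:SingleSignOnService Binding="{POST}" Location="https://idp.example.com/sso/post"/>
    <md:SingleSignOnService Binding="{REDIRECT}" Location="https://idp.example.com/sso/redirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def _service_url(descriptor, tag, preferred_bindings):
    """Pick the Location of a service element, trying bindings in preference order."""
    by_binding = {e.get("Binding"): e.get("Location") for e in descriptor.findall(f"md:{tag}", NS)}
    for binding in preferred_bindings:
        if binding in by_binding:
            return by_binding[binding]
    return None


def to_pem(b64_blob):
    """Normalise a base64 X509Certificate value (whitespace allowed) into PEM text."""
    der = base64.b64decode("".join(b64_blob.split()))
    if not der or der[0] != 0x30:  # a certificate is always an ASN.1 SEQUENCE
        raise ValueError("X509Certificate content is not a DER SEQUENCE")
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def extract_idp_settings(metadata_xml):
    """Return the IdP fields Lytics Support asks for, read from IdP SAML metadata."""
    root = ET.fromstring(metadata_xml)
    descriptor = root.find("md:IDPSSODescriptor", NS)
    if descriptor is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    # Only signing keys verify assertions; an encryption-only key here is a misconfiguration.
    signing = [kd for kd in descriptor.findall("md:KeyDescriptor", NS)
               if kd.get("use", "signing") == "signing"]
    if not signing:
        raise ValueError("metadata has no signing KeyDescriptor")
    cert = signing[0].find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if cert is None or not cert.text:
        raise ValueError("signing KeyDescriptor carries no X509Certificate")
    return {
        "entity_id": root.get("entityID"),
        "sign_in_url": _service_url(descriptor, "SingleSignOnService", (REDIRECT, POST)),
        "sign_out_url": _service_url(descriptor, "SingleLogoutService", (REDIRECT, POST)),
        "signing_cert_pem": to_pem(cert.text),
    }


if __name__ == "__main__":
    settings = extract_idp_settings(SAMPLE_IDP_METADATA)
    with open("idp-signing.pem", "w") as fh:  # the separate PEM file to hand to Support
        fh.write(settings["signing_cert_pem"])
    for key in ("entity_id", "sign_in_url", "sign_out_url"):
        print(f"{key}: {settings[key]}")
```

Run it against your IdP's real metadata by reading the file into `extract_idp_settings`; if it raises on the signing key, the IdP is publishing only an encryption certificate and the metadata needs to be regenerated before Lytics can configure the connection.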
Once all the information has been configured in both the IdP and the Lytics service provider, you can test and verify that the SSO implementation works as expected. If you are using SSO as your only sign-in method, please disable any password restriction or expiration settings that may have been enabled in the UI.
During the testing process, Lytics can be configured to allow both SSO logins and regular username and password (or Google OAuth) login through the app. This allows for users to test SSO without disrupting the day-to-day usage of the app.
If requested, once the SSO implementation has been tested and verified, Lytics can disable the use of other logins for an account.
If SSO will be added to an account, the email addresses of users added to that account must match the email addresses present in the IdP. If an email address does not match, the login fails, because Lytics cannot find a user with that email address.
For instance, if the email listed in the IdP is [email protected], and within Lytics it is [email protected], then the user will have been verified successfully by their IdP, but the login within Lytics fails because the authenticated user's email does not match any user within Lytics. You would need to create a new user within Lytics with the email address [email protected] for the SSO login to succeed. You can check, add, and remove users for an account using the Managing Account Users guide as a reference.
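The failure described above happens after the IdP has accepted the login: the SAML Response posted to the ACS URL is valid, but its subject email has no matching Lytics user. The Python below is an added example, not Lytics' or Auth0's code, of the checks a service provider runs on an IdP-initiated SAML Response before it looks the user up, followed by the email match against the account's user list. The SP entity ID, ACS URL, user list and the response document are all constructed. The Signature element is a placeholder: verifying the XML signature against the IdP's X509 signing certificate needs an XML-DSig library and is left out here (Auth0 performs that step in the real flow). Comparing emails case-insensitively is an assumption; the page only says they must match.

```python
import datetime as dt
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Hypothetical service-provider values, standing in for the Entity ID and ACS URL
# that Lytics Support supplies in the SP metadata file.
SP_ENTITY_ID = "urn:auth0:example-tenant:example-connection"
SP_ACS_URL = "https://example-tenant.auth0.com/login/callback?connection=example-connection"

# Constructed Lytics account user list.
ACCOUNT_USERS = ["jane.doe@example.com", "admin@example.com"]

# Constructed SAML Response as an IdP would POST it to the ACS URL. The Signature
# element is a placeholder; real signature verification is not implemented here.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    xmlns:ds="{NS['ds']}" Destination="{SP_ACS_URL}" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion>
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">Jane.Doe@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2024-01-01T12:05:00Z" Recipient="{SP_ACS_URL}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def _ts(value):
    """Parse a SAML UTC timestamp such as 2024-01-01T12:00:00Z."""
    return dt.datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)


def validate_response(xml_text, now_iso, skew=dt.timedelta(seconds=60)):
    """Return the asserted email if the response is acceptable for this SP, else raise ValueError."""
    now = _ts(now_iso)
    root = ET.fromstring(xml_text)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise ValueError("IdP reported a non-success status")
    if root.get("Destination") != SP_ACS_URL:
        raise ValueError("Destination does not match this SP's ACS URL")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no plain Assertion (encrypted assertions are not handled here)")
    if assertion.find("ds:Signature", NS) is None:
        raise ValueError("assertion is unsigned")  # real code verifies it with the IdP certificate
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion has no Conditions")
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if (not_before and now < _ts(not_before) - skew) or (not_on_or_after and now >= _ts(not_on_or_after) + skew):
        raise ValueError("assertion is outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        raise ValueError("assertion is not addressed to this SP entity ID")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != SP_ACS_URL or now >= _ts(scd.get("NotOnOrAfter")) + skew:
        raise ValueError("bearer confirmation is not valid for this ACS URL")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not name_id.text:
        raise ValueError("assertion subject carries no NameID")
    return name_id.text.strip()


def resolve_account_user(email, users=ACCOUNT_USERS):
    """Match the asserted email against the account's users (case-insensitive: an assumption)."""
    wanted = email.casefold()
    return next((u for u in users if u.casefold() == wanted), None)


def sso_login(xml_text, now_iso):
    """Full IdP-initiated login: validate the response, then map the subject to a Lytics user."""
    email = validate_response(xml_text, now_iso)
    user = resolve_account_user(email)
    if user is None:
        return {"ok": False, "reason": f"no user with email {email} on this account; add the user first"}
    return {"ok": True, "user": user}


if __name__ == "__main__":
    print(sso_login(SAMPLE_RESPONSE, "2024-01-01T12:00:30Z"))
    print(sso_login(SAMPLE_RESPONSE.replace("Jane.Doe@example.com", "jane.d@example.com"), "2024-01-01T12:00:30Z"))
```

The two `print` calls show the contrast the text describes: the first response passes every SP check and maps to `jane.doe@example.com`; the second passes the same checks but fails at the very last step because no account user carries that address, which is exactly the situation where the IdP login succeeds and the Lytics login does not.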
It should also be noted that a user's primary account is the first account the user was added to. Because of this, users from a single group or organization will often have different primary accounts. This matters for SSO because the primary account is the account the user is logged into at the start of their session. If SSO is enabled as the only means of login on one account and a user attempts to log in using Google OAuth or their username and password, the login session will fail. The following options are possible solutions:
- Add that user to your IdP.
- Add other methods of logging in (Google OAuth, username/password).
- Remove the user from all accounts and then add them back, with the first account being the account that you want to be their primary account.
Lytics Support can assist in the troubleshooting process. When testing for the first time, Lytics can enable logging to help troubleshoot any issues you may encounter. If you are receiving the error message shown below after being redirected to the app, there is an issue on the application side.
The Lytics Support team can help debug this if you provide information on the login attempt, such as the time of the login, the user, and the account.
If you encounter an error earlier in the login process, such as before you are redirected to the Lytics app, this may be an issue with the SAML configuration on either the IdP or the service provider side. Lytics' support team can review these issues and coordinate a fix; contact us with the details of the issue.