This article has been translated with machine translation.
What is SSO?
SSO (Single Sign On) is an authentication method that allows everyone within your organization to access iChemistry seamlessly.
With your IT department controlling who has access, there is no need to create unique users with yet another username and password to manage. In simple terms, you use the same login credentials as when you log into your computer. You just need to distribute a link to your iChemistry system. In this way, the experience of gaining access to the system is secure, simple and saves time.
How does SSO work in iChemistry?
- When a user opens their iChemistry link, the platform checks whether a matching user exists in the database and, if one is found, grants access.
- If there is no user with the provided email address, iChemistry creates an account for them and grants access using the information from the claims in the SAML response (what your IT team has set up in the configuration stage). By default, new users are granted read-only access to your organization's information.
- Permissions within iChemistry can still be managed in the platform afterwards, so handling permissions with SSO remains easily adjustable.
With SSO, you save time creating users, because SSO does the work for you.
User Access Management with SSO:
With Single Sign On using SAML 2.0, you control from Active Directory who should have access to iChemistry, which permissions they should be granted, and which department a user belongs to.
With this information coming from Active Directory, you no longer need to manage the users within iChemistry.
Every time a user attempts to access iChemistry, the user is authenticated using the SAML Response, which contains the user's permission group and department, and the user account within iChemistry is updated accordingly.
Good to know about the configuration of SSO in iChemistry:
Configuring SSO for iChemistry entails a few tasks for both parties. When SSO is enabled for iChemistry, local authentication is bypassed and users are prompted to log in through your organization's domain. For that to work, Intersolia will configure SSO together with your IT team, who needs to provide us with so-called metadata. The attributes we will need are userEmail, userFullName, userId, userRole and departmentId.
We support Azure AD and SAML 2.0.
Further explanation will be given on request if you are interested in expanding your agreement with SSO authentication.
If you are interested in the SSO option, please contact your account owner or Customer Service support@intersolia.com and we look forward to helping you.
Technical FAQ
SSO (Single Sign On) is an authentication method that grants access to iChemistry without using a username and password from the iChemistry system. There is no need to create user accounts locally, and no more forgotten passwords.
Authentication is done through the customer's domain (sometimes called the Identity Provider).
Here are some frequently asked questions regarding iChemistry Single Sign On.
Which SSO Protocols are supported?
iChemistry Single Sign On works with SAML 2.
Does SSO work with ADFS and/or Azure AD?
Yes. Any Identity Provider should work as long as it supports SAML 2 with custom claims and attributes.
Is SSO SP or IdP initiated?
Both scenarios work. If the user is already authenticated to the domain in their local browser, iChemistry authenticates the user by verifying the SAML Response from the customer's identity provider, and the user is logged in seamlessly.
If the user is not authenticated to the domain, iChemistry forwards the user to the customer's identity provider with a SAML Request, and the user needs to authenticate through the domain.
What is the EntityID for iChemistry SAML Configuration?
You should call it iChemistrySSO. If you use any other EntityID, iChemistry support will need to know it when enabling SSO for your iChemistry link.
Which Claims and Attributes are required?
You need to configure at least the following attributes.
- userFullName
- userEmail
- userRole
- departmentId
- userId
Identifier
By default, iChemistry uses userEmail as the identifier of a user, but you can also add an additional claim for another unique identifier such as the UPN.
- userPrincipalName
Is there a way to define a different department for writing rights?
You can add an optional claim and attribute for
- departmentWriteId
Where do I configure department id?
Settings > General > Department info
DepartmentID is defined in the field Department ID
What if the domain does not have a property for all the claims?
You need to have at least userFullName and userEmail for all users.
userRole, departmentId and userId need to be present in the SAML response, with or without a value.
However, some identity providers do not send claims if they have no value.
To get around this, you can set constant values for these claims, for example userRole "SSO", departmentId "1" and userId "SSO".
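The two FAQ entries above (required claims, and the constant-value workaround for identity providers that drop empty claims) can be checked mechanically. The following is an added example, not Intersolia's code: it reads the AttributeStatement of a SAML 2.0 assertion, reports which of the iChemistry claims are missing or empty, and builds the local account fields using userEmail or the optional userPrincipalName claim as identifier. The sample assertion and the user in it are constructed, and the code assumes the SAML library has already verified the response signature before the attributes are trusted.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED_WITH_VALUE = ("userFullName", "userEmail")        # must carry a value
REQUIRED_PRESENT = ("userRole", "departmentId", "userId")   # must exist, may be empty

def attributes(assertion_xml: str) -> dict:
    """Map attribute Name -> first AttributeValue text ('' when the value is empty)."""
    root = ET.fromstring(assertion_xml)
    out = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        out[attr.get("Name")] = values[0] if values else ""
    return out

def check_claims(attrs: dict) -> list:
    """Return the problems that would stop iChemistry from provisioning this user."""
    problems = []
    for name in REQUIRED_WITH_VALUE:
        if not attrs.get(name):
            problems.append(f"{name} missing or empty")
    for name in REQUIRED_PRESENT:
        if name not in attrs:
            problems.append(f"{name} absent (IdP may drop empty claims; send a constant value)")
    return problems

def user_record(attrs: dict, use_upn: bool = False) -> dict:
    """Local account fields; identifier is userEmail, or the UPN claim if configured."""
    problems = check_claims(attrs)
    if problems:
        raise ValueError("; ".join(problems))
    rec = {name: attrs[name] for name in REQUIRED_WITH_VALUE + REQUIRED_PRESENT}
    rec["identifier"] = attrs["userPrincipalName" if use_upn else "userEmail"]
    rec["departmentWriteId"] = attrs.get("departmentWriteId", "")  # optional claim
    return rec

# Constructed sample (hypothetical user): userId is sent empty, userRole is omitted entirely.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:AttributeStatement>
  <saml:Attribute Name="userFullName"><saml:AttributeValue>Ada Example</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="userEmail"><saml:AttributeValue>ada@example.org</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="departmentId"><saml:AttributeValue>42</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="userId"><saml:AttributeValue/></saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""
```

Running check_claims on the sample flags only userRole: the empty userId passes because the claim is present, which is exactly the distinction the FAQ draws.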
How does Single Sign On define user language?
Upon the first login to iChemistry, Single Sign On creates a local account for the user with the application defaults (which depend on how the iChemistry URL is set up).
How does Single Sign On define user permission group?
By default, iChemistry grants all users the minimum read access and puts the user in the 'User' group.
As an Administrator you can change the user to a different permission group.
Alternatively, you can provide the user's permission group from your domain by using the userRole claim.
What happens when user ends his/her employment?
There is no automation to remove inactive users from the iChemistry database.
You can find and remove users manually in iChemistry (Settings > Permissions > Users).
Can SSO be enabled for an existing iChemistry that already uses usernames and passwords?
This is usually not a problem. To avoid any confusion with existing permissions, make sure all user accounts in iChemistry have the correct email address set, since SSO identifies users by their email addresses.
Are there any costs on number of users?
No. iChemistry allows an unlimited number of users and user permission groups.
Does Single Sign On work with multiple links?
Yes. Single Sign On is configured by Intersolia for all links unless agreed otherwise.
Depending on the configuration, the same SAML configuration can be used for all links.
In some cases there may be a need to create separate federations for the links (for example if the customer has multiple domains used in different countries).
Does the iChemistry smartphone app work with Single Sign On?
Yes, just like iChemistry on the web. When the user enters the application id in the app, the user is redirected to the customer's domain login page with a SAML Request. The user logs in to the domain and is redirected back to the app, logged in as that user.
Can you use username & password when SSO is enabled?
Not by default. To bypass Single Sign On, contact customer support for more information.
Can you (pre-)create username & password when SSO is enabled?
Yes. You can create users locally in iChemistry; however, iChemistry will still check that the user has authenticated through the domain.
If a user is created in iChemistry, upon first login the user needs to change their temporary iChemistry password to something else. This password is never asked for again while SSO is enabled.
What happens if user accounts are removed from iChemistry user list?
The user account is inactivated and can no longer be used. The next time the same user tries to log in using SSO and has been granted access from the domain, a new user account is created.