What is Single Sign-On (SSO)?

Single Sign-On (SSO) is an authentication mechanism that allows one set of login credentials (e.g. username & password) to be used to access multiple applications. Authentication is performed through a single central domain, and the resulting session is shared across the different applications in a secure fashion.

  • An example of SSO login is the implementation used by Google. Once a user logs in to Gmail, they automatically gain access to all other Google products.


What are the advantages of an SSO?

The implementation of SSO allows each user to access different applications with a single set of credentials. This has the following advantages:


For IT Administrators

  • Users are managed, at company admin level, through a centralized domain that allows admins to delete or restrict user access.
  • Using a single set of credentials can help to increase security, especially when combined with two-factor authentication (for long lapses between log-ins or a forgotten password).


For Users

  • Users can access a range of platforms and apps that support SSO without having to log in each time.
  • Users won't need to remember multiple passwords.
  • Users won't have to enter credentials as often.
  • A forgotten password is easier to process and manage from a single SSO.


How does it work with Idomoo?

Instead of Idomoo authenticating user credentials during login, SSO delegates user sign-in and authentication to a predefined SSO service. Below is an explanation of this process.

  1. Idomoo’s application redirects a sign-on & authorization request to the SSO service.
  2. The SSO service checks whether the user is already authenticated:
    1. If the user is already authenticated, the SSO service skips to the next step.
    2. If the user is not authenticated, the SSO service prompts for authentication, usually with a pop-up or a screen that requests a username & password.
  3. Provided the username & password are legitimate, the SSO service sends a signed security assertion back to the app.



Integration with Idomoo

Idomoo utilizes Amazon Cognito as a solution for user authentication and access control.

Amazon Cognito supports the transfer of identity data between the following two parties:

  • An identity provider (IdP)
  • The service provider


In Idomoo’s case, this uses Security Assertion Markup Language 2.0 (SAML 2.0).

The identity provider you choose performs the authentication and passes the user's identity and authorization level to Idomoo’s application. Idomoo’s application trusts the identity provider and grants the user access to the requested resource.
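That trust is conditional: before accepting what the identity provider sends back, the service provider (Cognito, in Idomoo’s case) verifies the response's signature and then confirms that the assertion was issued for this service, delivered to this endpoint and is still within its validity window. The following Python example is added here for illustration and is not Idomoo’s or Amazon Cognito’s code; it implements those content checks using the ACS URL and SP Entity ID given in Step 1 below, while the IdP entity ID, the sample response and its timestamps are constructed for the example.

```python
"""Content checks a SAML 2.0 service provider applies to an IdP response.

Added example, not Idomoo's or Amazon Cognito's code. Signature verification
against the IdP metadata certificate is assumed to have passed and is not shown;
the checks below bind the assertion to this SP, this endpoint and this moment,
which is what rejects a response issued for another service or replayed later.
"""
import xml.etree.ElementTree as ET  # use defusedxml for untrusted input in production
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# Values from the page's Step 1 table.
ACS_URL = "https://auth.idomoo.com/saml2/idpresponse"
SP_ENTITY_ID = "urn:amazon:cognito:sp:us-east-1_eU1R3GSYy"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Hypothetical IdP entity ID, assumed for this example.
EXPECTED_ISSUER = "https://idp.example.com/saml/metadata"
CLOCK_SKEW = timedelta(minutes=3)


def _ts(value):
    """Parse the ISO 8601 UTC timestamps SAML uses, e.g. 2024-05-01T12:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_response(xml_text, now):
    """Return the problems found; an empty list means the response is acceptable."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        return ["document is not a samlp:Response"]
    if root.get("Destination") != ACS_URL:
        problems.append("Destination is not our ACS URL")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        problems.append("status is not Success")
    a = root.find("saml:Assertion", NS)
    if a is None:
        return problems + ["no Assertion element"]
    if a.findtext("saml:Issuer", default="", namespaces=NS) != EXPECTED_ISSUER:
        problems.append("Issuer is not the configured IdP")
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        problems.append("no Conditions element")
    else:
        audiences = [x.text for x in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if SP_ENTITY_ID not in audiences:
            problems.append("AudienceRestriction does not name our SP Entity ID")
        if cond.get("NotBefore") and now + CLOCK_SKEW < _ts(cond.get("NotBefore")):
            problems.append("assertion not yet valid")
        if cond.get("NotOnOrAfter") and now - CLOCK_SKEW >= _ts(cond.get("NotOnOrAfter")):
            problems.append("assertion has expired")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != ACS_URL:
        problems.append("SubjectConfirmationData Recipient is not our ACS URL")
    elif scd.get("NotOnOrAfter") and now - CLOCK_SKEW >= _ts(scd.get("NotOnOrAfter")):
        problems.append("subject confirmation has expired")
    nameid = a.find("saml:Subject/saml:NameID", NS)
    if nameid is None or nameid.get("Format") != EMAIL_FORMAT:
        problems.append("NameID is not in the emailAddress format Step 1 requires")
    return problems


# Constructed sample response (not captured from any real IdP); timestamps are fixed.
GOOD_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z" Destination="{ACS_URL}">
  <saml:Issuer>{EXPECTED_ISSUER}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
    <saml:Issuer>{EXPECTED_ISSUER}</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="{EMAIL_FORMAT}">jane.doe@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{ACS_URL}" NotOnOrAfter="2024-05-01T12:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
NOW = datetime(2024, 5, 1, 12, 1, tzinfo=timezone.utc)


def demo():
    """Check the good response, then the same one re-addressed to a different SP."""
    other_sp = GOOD_RESPONSE.replace(SP_ENTITY_ID, "urn:amazon:cognito:sp:us-east-1_OTHERPOOL")
    return check_response(GOOD_RESPONSE, NOW), check_response(other_sp, NOW)


if __name__ == "__main__":
    print(demo())
```

The audience check is the one that matters most for a shared IdP: the same identity provider may issue assertions for many service providers, and an assertion addressed to another SP Entity ID must be rejected even though its signature is perfectly valid. The clock-skew allowance is deliberately small; widening it extends the window in which a captured response stays usable.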

Common identity providers, all of which have similar configuration options, are:

  • Okta
  • Active Directory
  • OneLogin
  • Auth0


Step 1: Configure Idomoo On Your IdP

In order to configure Idomoo on your IdP, create a new application through the IdP setup process using the following SAML integration information:


  • Assertion Consumer Service (ACS) URL / SP sign-in URL: https://auth.idomoo.com/saml2/idpresponse
  • Audience URI / SP Entity ID: urn:amazon:cognito:sp:us-east-1_eU1R3GSYy
  • Name ID Format: Email


Make sure any other required fields are configured according to your IdP’s documentation.


Step 2: Provide Idomoo With A Metadata Document

For Cognito to recognize your IdP and the user attributes it passes on, your IdP’s SAML metadata document must be provided to Idomoo.

Alternatively, a URL that points to the metadata document can be provided instead.
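Because the metadata document is what lets Cognito identify your IdP and verify its signed responses, it is worth checking before you send it. The following Python example is added here and is not Idomoo’s or Amazon Cognito’s code; it inspects a metadata document for the elements a SAML 2.0 service provider relies on, including the emailAddress Name ID format required in Step 1. The sample metadata, its entityID and endpoint URLs, and the placeholder certificate are all constructed for the example.

```python
"""Sanity-check an IdP SAML metadata document before sending it to Idomoo.

Added example, not Idomoo's or Amazon Cognito's code. It confirms the document
carries what a SAML 2.0 service provider needs from an IdP: an entityID, an
IDPSSODescriptor for the SAML 2.0 protocol, a signing certificate, an HTTPS
SingleSignOnService endpoint, the emailAddress NameID format Step 1 requires,
and a validUntil that has not passed.
"""
import base64
import xml.etree.ElementTree as ET  # use defusedxml for untrusted input in production
from datetime import datetime, timezone

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
BINDINGS = {
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
}


def inspect_idp_metadata(xml_text, now):
    """Return (summary, problems); an empty problems list means the document looks usable."""
    root = ET.fromstring(xml_text)
    summary = {"entity_id": root.get("entityID"), "sso_urls": [], "signing_certs": 0}
    problems = []
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        return summary, ["root element is not md:EntityDescriptor"]
    if not summary["entity_id"]:
        problems.append("entityID is missing")
    valid_until = root.get("validUntil")
    if valid_until and datetime.strptime(valid_until, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc) <= now:
        problems.append("metadata validUntil has passed")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return summary, problems + ["no IDPSSODescriptor (is this SP metadata?)"]
    if SAML2_PROTOCOL not in (idp.get("protocolSupportEnumeration") or "").split():
        problems.append("IDPSSODescriptor does not advertise the SAML 2.0 protocol")
    # A KeyDescriptor with no 'use' attribute serves both signing and encryption.
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue
        b64 = kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", default="", namespaces=NS)
        try:
            der = base64.b64decode("".join(b64.split()), validate=True)
        except ValueError:
            problems.append("signing certificate is not valid base64")
            continue
        if not der.startswith(b"\x30"):  # a DER certificate starts with a SEQUENCE tag
            problems.append("signing certificate is not DER-encoded")
            continue
        summary["signing_certs"] += 1
    if summary["signing_certs"] == 0:
        problems.append("no usable signing certificate, so responses could not be verified")
    for sso in idp.findall("md:SingleSignOnService", NS):
        location = sso.get("Location", "")
        if sso.get("Binding") in BINDINGS:
            if not location.startswith("https://"):
                problems.append(f"SingleSignOnService is not HTTPS: {location}")
            summary["sso_urls"].append(location)
    if not summary["sso_urls"]:
        problems.append("no HTTP-POST or HTTP-Redirect SingleSignOnService endpoint")
    if EMAIL_FORMAT not in [f.text for f in idp.findall("md:NameIDFormat", NS)]:
        problems.append("emailAddress NameIDFormat not advertised; confirm the IdP sends it")
    return summary, problems


# Constructed sample (not from any real IdP). The certificate is a placeholder that
# only mimics the DER SEQUENCE prefix of a real X.509 certificate.
FAKE_CERT = base64.b64encode(b"\x30\x82\x01\x00" + b"constructed placeholder, not a certificate").decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.com/saml/metadata" validUntil="2030-01-01T00:00:00Z">
  <md:IDPSSODescriptor protocolSupportEnumeration="{SAML2_PROTOCOL}">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{FAKE_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>{EMAIL_FORMAT}</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)


def demo():
    """Inspect the sample, then a copy whose SSO endpoint was downgraded to plain HTTP."""
    downgraded = SAMPLE_METADATA.replace("https://idp.example.com/saml/sso", "http://idp.example.com/saml/sso")
    return inspect_idp_metadata(SAMPLE_METADATA, NOW), inspect_idp_metadata(downgraded, NOW)


if __name__ == "__main__":
    print(demo())
```

If you hand Idomoo a metadata URL rather than the document itself, the same checks apply to whatever that URL serves, and the validUntil check matters more: a metadata document that rotates its signing certificate after the copy Cognito holds has expired will break sign-in until the new document is supplied.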


Step 3: Testing The Integration

After confirmation from Idomoo, you should test the log-in process using the SSO workflow detailed below.


SSO user workflow on Idomoo’s application

  1. Inside Idomoo’s application, click the ‘Use SSO’ login option.
  2. A popup window appears requiring an email address on your company’s business domain (e.g. your corporate email address).
  3. When logging in for the first time (or if the authentication session has expired), the user is redirected to provide their credentials as required by the identity provider.

    Note: If the user is already authenticated by the IdP, this step is skipped.
  4. If authentication succeeds, the user is logged in to the Idomoo application.


Useful links

Okta - Build a Single Sign-On (SSO) integration

Auth0 - Integrate with Amazon Cognito

How do I set up Okta as a SAML identity provider in an Amazon Cognito user pool?

How do I set up Auth0 as a SAML identity provider with an Amazon Cognito user pool?