If you already have an SSO application, you can onboard your users with their SSO accounts.

Staffbase Platform enables SSO onboarding using standards such as:

• OpenID
• SAML 2.0
• OpenID Connect   

You can use the Staffbase platform with different identity providers. Some of the examples are:

• Active Directory Federation Services
• Amazon Cognito
• APM
• Gigya
• Google
• Microsoft Azure
• Okta
• OneLogin
• SAP
• Shibboleth

We also support multiple identity providers at the same time. If you want to enable more than one identity provider for your app, contact your Customer Success Manager.

To set up SSO onboarding, you need the initial support of your IT department. Since the user will not receive any new passwords, this method is very secure.

However, if you have a simple user structure and only want to edit the user data manually or not at all, then you don’t need to invest any further effort in user management. The SSO application will supply the necessary data. If you have many groups and want to continually keep the user data in the app up to date, then you will use the automated user management.

You can use SSO onboarding in parallel with all other onboarding methods.

User Data Requirements

Manual user management in the app 

You don’t have to provide any data for SSO onboarding. All data is provided via SSO as soon as a user signs in.

In this case, you can only manually edit, organize, or delete users later.

Automated user management in the app: 

If you want to keep user data up to date using an import, then you must create the users in the system in advance.

Enter the following information for the users: 

• Identifier — this must be the same as the external ID used in the SSO source system
• First name
• Last name
• Email address — if you want to invite the users via email automatically

Optionally, you can also provide further information such as:

• Location
• Department
• Position
• Additional information you wish to use with custom profile fields

Enter User Data in the System

There are two scenarios of SSO onboarding:

Just-in-time provisioning

You don’t have to provide any data beforehand for the SSO onboarding. The user data is provided or synced every time the SSO is used.

Pre-registration

You need to provide all user data before the user accesses via SSO.  In this case, only pre-existent users within the app can access it via SSO.

If you need automated user management, you must use the pre-registration and create the users in the system using one of the following methods:

• CSV-Import
• User-API
• SCIM 2.0, for example, using Azure Active Directory

Inviting Users to the App

Manual user management and automated user management without the user's email address: 
You invite the users to the app yourself. Users only need the app name to install the app.

Automated user management with the user's email address: 

1. Import the user data into the system; for example, via CSV import.
2. Send the invitation emails. For example, during the CSV import you confirm that you want to send the invitation emails directly after the import.
   The invitation email contains:
   • Name of the app
   • Information on how to download the app

How Users Register with the App

1. The user opens the app or web app.
2. The user clicks Sign in with Single Sign-On account.
3. Optionally, the user confirms your terms of use or the privacy policy.
4. Afterwards the user is forwarded to your SSO identity provider.
   After finishing the SSO registration the user is forwarded to the app.
5. Optionally, the user is asked to complete the profile and enter more information.

At this point the user has an active account and is able to sign in using their email and the new password.

How Users Can Reset Their Password

If a user forgets their SSO password, the password is reset via your SSO application.