If you already have an SSO application, you can onboard your users with their SSO accounts.
Staffbase Platform enables SSO onboarding using standards such as:
- SAML 2.0
- OpenID Connect
You can use the Staffbase platform with different identity providers, such as Microsoft Azure, OneLogin, Okta, Google, SAP, Gigya, Active Directory Federation Services, APM, Shibboleth, and so on.
We also support multiple identity providers at the same time. If you want to enable more than one identity provider for your app, contact your Customer Success Manager.
To set up SSO onboarding, you need the initial support of your IT department. Since the user will not receive any new passwords, this method is very secure.
However, if you have a simple user structure and only want to edit the user data manually or not at all, then you don’t need to invest any further effort in user management. The SSO application will supply the necessary data. If you have many groups and want to continually keep the user data in the app up to date, then you will use the automated user management.
You can use SSO onboarding in parallel with all other onboarding methods.
User Data Requirements
- Manual user management in the app
- You don’t have to provide any data for SSO onboarding. All data is provided via SSO as soon as a user logs on.
In this case, you can only manually edit, organize, or delete users later.
- Automated user management in the app:
- If you want to keep user data up to date using an import, then you must create the users in the system in advance.
Enter the following information for the users:
- Identification — this must be the same ID as used in the SSO source system
- First name
- Last name
- Email address — if you want to invite the users via email automatically
Optionally, you can also provide further information such as:
- Additional information you wish to use with custom profile fields
For OpenID Connect, the additional user data is not yet supported.
Enter User Data in the System
There are two scenarios of SSO onboarding:
- Just-in-time provisioning
- You don’t have to provide any data beforehand for the SSO onboarding. The user data is provided or synced every time the SSO is used.
- You need to provide all user data before the user accesses via SSO. In this case, only pre-existent users within the app can access it via SSO.
If you need automated user management, you must use the pre-registration and create the users in the system using one of the following methods:
Inviting Users to the App
Manual user management and automated user management without the user's email address:
You invite the users to the app yourself. Users only need the app name to install the app.
Automated user management with the user's email address:
- Import the user data into the system; for example, via CSV import.
- Send the invitation emails. For example, during the CSV import you confirm that you want to send the invitation emails directly after the import.
The invitation email contains:
- Name of the app
- Information on how to download the app
How Users Register with the App
- The user opens the app or web app.
- The user clicks Sign in with Single Sign-On account.
- Afterwards the user is forwarded to your SSO identity provider.
After finishing the SSO registration the user is forwarded to the app.
- Optionally, the user is asked to complete the profile and enter more information.
At this point the user has an active account and is able to log in using their email and the new password.
How Users Can Reset Their Password
If a user forgets their SSO password, the password is reset via your SSO application.