SSO FAQs

  • 13 March 2023

The topic of SSO is quite broad and can seem overwhelming. Below, we have compiled the most commonly asked questions. Please note that this article is by no means all-encompassing; however, we will do our best to add to it as we work with all of you. Feel free to leave a comment with your question, and we will add it to the article.

 

Should I use SSO?

There are advantages you will want to keep in mind and considerations you will want to evaluate as you decide whether or not you want to use SSO for your community.

If your users or a large group of your users are already on an SSO through your other products, then using an SSO is a great way to create a streamlined user experience across all your platforms. This will not only make user management and provisioning access simpler, but will also improve your customers’ ability to quickly get to where they need to go. 

If you do not have an SSO set up, then it is perfectly acceptable to use the default authentication method inSided offers to all users. 
 

What protocols are supported?

Currently, we support the following protocols:

In addition, you can also work directly with our support team to configure LinkedIn and Facebook SSO.

 

What protocol should I use?

We recommend that you use whichever protocol your SSO-application already supports. We have not found any noticeable differences between our clients using OAuth, OpenID and SAML.

If you are building your own, custom solution, JWT is by far the easiest to implement. We see this mostly when people use their own product as an SSO-provider, for example.

NOTE: The system can support multiple, simultaneous protocols of different types without any ‘custom’ work. However, if you would like to configure multiple login flows using the same protocol, you will need to create an external landing page to handle the traffic.
 

Can you provision users?

No. Provisioning using something like SCIM is not supported by inSided, and most use cases we see do not require it. Users can be automatically created/registered upon first login; this is seamless for the end user.

To off-board users or to comply with GDPR removals, we would recommend using the API:

 

Can we pass along custom fields in SSO?

Passing custom profile fields through the SSO is not possible. You can pass along these fields on the SSO payload: 

  • Email
  • Username
  • Profile Picture
  • Custom Role
  • Avatar

To pass along additional profile fields, you will need to use the API:

 

Your payload will look (something) like this, if you choose to pass through these values - you can find more information in this article:

$payload = array(
    'id'          => 'VGqczRfTVaSm',
    'username'    => 'john.doe',
    'email'       => 'john@doe.com',
    'avatar'      => 'https://upload.wikimedia.org/wikipedia/commons/3/30/Rubik_cube.png',
    'customRoles' => '12,13'
);

Another helpful tip is the following:

The variable your SSO is sending is customRoles and you can send a comma-separated list of custom role ID values. For example:

customRoles = "12,13" 

You will find these IDs in Control → Settings → User Roles.
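
Because customRoles assigns roles at login, it helps to build the payload so that only role IDs you have approved for SSO can reach it. The following is an added example, not inSided's code; buildSsoPayload() and $allowedRoleIds are hypothetical names, and the sample user is constructed:

```php
<?php
// Added example, not inSided code. buildSsoPayload() and $allowedRoleIds are
// hypothetical; take the real IDs from Control → Settings → User Roles.

/**
 * Build the SSO payload fields shown above, refusing any custom role ID
 * that is not explicitly allowed to be granted through SSO.
 */
function buildSsoPayload(array $user, array $requestedRoleIds, array $allowedRoleIds): array
{
    if (!is_string($user['id'] ?? null) || $user['id'] === '') {
        throw new InvalidArgumentException('missing user id');
    }
    if (!filter_var($user['email'] ?? '', FILTER_VALIDATE_EMAIL)) {
        throw new InvalidArgumentException('invalid email');
    }

    $roles = [];
    foreach ($requestedRoleIds as $roleId) {
        // Role IDs are numeric. Rejecting anything else stops a value such as
        // "12,99" from smuggling an extra ID into the comma-separated list.
        if (!is_int($roleId) && !(is_string($roleId) && ctype_digit($roleId))) {
            throw new InvalidArgumentException('role id must be numeric');
        }
        $roleId = (int) $roleId;
        if (!in_array($roleId, $allowedRoleIds, true)) {
            throw new InvalidArgumentException("role $roleId may not be granted via SSO");
        }
        $roles[$roleId] = true; // array keys de-duplicate repeated IDs
    }

    $payload = [
        'id'       => $user['id'],
        'username' => $user['username'] ?? '',
        'email'    => $user['email'],
    ];
    if (!empty($user['avatar'])) {
        $payload['avatar'] = $user['avatar'];
    }
    if ($roles) {
        $payload['customRoles'] = implode(',', array_keys($roles));
    }
    return $payload;
}

// Constructed sample data.
$allowedRoleIds = [12, 13];
$user = ['id' => 'VGqczRfTVaSm', 'username' => 'john.doe', 'email' => 'john@doe.com'];
print_r(buildSsoPayload($user, ['12', 13, '12'], $allowedRoleIds));
```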

 

Can I automatically redirect users to the SSO login page?

Yes, this is possible! You can do so by calling this GET endpoint directly: https://sso.api.insided.com/auth/[SSO_SCHEME]?customer=[CUSTOMER_ID]

  • CUSTOMER_ID: this is the first part of the URL of your Control environment (e.g. customer-id.insided.com)
  • SSO_SCHEME: can be oauth2, openidconnect, saml, token, google

 

How difficult is SSO to set up?

SAML and Token are the simplest to set up, but none of the protocols require too much technical know-how to set up. We have documentation for all of them in our community. We do also support LinkedIn SSO, but this will require you to work with our support team.

If you are facing any technical difficulties, you can also reach out to the support team and they can assist you in the setup.

 

Where do I generate a key to set up Token SSO?

There are instructions in the SSO setup guides that walk you through it. You can do this in Terminal via the command found in this inSided article.

 

How does auto-registration affect the login experience?

  1. Does auto-registration skip ‘required at login’ Profile fields? No, it does not. Users will be asked to enter those Profile fields.
  2. If the username auto-populates, i.e. the system enters the username as the text before the @email.com portion, what happens when there is a duplicate? The system will force the user to pick a new username.

 

What happens when a user’s email address changes in the SSO database (IdP)?

  1. To create a seamless experience for the user, you will need to access their user profile from your Control environment, and change the email in their profile. This will ensure that the next time they sign in, there will be no ‘disruption’ to their login and user experience.

  2. What if the SSO token also changes? If this is the case, then you will also need to update this in the user profile. You can find this in your SSO database.

 

Can I customize the registration page when someone logs in through SSO?

Yes, you can! Check out this article to find out which phrases you will need to add and adjust to customize the private community registration page. If you have trouble adjusting the registration page, please submit a ticket to our support team, and they will assist you.

 


Last Updated: February 15, 2024


6 replies

Can we pass along custom fields in SSO?

Passing custom profile fields through the SSO is not possible. You can pass along these fields on the SSO payload: 

  • Email
  • Username
  • Profile Picture
  • Custom Role
  • Avatar

 

A helpful tip when passing a custom role (or roles) in via SSO:

The variable your SSO is sending is customRoles and you can send a comma-separated list of custom role ID values. For example:

customRoles = "12,13" 

 

Update - the more appropriate term is probably name-value pair instead of variable. Adding for clarity and SEO happiness.

 

h/t to Ravi in Support


Hi, @davetee! Thanks for the great comment. 😄

 

If you are ok with it, I will update the article with our outline. Let me know if you have any objections, and if not, I will make some edits to the content. Thank you! 

Fine with me @arminfpop. It would be great to have a table listing all the SSO names associated with each field. 

  • Email
  • Username
  • Profile Picture
  • Custom Role [customRoles]
  • Avatar

Is it possible to redirect the user to a specific page after the SSO?
Something like returning a parameter with a return URL alongside the token?

The idea is to provide on your portal direct links to pages in inSided, and that these links go through the SSO.

Something like  https://sso.api.insided.com/auth/[SSO_SCHEME]?customer=[CUSTOMER_ID]&Return_url=https%3A%2F%2Fcommunity.insided.com%2Fhomepage-132%2Fa-closer-look-at-homepage-widgets-1996

Thanks.


Hi, @Eric Garnier! Yes, this is indeed possible. However, you will need to work with our support team to install these settings. 

 

Please use this portal or send an email to support@insided.com to configure these settings.


Hi, we are setting up the SSO with Open ID. Before entering the community the user sees this page.
Here the name ‘Insided’ is shown because this is still the identifier we receive from the community. Is this something that can be changed?

 
