Authentication methods - General information

Introduction

Identity management at Steeple brings together two different but complementary areas: user authentication on the one hand and the management of their identity and permissions on the other.


Authentication is the mechanism by which a person proves that the identity they claim is indeed theirs. Steeple supports two authentication methods: the email address and password pair, and single sign-on (SSO). This document introduces single sign-on.


The management of identities and permissions covers, on the one hand, a user's civil status (first name, last name, email address, date of birth, etc.) and, on the other hand, the permissions with which they can interact with a given community. The process by which an organization manages its users is called provisioning, and this document presents the so-called automatic provisioning mode.

Single sign-on

Single sign-on is a method that lets a user authenticate to several different applications through a single authentication mechanism, managed by a single entity and deemed trustworthy.

For example, if your company uses Microsoft Azure AD as the provider of digital identities for your employees, you can have those same identities used within your Steeple organization, so that your employees do not have to explicitly create another identity to belong to it.

SSO therefore ensures that access to your employees' Steeple accounts is protected as strongly as access to their company accounts. It also lets you configure who can access Steeple directly within your identity provider, making the management of your Steeple organization easier and automatable.

Authenticating a user's identity leads to the creation of a session, which represents the period during which that authentication remains valid and during which the user can use the service without authenticating again. A session can be deliberately ended by the user; without any action on their part, it expires automatically after a certain period of time. The user is then prompted to re-authenticate using SSO.

Note that in Steeple's implementation of SSO, once established, a Steeple session is independent of the identity provider that enabled the authentication. In particular, the identity provider cannot trigger the termination of the session on its own (only the user or the expiration of the session can). In other words, Steeple does not implement single logout (SLO). Consequently, disabling a user at the identity provider does not end a Steeple session that is already open; it prevents the user from authenticating again once that session has ended.

SSO Configuration

Steeple implements SSO using the SAML 2.0 protocol.

In this context, to understand how this SSO works, three main actors should be distinguished:

  • the identity provider (Azure AD, Okta, ADFS, Ping Identity, etc.)
  • the service provider (Steeple)
  • the user (a person)

The user seeks to authenticate with the service provider in order to obtain access. The service provider redirects the user to the identity provider, asking it to authenticate the user by its own means. If the identity provider succeeds in authenticating the user, it sends the user back to the service provider together with signed data (a SAML assertion) attesting to certain details of that identity, which the service provider accepts as proof of authentication. The service provider can then grant the user access to its service.

It follows from this exchange that the identity provider and the service provider (respectively called IdP and SP in the rest of this document) must not only be able to address each other but also recognize each other as trusted counterparts. A consistent configuration on both sides is therefore mandatory.
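As an added example (not Steeple's code and not a description of its implementation), the following Python sketch shows the SP side of the exchange just described: it builds the AuthnRequest that sends the user to the IdP, then applies the checks an SP must make on the IdP's answer before accepting it as proof of authentication. The entity IDs and URLs are hypothetical, the IdP response is constructed inline for the demo, and cryptographic verification of the XML signature is assumed to have been done by a dedicated XML-DSig library beforehand; the code only checks that a signature element is present.

```python
# Added example (not Steeple's code): a minimal SP-side view of the SAML 2.0 exchange
# described above. Entity IDs and URLs are hypothetical. Cryptographic XML-DSig
# verification is assumed to be done by a dedicated library before these checks.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
for _p, _u in NS.items():
    ET.register_namespace(_p, _u)

# Hypothetical SP configuration; the same values must be registered at the IdP.
SP = {"idp_entity_id": "https://idp.example.com/metadata",
      "sp_entity_id": "https://sp.example.com/saml/metadata",
      "acs_url": "https://sp.example.com/saml/acs"}
DEMO_NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
TS = "%Y-%m-%dT%H:%M:%SZ"


class SamlValidationError(Exception):
    pass


def build_authn_request(request_id, now=DEMO_NOW):
    """Step 1: the SP sends the user to the IdP carrying this AuthnRequest."""
    root = ET.Element(f"{{{NS['samlp']}}}AuthnRequest", {
        "ID": request_id, "Version": "2.0", "IssueInstant": now.strftime(TS),
        "AssertionConsumerServiceURL": SP["acs_url"]})
    ET.SubElement(root, f"{{{NS['saml']}}}Issuer").text = SP["sp_entity_id"]
    return ET.tostring(root, encoding="unicode")


def make_sample_response(issuer, audience, in_response_to, now=DEMO_NOW, lifetime_s=300):
    """Constructed IdP answer for the demo (not captured from a real IdP); the
    Signature element is a placeholder standing in for a real XML-DSig."""
    nb = (now - timedelta(seconds=60)).strftime(TS)
    na = (now + timedelta(seconds=lifetime_s)).strftime(TS)
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_r1" Version="2.0" IssueInstant="{nb}" InResponseTo="{in_response_to}">
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="{nb}">
    <saml:Issuer>{issuer}</saml:Issuer>
    <ds:Signature xmlns:ds="{NS['ds']}"><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
    <saml:Subject>
      <saml:NameID>alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{SP['acs_url']}" InResponseTo="{in_response_to}" NotOnOrAfter="{na}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="{nb}" NotOnOrAfter="{na}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def validate_response(xml_text, expected_request_id, now=DEMO_NOW, skew=timedelta(minutes=2)):
    """Step 2: the SP accepts the assertion only if it comes from the configured IdP,
    is addressed to this SP, answers this login attempt and is still valid.
    Returns the authenticated NameID."""
    t = lambda s: datetime.strptime(s, TS).replace(tzinfo=timezone.utc)
    root = ET.fromstring(xml_text)  # stdlib ElementTree does not expand external entities
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise SamlValidationError("IdP did not report success")
    a = root.find("saml:Assertion", NS)
    if a is None or a.find("ds:Signature", NS) is None:
        raise SamlValidationError("missing or unsigned assertion")
    issuer = a.findtext("saml:Issuer", namespaces=NS)
    if issuer != SP["idp_entity_id"]:
        raise SamlValidationError(f"untrusted issuer {issuer!r}")
    cond = a.find("saml:Conditions", NS)
    if cond is None or now + skew < t(cond.get("NotBefore")) or now - skew >= t(cond.get("NotOnOrAfter")):
        raise SamlValidationError("assertion missing Conditions or outside its validity window")
    if SP["sp_entity_id"] not in [x.text for x in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        raise SamlValidationError("assertion is not addressed to this SP")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if (scd is None or scd.get("Recipient") != SP["acs_url"]
            or scd.get("InResponseTo") != expected_request_id or now - skew >= t(scd.get("NotOnOrAfter"))):
        raise SamlValidationError("bearer confirmation does not match this login attempt")
    return a.findtext("saml:Subject/saml:NameID", namespaces=NS)


def run_demo():
    """One accepted exchange and the rejection reasons for tampered or stale answers."""
    req = "_req123"
    build_authn_request(req)  # what the SP would send; the constructed IdP answer below replies to it
    good = make_sample_response(SP["idp_entity_id"], SP["sp_entity_id"], req)
    result = {"accepted": validate_response(good, req), "rejected": {}}
    bad = {"wrong audience": (make_sample_response(SP["idp_entity_id"], "https://other.example.net", req), req),
           "unknown issuer": (make_sample_response("https://evil.example.org", SP["sp_entity_id"], req), req),
           "expired": (make_sample_response(SP["idp_entity_id"], SP["sp_entity_id"], req, lifetime_s=-600), req),
           "replayed": (good, "_req999")}  # same answer presented for a different login attempt
    for label, (xml, expected) in bad.items():
        try:
            validate_response(xml, expected)
        except SamlValidationError as e:
            result["rejected"][label] = str(e)
    return result


if __name__ == "__main__":
    print(run_demo())
```

The checks on Issuer, Audience, Recipient and InResponseTo are what "recognizing each other as trusted counterparts" means in practice: each side's entity ID and endpoint URLs must match what the other has been configured with, which is why the IdP-specific guides walk through entering those values on both sides.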

Although SAML is a standard protocol, the terminology used and the steps for configuring the trust between IdP and SP vary from one identity provider to another.

Please refer to the document dedicated to the configuration of your identity provider: