Single Sign-On (SSO) allows users within a client’s organization to log into the SMG reporting website without having to enter a username or password. Typically, clients place a link to the reporting website on their intranet and when a user clicks the link, they are automatically logged into their homepage on the SMG reporting website.
Functional Process
There are three (3) entities involved in the SSO process: the client (identity provider), SMG (service provider), and the user (employee of the client). The client’s system (as the identity provider) identifies and verifies the user and then asserts the user with SMG (the service provider) by sending a SAML token with the initial request to the SMG reporting portal. In essence, the client identifies the user and then informs SMG who the person is by using SAML. SMG trusts the identity assertion and then automatically logs in the user.
The user logs into the SMG reporting website (smg360) through a client-operated service such as a client’s intranet. The client then redirects the user to SMG by passing along the username as well as other attributes needed to authenticate the user. Upon user authentication, SMG’s database stores the user information and updates with each login as attributes about the user change (e.g., email address, unit level access). There will not be a need for a separate process to update or create users.
The client (identity provider) authenticates the user prior to sending the first request to SMG (service provider) which involves the following steps:
When the client redirects the user to SMG, a signed and encrypted SAML assertion accompanies the request. The client generates the SAML assertion, signs with the client’s private key, and encrypts using SMG’s public key. SMG receives the SAML assertion, verifies the assertion using the client’s public key, and then processes the SAML assertion. Included in the SAML is information about the user, including the user’s email address, library assignment, and other information necessary for SMG to customize the user’s experience on the reporting platform.
Is it required to encrypt the assertion using the SMG key for SAML SSO?
No, SMG maintains different levels of security. The minimum requirement would be for the client to sign the assertion with the client’s private key and then SMG to decrypt the assertion with the client’s public key.
What value do you recommend for the username?
A value unique to the user (e.g., email address, employee ID).
Does SMG support WS-Federation SSO?
No, SAML 2.0 SSO is SMG’s standard SSO offering.
May the assertion include multiple units for one user?
Yes, separate the UnitIDs by a comma.
Does the UnitID need to include the leading zeros or padding (if applicable)?
No, you may exclude the leading zeros and provide the actual digits. The SMG process will handle the necessary padding.
Does single sign-on (SSO) support special hierarchy?
Yes, SMG may add custom code to the process to grant the user with access to one level up. The first dashboard would continue to reflect the user’s primary access; however, the user may toggle to view peer dashboards and/or generate reports to include peer performance.
Note: All users would have access to one level up and be able to view all units reporting to that level (e.g., region managers would be able to view the results for all stores and districts that report their division)
Does single sign-on (SSO) deactivate users?
No, however if a user no longer maintains access to your intranet then the user will be unable to access the smg360 reporting portal.
How does the user initially authenticate to the smg360 mobile app?
The user logs into the desktop version of SMG’s reporting website via normal means and clicks on the ‘Settings’ icon located in the right-hand corner of the top toolbar and then selects ‘Mobile App’ to request a code. On the smg360 log in screen, the user selects ‘Pair My Device’ and enters the code provided from the desktop version.
- Tokens expire after 30 days
- New codes are required per device
Ready to get started?
See the article Set up SSO for Your Organization to go over the onboarding process.
Comments
Please sign in to leave a comment.