Single Sign On (SSO)

Enabling Single Sign On

We support single sign-on using SAML 2.0 and a supporting third-party Identity Provider (IdP) that works in tandem with its internal user management system. This means that instead of relying on our local authentication for password and security policies, you may set your own authentication using your managed Identity Provider. Users in the application also benefit by not having to remember and manage yet another password for this service, and instead use a single service to sign in to Own.

Set Up at the IdP (Identity Provider)

Own uses SAML 2.0 and supports IdP-initiated flows only (not SP-initiated flows). Therefore, in order to authenticate, the IdP must allow the SAML Assertion to be used. You will need to add us as a new Service Provider (sometimes referred to as an SP), that has the following attributes:

1. Identifier (Entity ID) - can be obtained from the SSO XML file from the SSO feature setup page.
   (e.g. https://sso-app1.owndata.com, https://sso-emea1.owndata.com etc.)
2. Reply URL (Assertion Consumer Service) -  Set to https://XXXX.owndata.com/saml/consume according to your region. 
   (e.g. https://app1.owndata.com/saml/consume, https://emea1.owndata.com/saml/consume, etc.)
3. Ensure the User/Subject Type is set to Username, and that it is also a valid email address already existing as an active user.
4. Set the Name ID Format to urn:oasis:names:tc:SAML:nameid-format:emailAddress

• You can obtain the SSO XML file from the SSO feature setup page in the Own application, if that is needed for a specific IdP setup.

Setting Up in the UI

To set up single sign-on integration between your IdP and Own, enter into the UI the following information in the Account Settings --> Security page:

1. Identity Provider Name: A friendly display name for the integration (e.g. Okta Own).
2. Identity Provider’s SAML issuer name - A unique identifier of the IdP (Usually an https:// URL). The SAML issuer is typically the Entity ID, which can be verified in the IdP’s metadata xml.
3. Identity Provider’s certificate SHA-2 fingerprint, in uppercase, with : marks between the hex code.  
   (e.g. 7C:C4:22:66:15:E1:7B:34:C0:AB:2A:81:E6:11:56:09:92:C5:51:49,
   or upload the public certificate itself in .pem format).
4. Logout URL - The link to where you wish to direct users, when clicking the logout button.

Provider Specific Configurations

• Okta - How to Configure SAML 2.0 for Own

Behaviors when Enabling Single Sign On

Most password policies and security measures change when you enable single sign-on via SAML:  

• Only the Master Admin can enable/disable SSO.
• The user can no longer set their password in the application, and the password length complexity rules are those set by the identity provider.
• We cannot enforce password expiration and cannot prevent reuse of old passwords.
• Two-factor authentication is disabled, but you may enable it through your Identity Provider, if it’s available there.
• Users cannot use the Forgot/Reset Password mechanism and will be referred to their Identity Provider if they try to do so.
• If you would like to enable an API user after implementing Single Sign-On, please submit a case to our Support team, this user will have API access only and will not have access to the UI.
• If you are completely locked out and cannot manage authentication via the IdP, please submit a case to our Support team who can assist.

Adding a new User

Master Admin Steps

1. As a Master Admin, log in using Single Sign On (SSO).
2. Create a new user assigned to a Business Unit.

A verification email from s sent to the new user. (The email states that the user has been created as a Read Only user).

New User Steps

1. In the verification email received, click the "Confirm" link. A confirmation page opens.
2. Click Accept Invitation. The sign in page opens.

3. Navigate to the URL for the “IdP-Initiated Login” used by your Id Provider.
4. Enter your credentials. You will then be redirected to the application as a valid SSO user.