SSO

Functional Overview

The Alcméon application can be configured to integrate with third-party SAML-based Identity Providers. It can be made to behave as a SAML Service Provider to replace the default Alcméon login page by:

  • a centralized login page provided by a third-party IdP to enforce a single mandatory sign-in method
  • a login page which allows users to choose which login method they wish to use from up to 4 pre-configured methods. Typical setups include 2 to 3 third-party IdPs to give independent business units access to Alcméon. Other common setups allow choosing between the default Alcméon login or a third-party IdP.

The Alcméon SSO does not perform automated user account provisioning:

  • some customers choose to manually provision user accounts and assign roles to user accounts for access control within Alcméon via the account configuration user interface
  • others automate this provisioning and role assignment process via the User Account Provisioning API.

Please note that it is also possible to automatically create users with one predefined role for those authenticated by SSO who do not yet have an Alcméon account. A common use case for this feature is to grant login access with read-only permissions on the inbox. This functionality is typically used for the "Send conversation by email" feature.

Technical constraints

The Alcméon Service Provider uniquely identifies users via a per-user email. The IdP is expected to provide this email via the SAML NameId or a SAML attribute.
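As an added illustration of this constraint (example code written for this page, not Alcméon's own implementation), the function below reads the user email from either the NameID or a named SAML attribute of an assertion whose signature and conditions have already been verified. The assertion XML and the attribute name `mail` are constructed samples; the rule that exactly one value must be present, and the lower-casing of the address, are assumptions about how a Service Provider should treat the identifier.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not a real IdP response). Signature, audience
# and validity-window checks are assumed to have been done by the SAML library
# before the email is read out of it.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">
      Alice@Example.com
    </saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="department">
      <saml:AttributeValue>Support</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def normalize_email(value):
    """Lower-case and trim the value; return None if it is not a plausible email."""
    value = (value or "").strip().lower()
    local, sep, domain = value.partition("@")
    if not sep or not local or not domain or "@" in domain or " " in value:
        return None
    return value


def extract_user_email(assertion_xml, attribute_name=None):
    """Read the email from NameID (default) or the named attribute; None = reject."""
    root = ET.fromstring(assertion_xml)
    if attribute_name is None:
        node = root.find("saml:Subject/saml:NameID", SAML_NS)
        return normalize_email(node.text) if node is not None else None
    values = [
        v.text
        for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML_NS)
        if attr.get("Name") == attribute_name
        for v in attr.findall("saml:AttributeValue", SAML_NS)
    ]
    # Exactly one value is required: none means the IdP did not send it,
    # several is ambiguous and must not be silently resolved to one account.
    return normalize_email(values[0]) if len(values) == 1 else None
```

Returning None makes the caller fail closed: a login whose assertion carries no usable, unique email is refused rather than matched to a guessed account.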

Configuration process

The configuration process is managed via [email protected]:

  1. Upon request, we will provide you with a url per IdP where the Service Provider SAML XML metadata can be downloaded.
  2. You will provide us with a url where we can download the IdP XML metadata, and the information on how the user email will be communicated by the IdP (via the NameId or via a SAML attribute whose name must be sent to Alcméon support). This information is mandatory.
  3. We set up a test page with the information above, and give you the URL that will allow you to perform end-to-end testing. Note: at this step, none of your Alcméon users are impacted and they continue to log in with their Alcméon login and password.
  4. Once your tests are done, you can give us a GO to enable the SSO configuration for all Alcméon users. Once it is done, all users will have to log in through this SSO. Note: users that are already logged in will stay logged in until their session expires.

Deployment process

Once the setup has been tested and validated, a request must be sent to support to enable it.

Supported IdPs

In the past, we have successfully deployed our Service Provider against numerous IdPs:

Potential issues

When the SSO is not enabled on day zero, and when the target configuration is one where all authentication must go through a single third-party IdP, customers must make sure that ALL existing user accounts are assigned a unique email that is valid within the IdP. Support can help with this migration process, both by providing exports of the list of user account emails and by performing a one-shot remapping of user account emails within Alcméon.