Single sign-on (SSO)
To enable single sign-on
- Select Settings from the System drop-down.
- Expand the Single sign-on section.
- Enter the Identity ID, Login URL, and X509 Security Certificate for your identity provider.
- Select Authorization comparison if your identity provider requires exact comparison. Most do.
- Select Use single sign-on.
- Select SSO only to prevent users setting their own passwords. Users who know their passwords can bypass single sign-on. See Bypassing SSO below.
The single sign-on process is normally automatic: when the user first browses to Phrontex they are redirected to the Login URL; if identified successfully they are redirected back to Phrontex with their login credentials.
This process can be bypassed by browsing to
which will display the normal login screen. If the user knows their password they can then log in normally. For some installations, this is the preferred arrangement: users already logged in to the corporate network can browse directly to Phrontex without requiring another login. Those same users, working away from the office, can log in to Phrontex over the internet using their user name and password.
Some installations prefer not to permit this: users may access Phrontex only through the corporate network.
If SSO only is selected, users cannot set their own passwords. The Password field is not displayed on their profile page, and the Reset password function is not available. Note:
- This restriction does not apply to users with System Owner or System Manager authority. These users can set their own passwords, and can set passwords for other users.
- Selecting SSO only does not affect users already set up with passwords.
User identity and creation
Users are identified in the Phrontex system by the email address or the Single sign-on ID in their profile (see Users). The Single sign-on ID is needed only if the ID is something other than their email address.
If there is no user record in Phrontex matching the credentialed identity, one is created using the data supplied by the identity provider.