Single sign-on (SSO)
To enable single sign-on
- Select Settings from the System drop down.
- Expand the Single sign-on section.
- Enter the Identity ID, Login URL, and X509 Security Certificate for your identity provider.
- Select Authorization comparison if your identify provider requires exact comparison. Most do.
- Select Use single sign-on.
- Select SSO only to prevent users setting their own passwords. Users who know their passwords can bypass single sign-on. See Bypassing SSO below.
User identification
Users are identified in the Phrontex system with their email address or their Single sign-on ID in their profile. (See The Single sign-on ID is needed only if the ID is something other than their email address.
New users
If there is no user record in Phrontex matching the credentialed identity, the user account is created using the data supplied by the identity provider.
Inactive users
If the user account is disabled in Phrontex, the user cannot access the Phrontex system, even if they are authorised by the identity provider.
Bypassing SSO
The single sign-on process is normally automatic: when the user first browses to Phrontex they are redirected to the Login URL. If identified successfully they are redirected back to Phrontex with their login credentials.
This process can be bypassed by browsing to
https://[system].phrontex.com/login
which will display the normal login screen. If the user knows their password they can then login normally. For some installations, this is the preferred arrangement: users already logged-in to the corporate network can browse directly to Phrontex without requiring another login. Those same users, working away from the office, can login to Phrontex over the internet using their user name and password.
Some installations prefer not to permit this. Users may access Phrontex only through the corporate network.
If SSO only is selected, users cannot set their own passwords. The Password field is not displayed on their profile page, and the Reset password function is not available. Note:
- This restriction does not apply to users with System Owner or System Manager authority. These users can always set their own passwords, and can set passwords for other users.
- Selecting SSO only does not affect users already set up with passwords. To apply SSO only to existing users, you need to change their current passwords to something new. This can be done in bulk using the user import function.