Single-Sign-On (SSO) and user provisioning with SCIM are now available on Forest Admin 🎉
We’re thrilled to announce that a game-changing feature you have frequently requested is now available on Forest Admin. You can now take full advantage of single sign-on (SSO) authentication. 🎉
Updated in February 2024
Table of Contents
- What is a single sign-on (SSO)?
- Five key benefits of SSO authentication
- How to activate SSO on Forest Admin
- What is SCIM?
- How to activate SCIM on Forest Admin
What is a single sign-on (SSO)?
In short, single sign-on (SSO) is an authentication strategy that lets users log in with just one set of credentials to access corporate websites, apps, internal tools, and third-party services. SSO is convenient for employees, as it lets them access various services faster and reduces password fatigue. More importantly, SSO solves issues related to data security, access control, and compliance with industry regulations.
The way SSO authentication works is based on a trust relationship between the identity provider that authenticates users, and the service provider, which is a service or application that users want to access. Thanks to SSO, users don’t have to send sensitive passwords across the internet and struggle when they forget them. Instead, the identity provider passes an assertion to authenticate the user for the service provider, often using an identity standard such as SAML.
5 Key Benefits of SSO Authentication
SSO is beneficial for everyone -- the company, as it increases security and facilitates access control, and individual employees who don’t have to memorize several login details to multiple applications. Here are the five key benefits of SSO authentication:
SSO allows for maintaining centralized control over user access
In big organizations that employ hundreds or even thousands of people, access control can be a nightmare without a centralized access management system. For example, if someone leaves the company, managers need to revoke access to each tool used by this person separately. The same happens with the newcomers - they need to be given access to several apps and websites. The SSO makes these processes extraordinarily fast -- it’s enough to give them only one set of login credentials. At the same time, when someone leaves the company or in case one username and password is compromised, access to every other service can be immediately blocked thanks to the SSO.
SSO enforces better password policies and eliminates password fatigue
The SSO allows managers to enforce rules, such as minimum password length or its complexity requirements, and to establish a password policy audit to monitor, for example, how often passwords are changed. On one hand, it forces users to create strong and secure passwords. On the other hand, it eliminates the burden of remembering several difficult login credentials.
It is true that password managers are a way to deal with both issues, but they don’t provide as high a level of security as SSO authentication.
SSO increases employee and IT productivity
Struggling to remember numerous login credentials is a common issue that leads to a serious waste of time and money. According to Gartner, over half of all help desk tickets are related to password issues! Another study reveals that almost 19% of abandoned carts on e-commerce websites are due to forgotten passwords and other issues with logging in. The more passwords are in use, the more frequently such calls happen. The SSO reduces support calls and improves the overall user experience as repeated logins are no longer required.
💡 Forest Admin also supports signing in with Google - a quicker way to authenticate compared to the regular login/password one. Signing in with Google shouldn't be confused with SSO, which needs to be activated per organisation and gives administrators much more control.
SSO can be combined with risk-based authentication for an extra level of security
Risk-based authentication (RBA) is an authentication system that helps prevent fraud by assessing the probability of account compromise. For example, even if users have correct login credentials, they may be asked to perform additional authentication to confirm their identity. Usually, this happens when the RBA system is alerted by an unusual location or an unknown device. Such a system is well known to users of social networks, major email providers, and an increasing number of other services, as static usernames and passwords provide weak security.
The RBA, combined with SSO, ensures high-level security in organizations. If users fail to log into one of the services or their login details are compromised, their access to company applications can be revoked immediately.
SSO helps achieve regulatory compliance
Now that the majority of companies, including traditional sectors like financial and insurance services, are moving to the cloud, data security is a major concern for everyone - from users and companies to governments. With each passing year, new industry regulations appear, requiring companies to implement security measures to make sure data is protected against breaches, unauthorized access, and cybercriminals. Strong authentication systems, such as SSO, are often a requirement to be compliant with regulations such as HIPAA or Sarbanes-Oxley.
How to activate SSO on Forest Admin
- First of all, you need to be on a Pro or an Enterprise plan to activate the SSO authentication, and you need to have an organization. If you are not an owner of your organization, you need to reach out to the person who owns it and ask them to set it up.
- If you are an owner but you don't have an organization, you need to create it. To do so, click on "Personal space" in the top-left corner of your screen and then click on the "New organization" button.
- You need to have at least one project on the Pro or Enterprise plan within the organization to enable the SSO. To do so, you can move a project from an organization like the Personal space to another one by going to the Project settings -> General section -> Transfer ownership.
- Go to the Organization settings (you need to be an organization owner to see it), and find the Security tab. You'll see a "Configure single-sign-on" button. Click on it, and copy the configuration settings for your provider.
- Create an application named “Forest Admin” on your identity provider, with the parameters previously copied (ACS Url, Logout URL, etc.)
- Press the "Test configuration" button, and if your configuration is up to date you'll be able to enable the SSO for your organization.
- At this moment, only you and other organization owners are able to connect to your organization through SSO; other users are not. It's time for you to test it before activating the SSO for every team member.
- When you feel comfortable with it, click on the "Enable" button and it will be activated for the entire organization on Forest Admin, using the configuration elements from your identity provider.
Forest Admin supports Auth0, OneLogin, Okta, Google, Microsoft Azure AD, and other providers that support SAML.
Read more in the documentation.
What is SCIM?
Single Sign-On (SSO) and System for Cross-domain Identity Management (SCIM) are two related but distinct concepts in identity and access management (IAM).
SCIM is a protocol designed to automate the process of user provisioning and management across different systems and applications. It allows for the seamless exchange of user identity information between identity providers (such as an organization's directory service) and service providers (such as cloud-based applications). SCIM ensures that user identities are consistently and accurately managed across various platforms, reducing administrative overhead and the risk of errors or inconsistencies. Now it is also possible to take advantage of that on Forest Admin.
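As an added illustration of what the identity provider and service provider exchange (generic SCIM 2.0 per RFC 7643/7644, not Forest Admin's code or API), the sketch below provisions a user and then deactivates them the way an IdP does at offboarding. The class, function names and messages are hypothetical and constructed for this example.

```python
import uuid

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

def _as_bool(value):
    # Accept JSON booleans and the strings "true"/"false".
    return value if isinstance(value, bool) else str(value).lower() == "true"

class ScimUsers:
    """Toy in-memory /Users endpoint (hypothetical; not Forest Admin's API)."""
    def __init__(self):
        self.users = {}

    def create(self, body):  # POST /Users
        if USER_SCHEMA not in body.get("schemas", []) or not body.get("userName"):
            return 400, None
        if any(u["userName"] == body["userName"] for u in self.users.values()):
            return 409, None  # userName must be unique
        user = {**body, "id": str(uuid.uuid4()), "active": _as_bool(body.get("active", True))}
        self.users[user["id"]] = user
        return 201, user

    def patch(self, user_id, body):  # PATCH /Users/{id}
        if user_id not in self.users:
            return 404, None
        if PATCH_SCHEMA not in body.get("schemas", []):
            return 400, None
        updated = dict(self.users[user_id])  # apply all operations or none
        for op in body.get("Operations", []):
            value = op.get("value")
            # With no "path", the value is an object of attributes to replace.
            changes = {op["path"]: value} if "path" in op else value
            if str(op.get("op", "")).lower() != "replace" or not isinstance(changes, dict):
                return 400, None
            if set(changes) - {"active", "displayName"}:
                return 400, None  # this sketch only handles two simple attributes
            updated.update(changes)
        updated["active"] = _as_bool(updated["active"])
        self.users[user_id] = updated
        return 200, updated

    def may_sign_in(self, user_name):
        return any(u["userName"] == user_name and u["active"] for u in self.users.values())

def offboarding_demo():
    """Constructed messages: the IdP provisions a user, then deactivates them."""
    sp = ScimUsers()
    _, user = sp.create({"schemas": [USER_SCHEMA], "userName": "alice@example.com"})
    before = sp.may_sign_in("alice@example.com")
    status, _ = sp.patch(user["id"], {"schemas": [PATCH_SCHEMA],
        "Operations": [{"op": "replace", "path": "active", "value": False}]})
    return before, status, sp.may_sign_in("alice@example.com")
```

Deactivation with `active: false` keeps the account record for audit while blocking sign-in, which is the revocation step that otherwise has to be done by hand in each application.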
How to activate SCIM on Forest Admin
We have implemented this feature to work with OneLogin and Okta, but other Identity Providers may be added manually. Read more about SCIM in the documentation.