What is SSO?
Single Sign-On is a convenient, yet secure way of authenticating a user.
Most customers are already running an Identity Provider (IDP) that supports Single Sign-On through the SAML 2 protocol, e.g. Active Directory, OneLogin, or Okta.
Benefits of using SSO
Integrating SSO into Userlane makes sure that
- your users can benefit from its content by using credentials they are using each day and in multiple places
- Userlane is silently and seamlessly rolled out to all end users
- your users do not have to do anything in order to see Userlane.
How it works
In the following section, we refer to three different stakeholders who need to align in order to get the integration up and running smoothly:
Company IT Administrator (short IT Admin) | Company Application Owner (short App Owner) | Userlane Solution Architect / Implementation Consultant (short SA) |
---|---|---|
Sets up the installation on the customer's side. | Has requested that Userlane runs on their application | Point of contact at Userlane for the installation and person who supports App Owner regarding any requirements |
In concept, this is how users are seamlessly authenticated for Userlane:
User authentication logic
The first authentication is triggered immediately when the user opens a browser that has the Userlane Browser Extension installed. If the authentication is not successful, the attempt is repeated at exponentially increasing intervals (every 2, 4, 8 minutes and further) until the interval reaches 48h. After that, the retry is triggered every 48h until the user is successfully authenticated.
For an already authenticated user, the user attributes are refreshed according to the setting in the Userlane Portal. The refresh is done by re-authenticating.
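The retry schedule described above can be modelled to estimate how long a client that has been failing will wait before it tries again after the SSO setup is repaired. This is an added example, not Userlane code; it assumes the wait doubles from 2 minutes and is clamped at 48 hours, and all function names are hypothetical.

```javascript
// Added illustration of the retry schedule described above (not Userlane code).
// Assumptions: the wait doubles from 2 minutes and is clamped at 48 hours.
const FIRST_WAIT_MIN = 2;
const CAP_MIN = 48 * 60; // 2880 minutes

// Yields the minute offset (from browser start) of every attempt while
// authentication keeps failing. The first attempt happens at minute 0.
function* attemptTimes() {
  let t = 0;
  let wait = FIRST_WAIT_MIN;
  while (true) {
    yield t;
    t += wait;
    wait = Math.min(wait * 2, CAP_MIN);
  }
}

// Offsets of the first n attempts, for printing or charting.
function firstAttempts(n) {
  const out = [];
  for (const t of attemptTimes()) {
    if (out.length === n) break;
    out.push(t);
  }
  return out;
}

// When a client that has failed since browser start tries again after the
// SSO setup was repaired at minute `fixedAtMin`.
function nextAttemptAfter(fixedAtMin) {
  for (const t of attemptTimes()) {
    if (t >= fixedAtMin) return t;
  }
}

// How many retries happen, and how much time passes, before the wait
// reaches the 48 h ceiling.
function rampUp() {
  let retries = 0, elapsedMin = 0, wait = FIRST_WAIT_MIN;
  while (wait < CAP_MIN) {
    elapsedMin += wait;
    wait = Math.min(wait * 2, CAP_MIN);
    retries++;
  }
  return { retries, elapsedMin };
}

console.log(firstAttempts(6), rampUp(), nextAttemptAfter(24 * 60));
```

Under these assumptions the wait reaches the 48h ceiling after 11 retries, about 68 hours after the first attempt, so a client that has been failing for several days may need up to two more days to pick up a corrected configuration.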
Step 1: Configure SSO
Configure SSO
Reach out to your IT to receive the
- IDP entrypoint URL
- IDP certificate
Sign in to Userlane Portal > Account > Global Settings > SSO
Add Userlane to your IDP to connect SSO
You need to pass the Userlane metadata to your IT.
Test the SSO integration
This button manually triggers the SSO process.
It should bring the user to your IDP login page or, if they are already logged in to their IDP, to the Chrome or Edge extension store to install the Userlane Browser Extension (BE) or, if they already have the extension installed, to a Userlane page with a list of Userlane properties.
Any of these results means that SSO has been successfully configured.
Step 2: Configure Browser to install the Userlane Extension and provide configuration
Browsers can be configured via so-called Enterprise policies. Those policies are provided by the Browser manufacturers (Mozilla, Google, or Microsoft) and allow IT Admins to regulate what users can or can’t do with the Browser. To do that, companies use a tool to manage devices and software packages (MDM) such as Microsoft Intune, Entel or Matrix42 Empirum. It is possible to automatically install specific Browser Extensions and to provide configuration parameters to them.
To seamlessly roll out Userlane:
- Your Customer Success Manager needs to provide you with your CompanyId
- You need to create the integrityToken
- You need to configure the Browser to install the Userlane Extension through the options given by the respective browser:
Then, sign in to Userlane Portal > Account > Global Settings > Browser extension
Here, you can add your Integrity Token to verify the integrity of the settings and to be able to manage authentication centrally.
Step 3: Authenticating the user via Single-Sign-On
To authenticate the current user towards Userlane, a Single-Sign-On (SSO) flow can be started in a new tab or in the background. Through this, it is also possible to provide more details about a user to Userlane so that specific content can be shown to user segments. This can be done by simply enabling automatic authentication via SSO under the Browser extension tab within your Userlane Portal.
Step 4: Choose the SSO window mode
Choose in which window you want the single sign-on to be processed. Multiple options are available:
- Iframe: The SSO will be opened in an invisible iframe that does not allow the user to interact at all. This is the recommended option but not all IDPs support it.
- Inactive Tab: The SSO will be opened in a new Tab that the user will be able to see, but the Tab will not automatically come into focus.
- Active Tab: The SSO will be opened in a new Tab that will automatically be focussed. Beware that this might interrupt the workflows of users.
Step 5: Userlane is automatically shown on selected URLs
Once a user has been authenticated, the Browser Extension can load the runtime configuration, which contains the whitelist of URLs on which Userlane will be shown.