Overview
Implementing single sign-on (SSO) in your Incydr environment provides security benefits and simplifies the sign-in experience. This article provides:
- A list of configuration articles that describe how to set up SSO with third-party SAML 2.0 identity providers (IdPs)
- An overview of SSO
Considerations
Our Technical Support Engineers can help with authentication issues caused by interaction with Incydr products. However, troubleshooting authentication issues outside your Incydr environment is beyond the scope of our Technical Support Engineers. For assistance with external authentication systems, contact your authentication vendor.
- To use this functionality, you must be assigned the Identity Management Administrator role.
- Incydr usernames must match SSO usernames. How you accomplish this depends on how you deploy agents.
- Incydr supports service provider-initiated SSO but does not support identity provider-initiated SSO. Therefore, users cannot sign in to your Incydr environment from the identity provider's website or application, but instead must log in using a browser bookmark.
- SSO provides user authentication but does not provide user management. Set up SCIM provisioning or use the Incydr console to manage users.
- Incydr does not support Single Logout (SLO). Users must sign out of the identity provider to end their single sign-on session.
- The Incydr console expects SAML assertions to be signed. To configure Incydr to support advanced SAML request configurations, see Set SAML attributes for SSO.
SAML 2.0 algorithms
The following deprecated SAML 2.0 algorithms are still accepted, but only when the identity provider itself uses them:
- RSA/MD5 for digital signatures: SignatureConstants.ALGO_ID_SIGNATURE_NOT_RECOMMENDED_RSA_MD5
- MD5 for HMAC: SignatureConstants.ALGO_ID_MAC_HMAC_NOT_RECOMMENDED_MD5
If your identity provider is up to date and configured appropriately, it does not offer these deprecated methods. They are permitted only because some identity providers still use them to sign their tokens.
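As an added example (not Incydr's own code), the following Python script checks a SAML Response against the two expectations above: every Assertion must carry a signature, and the signature algorithm must not be one of the deprecated MD5 methods. The algorithm URIs are the XML Signature identifiers behind the two SignatureConstants names; the sample responses are constructed, and the script inspects signature metadata only rather than verifying the signatures cryptographically.

```python
"""Audit a SAML 2.0 Response: each Assertion must be signed, and the signature must
not use a deprecated MD5 method. Checks metadata only; does NOT verify signatures."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# XML Signature algorithm URIs behind the SignatureConstants names quoted above.
DEPRECATED_ALGOS = {
    "http://www.w3.org/2001/04/xmldsig-more#rsa-md5": "RSA/MD5",
    "http://www.w3.org/2001/04/xmldsig-more#hmac-md5": "HMAC-MD5",
}

def audit_response(xml_text: str) -> list:
    """Return a list of findings; an empty list means every assertion passes."""
    findings = []
    assertions = ET.fromstring(xml_text).findall("saml:Assertion", NS)
    if not assertions:
        return ["no plaintext Assertion found (encrypted assertions are not inspected)"]
    for a in assertions:
        sig = a.find("ds:Signature", NS)  # enveloped signature on the assertion
        if sig is None:
            findings.append(f"assertion {a.get('ID')} is not signed")
            continue
        method = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
        algo = method.get("Algorithm") if method is not None else ""
        if algo in DEPRECATED_ALGOS:
            findings.append(f"assertion {a.get('ID')} uses deprecated {DEPRECATED_ALGOS[algo]}")
    return findings

# Constructed sample responses (no real IdP data; signature values are dummies).
def _sig(algo):
    return (f'<ds:Signature xmlns:ds="{NS["ds"]}"><ds:SignedInfo>'
            f'<ds:SignatureMethod Algorithm="{algo}"/></ds:SignedInfo>'
            '<ds:SignatureValue>AAAA</ds:SignatureValue></ds:Signature>')

def _response(sig_xml):
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="_r1">'
            f'<saml:Assertion ID="_a1">{sig_xml}<saml:Subject><saml:NameID>'
            'user@example.com</saml:NameID></saml:Subject></saml:Assertion></samlp:Response>')

GOOD = _response(_sig("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"))
MD5_SIGNED = _response(_sig("http://www.w3.org/2001/04/xmldsig-more#rsa-md5"))
UNSIGNED = _response("")

if __name__ == "__main__":
    for name, doc in (("good", GOOD), ("md5", MD5_SIGNED), ("unsigned", UNSIGNED)):
        print(name, audit_response(doc) or "ok")
```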
SSO configuration articles
You can configure SSO for Incydr with any provider that uses SAML 2.0. For general directions, see How to configure SSO in your Incydr environment.
The following articles provide instructions for specific providers.
- Configure Entra (formerly Azure) for SSO in your Incydr environment
- Configure Google for SSO in your Incydr environment
- Configure Microsoft AD FS for SSO in your Incydr environment
- Configure Okta for SSO in your Incydr environment
- Configure OneLogin for SSO in your Incydr environment
- Configure PingOne for SSO in your Incydr environment
- Configure Shibboleth for SSO in your Incydr environment
Before you begin SSO configuration
- Make sure the SSL certificate of your SSO identity provider has been signed by a trusted Certificate Authority (CA).
- Make sure you have administrative access to the identity provider or have contact with an identity provider administrator.
- Configure your private network, Internet, and VPN settings to allow client devices to communicate with your identity provider on port 443. Test client connectivity to the identity provider before you proceed.
- If you want to use URL-based metadata exchange to configure Incydr and the identity provider to work together, make sure two-way communication is available between them on TCP port 443. If two-way communication is not available or not allowed, you must download the identity provider's metadata file and make it accessible to Incydr.
- Confirm the required ports with your identity provider to determine if custom ports are being used.
What is SSO?
Single sign-on (SSO) is an authentication method that allows a user to use the same credentials to sign in to multiple applications. You can integrate Incydr with any provider that uses SAML 2.0.
Definitions
- authentication: The process of identifying and verifying users in a system. Methods for authentication include the local Incydr directory, single sign-on (SSO), and multi-factor authentication (MFA).
- authentication provider: Allows access to Incydr. When enabled, users sign in using the authentication provider instead of Incydr. Examples of authentication providers include Okta, Google SSO, Ping, Entra ID (Azure AD), OneLogin, and Microsoft AD FS. This term is used within Incydr's identity management feature.
- identity management: An IT administrative area or market that deals with the users in an IT system and with giving them access to the right resources within the system.
- identity provider (IdP): A general term to refer to a system that contains user identities. Identity provider can refer to a system performing authentication, provisioning, or both. Examples of identity providers include Okta, Google SSO, Ping, Entra ID (Azure AD), and OneLogin.
- service provider: A system acting as a gatekeeper for one or more resources (applications).
- resource: A protected application, which may or may not be web-based. The resource and the service provider are often integrated.
- single sign-on (SSO): SSO is one type of authentication method. It allows a user to use the same credentials to sign in to multiple applications.
- user agent: A software application that acts on behalf of the user who wishes to access resources. The user agent is often a web browser, although it can also be a desktop application, mobile app, or another type of agent.
SSO authentication process
When a user attempts to access an SSO-enabled protected resource, such as the Incydr console, the user is redirected to the identity provider. If the user still has an active session with the identity provider, the user is automatically redirected to the desired resource. If the user does not have an active session, the user is prompted to enter credentials. Once authenticated, the user has access for a configurable period of time to all resources protected by the identity provider.
The following roles and numbered steps describe how Incydr components and the SSO identity provider interact.
- Service provider: Incydr cloud instance
- User agent: Incydr applications or web browser
- Identity provider: A SAML 2.0 identity provider that supports HTTP POST binding
| Item | Description |
|---|---|
| 1 | When a user attempts to sign in, the user agent sends a sign-in request to the service provider. |
| 2 | The service provider refers the user agent to the identity provider's SSO URL. |
| 3 | The user agent sends an authentication request to the identity provider. |
| 4 | The identity provider authenticates the user and provides the user agent with a SAML authentication token. |
| 5 | The user agent sends the authentication token to the service provider. |
| 6 | The service provider accepts the authentication token and grants the user access to the user agent. |
SSO advantages, disadvantages, and limitations
- Delegates all authentication to the identity provider
- Allows for centralized authentication in organizations that do not implement Active Directory or LDAP (for example, computers that are not tied to a directory)
- Minimizes phishing opportunities
- Provides detailed reporting on user access
- Reduces user password fatigue from different username and password combinations
- Reduces time spent re-entering passwords
- Reduces IT costs due to lower number of IT help desk calls about passwords
- Prevents access to service providers if the identity provider is unavailable. For this reason, SSO can be undesirable for systems requiring guaranteed access at all times, such as security or plant-floor systems.
- Allows an unauthorized user to gain access to all protected resources if a user's credentials are compromised. To reduce risk, ensure that credentials are stored securely, and consider implementing strong authentication methods such as smart cards and one-time password tokens.
- Provides user authentication but does not provide user management. User management is provided by the local Incydr directory, SCIM provisioning, or Incydr User Directory Sync.
- Incydr does not handle single sign-off. If a user logs out of the Incydr environment, Incydr does not notify other service providers, and vice versa.
- When a user signs out of the SSO identity provider, they are not automatically signed out of the Incydr applications. There are two ways the user can be signed out of the Incydr applications:
- An administrator can deauthorize the user's devices from the Incydr console.
- The user can sign out of the Incydr applications.