What is Single Sign-On?
Single Sign-On (SSO) is an authentication method that lets users log in once and then access multiple applications and websites without authenticating again. Users are authenticated according to their organization’s policy at a single identity provider, instead of holding a separate account and password for every platform, and that one authentication grants access to all associated systems.
- Simplified User Experience: Users don’t need to remember multiple passwords or go through repeated login prompts.
- Enhanced Security: Reduces the risk of password-related breaches and phishing, since there are fewer passwords to manage and to compromise, and lets controls such as multi-factor authentication and lockout policies be enforced once, at the identity provider. The trade-off is concentration of risk: an account compromised at the IdP opens every connected application, so the IdP and its administrator accounts need correspondingly strong protection.
- Streamlined Management: Centralizes user authentication, making it easier for IT to manage user access and permissions across various applications.
- Compliance: Implementing SSO can assist in meeting certain information security compliance requirements. By centralizing authentication, organizations can more effectively enforce security policies, audit access, and maintain consistent security standards.
- Contact Support: Initiate the SSO setup by contacting your customer success manager at Dot.vu.
- Determine Email Domains: Identify which organizational email domains should be covered by SSO.
- Specify Accounts: Determine which accounts, e.g. specific business units or regions, require SSO coverage.
- Review Tenants: Together with Dot.vu support, review all tenants already associated with the specified account(s).
- Provide Identity Provider (IdP) Metadata: Share the details of your Identity Provider. Typically these are the Entity ID, the Single Sign-On Service URL, and the IdP’s public signing certificate (the certificate Dot.vu uses to verify the signature on your IdP’s SAML responses, so it must match the key your IdP actually signs with). You can provide these values directly or share the IdP’s metadata XML file, which contains all of them.
- Dot.vu Service Provider (SP) Metadata: Access our metadata at https://dot.vu/sso/saml2/metadata. It contains the values your IdP needs to register Dot.vu as a relying party, such as our Entity ID, our Assertion Consumer Service URL and our signing certificate(s).
- Schedule Rollout: Align on a suitable rollout date.
Note. Dot.vu does not support Single Logout (SLO). Users can authenticate via Single Sign-On (SSO), but logging out of Dot.vu ends only the Dot.vu session and leaves the IdP session intact, and logging out at the IdP leaves an open Dot.vu session intact. In practice this means that after a Dot.vu logout a user whose IdP session is still alive can sign in again without re-entering credentials, so on shared devices users should also sign out of the IdP or close the browser.
- New Tenant Provisioning: New tenants will be provisioned Just-in-Time (JIT) upon their first login.
- Existing Domain Users: Users with designated domain emails will experience seamless login through SSO.
- Existing Non-Domain Users: Users with roles in the specified accounts but not using the designated domain will lose access. They must transition to their designated work email for access. Our support team will assist in this transition.
Onboarding New Tenants With SSO
The onboarding of new tenants using SSO on Dot.vu is overseen by a designated client administrator with the necessary privileges. Here’s a step-by-step breakdown of the process:
- Initiate Request to IdP: The administrator contacts the organization’s Identity Provider (IdP) support to onboard the new tenant.
- Configure Role in Dot.vu: The administrator defines a role with the appropriate permissions tailored for the new tenant within the Dot.vu platform.
- Send Invitation: The administrator sends an invitation to the new tenant to join a specific organization account on Dot.vu.
- Access through Invitation Link: The new tenant clicks on the received invitation link.
- Authenticate via SSO: The tenant is prompted, and effectively required, to authenticate using the organization’s SSO method.
- Just-In-Time User Creation: If the tenant is a new user on Dot.vu, a user account is provisioned on-the-fly during their first SSO login.
- Role Acceptance: The tenant reviews the role details assigned to them and can accept or reject it.
- Dashboard Access: After acceptance, the tenant gains access to the organization account dashboard on Dot.vu.
Note. Single Sign-On handles authentication only: it establishes who the user is. Authorization, i.e. which Dot.vu accounts the user may access and with which roles, remains entirely under the control of the client administrator. A successful IdP login on its own grants no access to any account; that requires an invitation from the administrator and the user’s acceptance of the offered role. For any exceptional situations or challenges, Dot.vu’s support team is available for assistance.
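The following is an added example, not Dot.vu’s code, that models the rules described in the onboarding steps above: the IdP’s assertion proves identity, Just-In-Time provisioning creates a user with no roles, non-domain identities are refused, and a role on an account is bound only when the user accepts an administrator’s invitation. The data model, the function names and any rule the page does not state (for example case-folding of e-mail addresses and consuming an invitation on rejection) are assumptions made for the example.

```python
"""Model of the SSO onboarding rules: the IdP proves identity, while account
membership and roles are granted only through an administrator's invitation.
Added example for this page, not Dot.vu code; data model, function names and
rules the page does not state are assumptions."""
from dataclasses import dataclass, field


@dataclass
class Invitation:
    email: str
    account: str
    role: str


@dataclass
class Organization:
    sso_domains: set                          # email domains covered by SSO
    invitations: list = field(default_factory=list)
    # email -> {account: role}; an entry with no roles is a JIT-created user
    users: dict = field(default_factory=dict)


def email_domain(email: str) -> str:
    return email.rsplit("@", 1)[-1].lower()


def invite(org: Organization, email: str, account: str, role: str) -> None:
    """Send Invitation: the client administrator offers a role on an account."""
    org.invitations.append(Invitation(email.lower(), account, role))


def sso_login(org: Organization, asserted_email: str, account: str) -> str:
    """Outcome of an IdP-authenticated login for one organization account.

    The email comes from the IdP's assertion and is trusted as identity;
    nothing in the assertion is trusted as authorization.
    """
    email = asserted_email.lower()
    if email_domain(email) not in org.sso_domains:
        # Existing Non-Domain Users: identities outside the covered domains are
        # not accepted, even if an invitation exists for that address (assumed).
        return "denied"
    # Just-In-Time provisioning: the first login creates the user record,
    # with no role on any account.
    roles = org.users.setdefault(email, {})
    if account in roles:
        return "granted:" + roles[account]
    if any(i.email == email and i.account == account for i in org.invitations):
        return "pending_acceptance"
    return "no_role"


def respond_to_invitation(org: Organization, email: str, account: str, accept: bool) -> bool:
    """Role Acceptance: the invited user accepts or rejects the offered role.

    Only acceptance binds the role; either way the invitation is consumed
    (assumed). The user must already exist, i.e. have logged in via SSO.
    Returns True if a role was granted.
    """
    email = email.lower()
    for inv in org.invitations:
        if inv.email == email and inv.account == account:
            org.invitations.remove(inv)
            if accept and email in org.users:
                org.users[email][account] = inv.role
                return True
            return False
    return False


if __name__ == "__main__":
    org = Organization(sso_domains={"example.com"})
    invite(org, "ada@example.com", "acme-emea", "editor")
    print(sso_login(org, "ada@example.com", "acme-emea"))   # pending_acceptance
    respond_to_invitation(org, "ada@example.com", "acme-emea", accept=True)
    print(sso_login(org, "ada@example.com", "acme-emea"))   # granted:editor
    print(sso_login(org, "ada@personal.test", "acme-emea")) # denied
```

The point the model makes concrete is the one in the note: the same asserted identity yields `pending_acceptance`, `granted:…` or `no_role` depending solely on what the administrator has done in Dot.vu, and a login from outside the covered domains never creates a user at all.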
What if SSO Service is Down?
- Temporary Disablement: In the event of an SSO outage, you can ask our support team to temporarily disable SSO. Existing users can then reset their passwords and log in using the standard process. Keep in mind that while SSO is disabled, your IdP’s policies (for example multi-factor authentication) no longer gate access to Dot.vu, so keep the window short, have SSO re-enabled as soon as your IdP recovers, and review the logins made in the meantime.
- Break Glass Account: As a precaution, Dot.vu can set up a “break glass” account on request. This emergency account gives direct access to the platform, bypassing SSO, during SSO service interruptions or other critical scenarios. It is meant solely for exceptional cases: store its credentials in a vault or sealed offline location accessible to a small, named group, rotate them after every use, verify periodically that the account still works, and treat any login with it as an event to review.
- Will you provide SCIM?: We recognize the importance of SCIM (System for Cross-domain Identity Management) for automated user provisioning and deprovisioning. Although it is not on our immediate roadmap, we plan to support it in the future.
- Managing User Records: Disabling a user at your IdP stops them from logging in to Dot.vu through SSO, but their Dot.vu user record is not deleted automatically. Note also that, without SLO or SCIM, nothing is pushed to Dot.vu when a user is disabled at the IdP: the block takes effect at the user’s next login attempt rather than at the moment of deprovisioning. To remove or clean up such records, please coordinate with our support team.
IdP Certificate Updates
- Manual Updates: IdP certificate updates are currently handled manually on our side. Dot.vu verifies the signature on your IdP’s SAML responses against the certificate you provided during setup, so if your IdP starts signing with a new certificate before we have it, every SSO login will fail signature validation. Before a certificate change or renewal on the IdP side, contact your Dot.vu SP contact so that the new certificate is in place first; if you are unsure who that is, contact our support.
- Automatic Certificate Renewal: Automatic certificate updates from the IdP metadata URL are not on our immediate roadmap, but we plan to implement them in the future, which will make renewals seamless and minimize potential service disruptions.
SP Certificate Updates
- Rotation: Dot.vu is committed to maintaining the security and integrity of our Single Sign-On service. To this end, we rotate our Service Provider (SP) certificates at least every three years.
- Rollover Support: Dot.vu supports certificate rollovers. During a rollover our SP metadata lists both the outgoing and the incoming signing certificate, so an IdP that trusts the certificates published in the metadata keeps working while we switch, and an IdP configured with a single pinned certificate can import the new one before the old one is retired.
- Communication and Notice: Even with rollover support, we will proactively communicate certificate changes to our SSO-enabled clients, with advance notice and clear instructions, so that every party can prepare and take any necessary action.
- Metadata URL: The updated certificate, along with any rollover certificates, is published in the SP metadata at https://dot.vu/sso/saml2/metadata. We recommend that clients check this metadata periodically, ideally with an automated job that alerts when the set of signing certificates changes, so that the new certificate is imported before the old one disappears.
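As an added example (not Dot.vu’s code or tooling), the script below shows what such an automated check looks like, and at the same time what the IdP metadata fields requested during setup (Entity ID, Single Sign-On Service URL, signing certificate) look like in a SAML 2.0 metadata document. It parses an EntityDescriptor for either role, extracts the Entity ID, the signing certificates as SHA-256 fingerprints, the IdP’s SingleSignOnService and the SP’s AssertionConsumerService endpoints, and diffs the published signing certificates against the set an IdP currently trusts, which is exactly the signal a rollover produces. The two metadata documents, all `example.com`/`example.org` URLs and the certificate blobs are constructed for the example; the blobs are arbitrary bytes standing in for DER-encoded certificates, not real X.509 data. A real check would fetch https://dot.vu/sso/saml2/metadata over HTTPS and pass the body to `parse_metadata()`.

```python
"""Parse SAML 2.0 metadata (IdP or SP) and detect signing-certificate rollover.

Added example for this page, not Dot.vu code. The metadata documents below are
constructed with placeholder URLs; the certificate blobs are arbitrary bytes
standing in for DER-encoded X.509 certificates. For a live check, fetch
https://dot.vu/sso/saml2/metadata over HTTPS and pass the body to
parse_metadata() instead of SP_METADATA.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed placeholders, not real certificates.
OLD_CERT = b"placeholder DER bytes: outgoing SP signing certificate"
NEW_CERT = b"placeholder DER bytes: incoming SP signing certificate"
ENC_CERT = b"placeholder DER bytes: SP encryption certificate"
IDP_CERT = b"placeholder DER bytes: IdP signing certificate"


def b64(der: bytes) -> str:
    return base64.b64encode(der).decode()


# Constructed SP metadata mid-rollover: two signing certificates plus one
# encryption certificate, which a signing-key check must ignore.
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://sp.example.com/saml2/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{b64(OLD_CERT)}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{b64(NEW_CERT)}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{b64(ENC_CERT)}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.com/saml2/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed IdP metadata: Entity ID, SSO Service URL and public certificate,
# the three values the setup steps ask the client to provide.
IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.org/saml2/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{b64(IDP_CERT)}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.org/saml2/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate as colon-separated uppercase hex."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def parse_metadata(xml_text: str) -> dict:
    """Extract Entity ID, signing-certificate fingerprints, IdP SSO URLs and SP ACS URLs."""
    # ElementTree does not resolve external entities; for untrusted input prefer
    # defusedxml.ElementTree, which also caps entity expansion.
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("expected a single md:EntityDescriptor")
    info = {"entity_id": root.get("entityID"), "signing_certs": [],
            "sso_urls": [], "acs_urls": []}
    for desc in root.findall("md:IDPSSODescriptor", NS) + root.findall("md:SPSSODescriptor", NS):
        for kd in desc.findall("md:KeyDescriptor", NS):
            # Per the metadata spec a KeyDescriptor without 'use' serves both
            # signing and encryption, so it counts as a signing key here.
            if kd.get("use", "signing") != "signing":
                continue
            for cert in kd.findall(".//ds:X509Certificate", NS):
                der = base64.b64decode("".join((cert.text or "").split()))
                info["signing_certs"].append(fingerprint(der))
        for svc in desc.findall("md:SingleSignOnService", NS):
            info["sso_urls"].append((svc.get("Binding"), svc.get("Location")))
        for svc in desc.findall("md:AssertionConsumerService", NS):
            info["acs_urls"].append((svc.get("Binding"), svc.get("Location")))
    return info


def detect_rollover(pinned: set, current: list) -> dict:
    """Diff the fingerprints an IdP currently trusts against those the SP publishes.

    'added': import these on the IdP before the old certificate disappears.
    'removed': the SP no longer publishes these; they can be retired on the IdP.
    """
    now = set(current)
    return {"added": now - pinned, "removed": pinned - now, "unchanged": pinned & now}


if __name__ == "__main__":
    sp = parse_metadata(SP_METADATA)
    print("SP entity:", sp["entity_id"], "ACS:", sp["acs_urls"])
    print(detect_rollover({fingerprint(OLD_CERT)}, sp["signing_certs"]))
```

Run as a scheduled job, the `pinned` set is whatever your IdP has imported for Dot.vu; a non-empty `added` is the cue to import the new certificate, and a non-empty `removed` means the old one can be retired.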