To activate SSO for your admin account in Actimo, you have to log in to the admin through the domain you have set up in your account, so that only people from your company can access it. The login page will include a button that takes your admins and editors to the service you use to sign in (if they are not already signed in) and then logs them in to Actimo automatically.
How to activate SSO
To activate SSO for your admins, follow these steps:
1. Be sure to have your own domain in Actimo. If you don't, check this helpdesk guide on how to set it up.
2. Go to Admin > Security > Admin login.
3. Click on Single Sign On (SSO).
4. Choose the provider you use (Microsoft, Google, etc.).
5. Talk to your IT department.
6. Your IT department will have to set up the redirect_URI in your provider's configuration.
7. Request the following credentials from your IT department:
   - OpenID Connect metadata document (URL)
   - Client ID
   - Client Secret
8. Add the fields you got from your IT department in the setup of your Actimo SSO configuration.
9. Validate your setup.
10. Activate it!
How to setup Single Sign On (SSO) in Actimo
We support SSO in Actimo through a technology called OpenID Connect. Many common enterprise platforms support this out of the box, including:
- Azure AD (Office 365)
- G Suite
- Microsoft Windows Server 2016 and higher
In order to set up SSO with Actimo your IT department will need to configure your Identity system in order to create what is called an App or Client.
Here are a couple of articles that explain how to create those apps (for different systems):
- https://www.epiclabs.io/configure-jenkins-azure-authentication-connect/
- http://www.tothenew.com/blog/jenkins-google-authentication/
IT will also need a parameter called “Redirect URI” that will be provided in the configuration wizard.
When this is created, your IT will need to provide certain information through the configuration wizard.
There is a validation step that ensures there are no major errors. However:
- If a user was registered on Actimo with a plus-addressed email (name+something@...), that person won't be able to log in. An admin first needs to change the user's email to remove the +something.
- Correct domain setup is mandatory
Errors that the end user may face inside Actimo when trying to log in with SSO:
- If the user starts the login process and leaves, for example when he/she has to enter the password, then comes back after several minutes and tries to continue, it is possible that the process will fail. This is because Actimo allows the login flow only 5 minutes to complete (for security reasons).
- If the user tries to log in with a valid user account in the provider that is not registered on Actimo, Actimo will show an error with an explanation
- If the user logging in is not validated, it will fail without explanation (for security reasons).
- If the user has been deleted or doesn’t belong to the client, it will fail
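As an added illustration (not Actimo's own code), here is a small Python model of the rules behind the outcomes listed above: the 5-minute window, the mandatory company domain, the plus-address mismatch, the explained error for an unregistered provider account, and the deliberately unexplained failure for unvalidated or deleted users. The tenant data, outcome names and function names are constructed for the example.

```python
import time

# Constructed sample data standing in for an Actimo tenant; not real records.
COMPANY_DOMAIN = "example.com"          # the domain set up in the account
LOGIN_TIMEOUT_SECONDS = 5 * 60          # the 5-minute limit on an in-flight login
REGISTERED_USERS = {
    "alice@example.com":  {"validated": True,  "deleted": False},
    "bob+hr@example.com": {"validated": True,  "deleted": False},  # plus-addressed
    "carol@example.com":  {"validated": False, "deleted": False},  # not yet validated
    "dave@example.com":   {"validated": True,  "deleted": True},   # removed from client
}

# Outcomes, so the caller can tell "explain to the user" from "fail silently".
OK, TIMEOUT, WRONG_DOMAIN, PLUS_ADDRESS, NOT_REGISTERED, SILENT_FAIL = (
    "ok", "timeout", "wrong_domain", "plus_address", "not_registered", "silent_fail")

def start_login(now=None):
    """Record when the user was sent to the provider; the callback must return in time."""
    return {"started_at": time.time() if now is None else now}

def _registered_with_plus_suffix(email):
    """True if a matching Actimo account exists only as local+suffix@domain."""
    local, _, domain = email.partition("@")
    return any(u.partition("@")[2] == domain and "+" in u.partition("@")[0]
               and u.partition("@")[0].split("+", 1)[0] == local
               for u in REGISTERED_USERS)

def complete_login(flow, claims, now=None):
    """Apply the rules to the provider's ID-token claims; returns (outcome, message)."""
    now = time.time() if now is None else now
    if now - flow["started_at"] > LOGIN_TIMEOUT_SECONDS:
        return TIMEOUT, "The login took longer than 5 minutes; please start again."
    email = claims.get("email", "").strip().lower()
    if email.partition("@")[2] != COMPANY_DOMAIN:
        return WRONG_DOMAIN, "This account does not belong to the company domain."
    user = REGISTERED_USERS.get(email)
    if user is None:
        if _registered_with_plus_suffix(email):
            return PLUS_ADDRESS, "Registered with a +suffix; an admin must remove it."
        return NOT_REGISTERED, "Valid provider account, but no Actimo user has this email."
    if not user["validated"] or user["deleted"]:
        return SILENT_FAIL, "Login failed."   # deliberately no explanation
    return OK, "Logged in."
```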
Errors that the end user may face outside Actimo when trying to log in with SSO
- An ‘Authorization Error’ (or similar, because it depends on the provider) will be shown if the user tries to log in with a valid email (valid both for Actimo and for the provider) that is not allowed in the provider's configuration. Example: a company uses Google, but configured it to allow only Gmail accounts that belong to this company's group. So if anyone tries to use their personal Gmail address, even if a valid user exists in the company for that email, it won't work.
- If a user modifies the provider’s configuration, then it could fail both in Actimo and within the provider’s authentication pages.
Sometimes, when an error appears, it shows up every time the user tries to log in using that provider. This can happen because the user is already logged in to that provider (possibly with the wrong account).
So before trying to log in to the company's account, the user should log out of their provider accounts.