Note:
This feature is only available to you if you have booked it as an additional module. To make changes to your current package, please get in touch with your contact person or contact customersuccess@alasco.de.
Topic overview
- Definition Single Sign-On
- Functionality
- Advantages
- Preparatory measures for activating SSO
- Subsequent registration for Alasco
- Single Sign-On and Multi-Factor Authentication
Introduction
In our digital world, where we are constantly accessing a multitude of applications and platforms, managing usernames and passwords can quickly become a challenge.
This is where Single Sign-On (SSO) comes into play. Single sign-on is an authentication method that allows users to log in to multiple applications with just one set of credentials. Instead of having to remember different usernames and passwords for each application, SSO provides a seamless, secure and efficient solution for managing digital identities. In this article, we will explain the basics of Single Sign-On, highlight its benefits and show you how to log in to Alasco using Single Sign-On.
How does SSO work?
SSO works by using a trusted third party (an identity provider, also called an authentication server) to authenticate users. When a user attempts to access an application, they are redirected to the identity provider, which verifies the user's credentials and then redirects them back to the application if authentication is successful.
Advantages of SSO
- Improved user experience: Users only need to remember one password, which simplifies and speeds up the login process.
- Increased security: SSO reduces the risk of password theft as users have fewer passwords that can be stolen.
- Reduced administrative overhead: IT teams spend less time on password resets and account management.
Preparatory measures for activating SSO
- Planning of the activation date
  - Joint configuration by Alasco and the customer's IT administration
  - The appointment takes approx. 30-60 minutes
- Determination of the domains to be activated
  - Activation e.g. for the domain examplecustomer.com: users with e-mail addresses in this domain must use SSO
  - For users with other domains, e.g. external employees, login is still possible via e-mail address and password
- Preparation of users in Alasco and the internal system (e.g. Active Directory)
  - Have all users been created in Alasco with the correct e-mail address and the desired roles?
  - Are all users in the internal system authorized to use SSO for Alasco, e.g. through membership in a corresponding group?
  - Do the e-mail addresses of the users in Alasco and the internal system match?
- Inform users about the upcoming changes to avoid confusion and queries
  - Login problems occur briefly during the changeover
  - After activation of SSO, the login flow changes
  - If there are problems with logging in, users must contact internal IT after activation
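The three user-preparation questions in the checklist above can be answered before the activation date by comparing the two user lists. The following is an added example, not Alasco's code: the record layout, the group name alasco-sso, the role names and the sample users are constructed, and it assumes both user lists have already been exported.

```python
# Added example: data and names below are constructed, not exported from Alasco.
SSO_DOMAINS = {"examplecustomer.com"}  # domain to be activated (the page's example)
SSO_GROUP = "alasco-sso"               # hypothetical directory group that permits SSO

ALASCO_USERS = [  # constructed sample; role names are placeholders
    {"email": "anna@examplecustomer.com", "roles": ["role-a"]},
    {"email": "Ben@examplecustomer.com", "roles": ["role-b"]},
    {"email": "carla@examplecustomer.com", "roles": []},
    {"email": "dave@examplecustomer.com", "roles": ["role-b"]},
    {"email": "extern@externefirma.net", "roles": ["role-b"]},
]
DIRECTORY_USERS = [  # constructed sample of the internal system
    {"email": "anna@examplecustomer.com", "groups": ["alasco-sso"]},
    {"email": "ben@examplecustomer.com", "groups": ["alasco-sso"]},
    {"email": "carla@examplecustomer.com", "groups": ["staff"]},
]

def domain_of(email):
    """Domain part of an address, normalised for comparison."""
    return email.rsplit("@", 1)[-1].strip().lower()

def audit(alasco_users, directory_users):
    """Map each affected Alasco e-mail address to its list of open issues."""
    exact = {u["email"]: u for u in directory_users}
    folded = {u["email"].lower(): u for u in directory_users}
    findings = {}
    for user in alasco_users:
        email = user["email"]
        if domain_of(email) not in SSO_DOMAINS:
            continue  # other domains keep e-mail address and password login
        issues = []
        entry = exact.get(email)
        if entry is None:
            entry = folded.get(email.lower())
            if entry is None:
                issues.append("no matching account in the internal system")
            else:
                issues.append("e-mail differs in case from " + entry["email"])
        if entry is not None and SSO_GROUP not in entry.get("groups", []):
            issues.append("not a member of " + SSO_GROUP)
        if not user.get("roles"):
            issues.append("no role assigned in Alasco")
        if issues:
            findings[email] = issues
    return findings

if __name__ == "__main__":
    for email, issues in audit(ALASCO_USERS, DIRECTORY_USERS).items():
        print(email + ": " + "; ".join(issues))
```

Addresses that differ only in upper and lower case are reported separately so they can be aligned in both systems before the changeover.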
Subsequent registration for Alasco
1. Navigate to Alasco as a user and enter your e-mail address
   - If SSO is enabled for you, you will be redirected to step 2
   - Otherwise you will be asked for your password
2. Alasco contacts the authentication server
   - You will be identified by the e-mail address you entered
   - Supported protocols: SAML, OpenID Connect (OIDC)
3. Log in to the authentication server or use a saved session
4. The authentication server sends your credentials to Alasco
5. Alasco checks the information and grants you access if it is correct or rejects you if the information is incorrect
Single Sign-On and Multi-Factor Authentication
Multi-factor authentication (MFA) is usually included when using single sign-on:
- The login to the authentication server is usually secured with MFA
- The Alasco login is skipped by SSO, so MFA in Alasco would never be triggered
However, SSO and MFA can be used together if you use several domains, for example if external employees work in Alasco.
Internal employees then have logins with the domain examplecustomer.de, e.g. exampleemployee@examplecustomer.de
- SSO is activated for the domain examplecustomer.de
- All internal employees log in via SSO
External employees have logins for other domains, e.g. extern@externefirma.net
- External users cannot use the SSO login as they do not have access to your authentication server
- MFA can be activated for these users to ensure additional security