What is Single Sign On and why is it required?
Meritto enables identity providers (IdPs) to verify user identities, ensuring a seamless and secure authentication process. The users can utilise their existing login credentials managed by IdPs such as Okta and Azure AD. This eliminates the need for users to remember multiple passwords, making the login process more seamless and efficient.
The standard users have the flexibility to configure and manage authentication settings for their Meritto account. In essence, SSO is a secure authentication mechanism that enables users to access multiple cloud applications with a single login through a centralised authentication system, known as an Identity Provider (IdP). The cloud applications that rely on IdP-verified authentication are referred to as Service Providers (SP).
How does Single Sign-On (SSO) work?
When you attempt to log in to the Meritto portal, the SSO process follows these steps:
- Log in to the IdP (Identity Provider) first – The user first needs to log in to their IdP, such as Azure, in order to access Meritto via SSO.
- Meritto Application on the IdP – The admin user needs to make sure that the Meritto Application is configured on the IdP (for example, Azure) so that users can access the application via SSO.
- Click on the Meritto Application to access Meritto – Once the Application is configured successfully and the corresponding configuration is done on Meritto as well, the users who are configured to access the platform via SSO can access Meritto with a single click on the Meritto Application.
- Identity Verification – The IdP verifies your credentials, confirms that the requesting application is legitimate, and issues an authentication token.
- User Authentication – The application receives the token and grants you access based on the verified identity.
- Session Continuity – Once logged in, authentication data (in the form of cookies or tokens) is retained, allowing seamless navigation across different pages of the application without requiring repeated logins.
How to add Meritto as an application to Azure dashboard?
- Begin by signing in to the Azure portal.
- From the left-hand navigation menu, choose Azure Active Directory.
- Proceed to Enterprise Applications, then click on All Applications.
- To add a new application, select New Application.
- In the Add from the gallery section, search for Meritto using the search bar.
- From the search results, select Meritto, and proceed to add the application. The app will be added to your tenant within a few moments.
How to configure SSO for Meritto using Azure?
Great !!! Now that you understand how Single Sign-On (SSO) works, let's walk through the process of configuring Azure for your Meritto account.
Prerequisites
- The institute should have configured the respective IDP, like Azure.
- It is mandatory for the institute to have Single Sign-On as an add-on feature during account onboarding.
- Once the feature is added for the account, the user who will be configuring the SSO should have “Allow users to view/edit Single sign-on settings” permission enabled to configure the SSO successfully.
Once all the above prerequisites are met, please follow the steps below to configure SSO for a standard user:
Step 1: Log in to your Meritto portal and click on the settings icon located at the top-right corner of your screen.
Step 2: In the left-side menu at the L1 level, search for "Security Settings." Once you navigate to Security Settings, locate the expandable section labelled "Login Method" at the L2 level. Expand this section to proceed further.
Step 3: When you select the SSO Login method, the following authentication options should be displayed:
- Azure using SAML
Step 4: If the user selects the Azure using SAML method, a pop-up slider would appear displaying the following details:
- Reply URL (Assertion Consumer URL)
  - The [Reply URL (Assertion Consumer URL)] field in the pop-up slider will be automatically populated with the customer ID.
  - This needs to be entered on IDP while setting up SAML settings.
- Identifier (Entity ID)
  - The [Identifier (Entity ID)] field in the pop-up slider will be auto-filled with the customer ID.
- Microsoft Entra Identifier
  - The [Microsoft Entra Identifier] field should be displayed in the pop-up slider as an input field. Users can locate this value in the setup instructions provided by their Identity Provider (IDP).
- Login URL
  - The [Login URL] field should be displayed in the pop-up slider as an input field. This value can be obtained from the setup instructions provided by the Identity Provider (IDP).
- Logout URL
  - The [Logout URL] field should be displayed in the pop-up slider as an input field. This is an optional field that specifies the URL users will be redirected to upon logging out.
- Certificate (Base 64)
  - The [Certificate (Base 64)] field should be displayed in the pop-up slider as an input field. This value can be found in the setup instructions provided by the Identity Provider (IDP).
- Logout URL (Add this to the Basic SAML Configuration)
  - This needs to be configured when SAML Single Logout is configured.
  - A field named [Logout URL] should appear in the pop-up slider.
When you log out of your system while logged into Meritto via SSO, a logout request is also sent to the Meritto Logout URL. This ensures that you are automatically signed out of Meritto, maintaining a seamless and secure logout experience.
Step 5: Enter the required information in the designated fields. Once all fields are completed, click on "Configure SSO" to proceed.
NOTE:
Once all necessary information is provided and SSO is configured, the SSO Login toggle on the Login Methods page should be activated.
Congratulations !!! You have successfully configured SSO for your account.
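The IdP-side values entered in Step 4 can be read from the IdP's SAML federation metadata XML and sanity-checked before they are pasted into the form. The following is an added example, not Meritto's or Microsoft's code: the function name `sso_form_values` is hypothetical, and the metadata document, tenant ID and certificate bytes are constructed placeholders.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
# Constructed sample: placeholder tenant ID and a dummy DER blob, NOT a real certificate.
TENANT = "00000000-0000-0000-0000-000000000000"
DUMMY_CERT_B64 = base64.b64encode(b"\x30\x82\x01\x0a" + bytes(266)).decode()
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/{TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data>
      <X509Certificate>{DUMMY_CERT_B64}</X509Certificate>
    </X509Data></KeyInfo></KeyDescriptor>
    <SingleLogoutService Binding="{REDIRECT}" Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
    <SingleSignOnService Binding="{REDIRECT}" Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
  </IDPSSODescriptor></EntityDescriptor>"""

def _https(url, field):
    p = urlparse(url or "")
    if p.scheme != "https" or not p.netloc:
        raise ValueError(f"{field} must be an absolute https URL: {url!r}")
    return url

def sso_form_values(metadata_xml):
    """Return the IdP-side Step 4 fields from SAML metadata, or raise ValueError."""
    if "<!DOCTYPE" in metadata_xml or "<!ENTITY" in metadata_xml:
        raise ValueError("DTD/entity declarations are not expected in SAML metadata")
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    def endpoint(tag):  # first HTTP-Redirect endpoint of this kind, else None
        return next((e.get("Location") for e in idp.findall(f"md:{tag}", NS)
                     if e.get("Binding") == REDIRECT), None)
    cert = idp.findtext("md:KeyDescriptor[@use='signing']//ds:X509Certificate", namespaces=NS)
    der = base64.b64decode("".join((cert or "").split()), validate=True)
    if not der.startswith(b"\x30\x82"):
        raise ValueError("certificate is not DER (expected ASN.1 SEQUENCE)")
    logout = endpoint("SingleLogoutService")
    return {
        "Microsoft Entra Identifier": root.get("entityID"),
        "Login URL": _https(endpoint("SingleSignOnService"), "Login URL"),
        "Logout URL": _https(logout, "Logout URL") if logout else None,  # optional field
        "Certificate (Base 64)": base64.b64encode(der).decode(),
        "cert_sha256": hashlib.sha256(der).hexdigest(),  # for out-of-band comparison
    }
```

The `cert_sha256` value gives the administrator something to compare against a fingerprint computed from the certificate file downloaded directly from the IdP, so a swapped signing certificate is caught before SSO is enabled.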
How to configure users in SSO?
Now that you’ve learned how to configure SSO for your account, let’s proceed with setting up users for SSO.
While configuring users, it is essential to understand the bifurcation and criteria that determine how SSO can be applied to standard users. Let’s explore these aspects to gain a clear understanding of the configuration process.
1. Assign SSO to Individual Users: Under this criterion, you can manually select users by searching for their names in the "Select User(s)" dropdown. However, before doing so, you must first select the Users radio button under the list labeled "Assign all user(s) of the following."
2. Assign SSO to Permission Groups: Under this criterion, users can be searched based on the permission groups they belong to. Simply select the "Permission Group" radio button and choose the desired permission template under "Select Permission Group(s)." Below this, you will find two search boxes labeled "User List" and "Included Users." These allow you to include only specific users from a selected permission group while assigning users from that group.
3. Assign SSO to Teams: Under this criterion, users can be searched based on their assigned user groups. Simply select the "Users" radio button and choose the appropriate user group under "Select User Group(s)." Below this, you will find two search boxes labeled "User List" and "Included Users." These options allow you to include specific users from the selected user group while assigning users from that group.
Fantastic! Now that you have understood the bifurcation and criteria for applying SSO to standard users, let’s move forward.
NOTE:
- The configuration is only applicable to the users who are solely part of this account and not to users who are in multiple accounts.
- The users enabled in this configuration will not be able to access Meritto's mobile application.
- Assigning users to the configured SSO is a mandatory step when configuring SSO on Meritto; without it, your users won’t be able to access Meritto using your SSO.
How to save the SSO configuration as a draft?
Step 1: Once you have filled in all the relevant fields while configuring SSO, clicking on the [Cancel] CTA should save all the entered details as a draft.
NOTE:
- The saved drafts should appear as a list under the [SSO Login] method option.
How to edit the SSO configuration?
Users can edit the configuration after the draft has been successfully saved. Kindly follow the steps below to proceed.
Step 1: Log in to your Meritto portal and click on the settings icon located at the top-right corner of your screen.
Step 2: In the left-side menu at the L1 level, search for "Security Settings." Once you navigate to Security Settings, locate the expandable section labelled "Login Method" at the L2 level. Expand this section to proceed further.
Step 3: Once you expand the section, you will find your previously configured SSO saved as a draft. Click on the three-dot action button to open a dropdown menu.
Step 4: Click on the edit SSO icon. Once you are done making the necessary changes, click on Save.
Congratulations !!! You have successfully saved the changes made in your SSO configuration.