Single Sign-On (SSO)
Single Sign-On (SSO) is a session and user authentication service that permits a user to use one set of login credentials (i.e., name and password) to access multiple applications.
Single Sign-On can be enabled in your company account by request. When enabled and configured, users can access ITM Platform with their corporate credentials. Once Single Sign-On is in place, the user's username and password are managed by the identity provider (IDP) of the user's company or by a third-party SSO solution.
For the user, this means that if they choose Single Sign-On from the ITM Platform login page they are redirected to a login page provided by their own company. If authentication succeeds, the user is sent back to ITM Platform and logged in.
Characteristics of using Single Sign-On at ITM Platform
Single Sign-On at ITM Platform has the following characteristics:
- ITM Platform supports SSO based on SAML 2.0, which includes solutions like Microsoft ADFS, Office 365 / Azure AD, Auth0.
- The e-mail address that is used at the IDP should be identical to the e-mail address of the ITM Platform user. As a minimum, the e-mail address should be included within the manifest.
- When using SSO with ITM Platform, users need to exist both in ITM Platform and at the IDP server. User roles and permissions are still configured in ITM Platform, not at the IDP.
- SSO can be made either optional or mandatory from the Company Settings Page.
- When a user is blocked at the IDP, they will not be able to log on in ITM Platform using SSO.
- Once enabled, the SSO configuration can be modified by any Full Access user.
Setting up SSO
If you want to enable SSO in your ITM Platform account, please contact ITM Platform support. Once enabled, please follow the steps listed below to set up your SSO.
Configuration at your company's IDP/SSO provider
To add ITM Platform as a service provider, you typically need to add an SSO application to your SSO solution.
Depending on the SSO solution, the exact names of the requested fields vary. To set up the application, complete the following details:
- Application ID URI/Issuer ID: we recommend using your ITM Platform URL + /saml2. For example, if your ITM Platform company URL is https://app.itmplatform.com/mycompany, the ID will be https://app.itmplatform.com/mycompany/saml2
- Redirect URL/URI, Callback URL: https://app.itmplatform.com/WebService/SSO.asmx/Auth
- Logout URL: https://app.itmplatform.com/ITM.Web/WebService/SSO.asmx/SignOut
Setup of ITM Platform
Browse to Configuration – Organization – Company Settings and scroll to the bottom of the Company Settings page.
Fill in the required fields:
- Force SSO for all users: when this setting is enabled, Single Sign-On is the only and mandatory login option for all users in your organization. When this setting is disabled, users can choose between the regular ITM Platform login and SSO by clicking the button “Login with SSO” on the ITM Platform login page.
- Issuer: the same value as the Application ID URI/Issuer ID provided during the setup at your SSO solution.
- Login URL: the SSO login page of your company. This value should be provided by your company admin or SSO provider.
- Logout URL: optional; only needed if you also want to log out of your SSO provider when logging out of ITM Platform. The value should be provided by your company admin or SSO provider.
- Certificate: optional, but required if you want to encrypt the communication between the ITM Platform Service Provider (SP) and the IDP, or if the IDP mandates it. The certificate should be provided by your company admin or SSO provider.
- Fingerprint: required when a certificate is used. The fingerprint should be provided by your company admin or SSO provider. You can also use a fingerprint generator such as https://www.samltool.com/fingerprint.php to generate it from the certificate.
Once you are sure that all settings are correct, enable the tick-box “Enable SSO” and save. Please note that if you provide an incorrect Login URL and have enabled the setting “Force SSO for all users”, you will not be able to log in to ITM Platform. Therefore, we recommend testing the settings first without this option enabled.
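Before ticking “Enable SSO”, it is worth checking offline that the Fingerprint you enter really belongs to the certificate you pasted. The script below is an added example, not ITM Platform's code: it computes the fingerprint the same way generators such as samltool.com do (a hash over the DER bytes of the certificate) and compares it with the value typed into Company Settings. Which hash algorithm ITM Platform expects is not stated on this page, so SHA-1 is an assumed default and SHA-256 is also shown; the sample certificate is a constructed placeholder, not a real X.509 certificate.

```python
import base64
import hashlib
import re

# Constructed placeholder: a PEM wrapper around the bytes b"abc" (base64 "YWJj").
# A real IDP certificate carries DER-encoded X.509 data here instead.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""


def pem_to_der(pem_text: str) -> bytes:
    """Return the DER bytes of a certificate given as PEM text.

    Also accepts the bare base64 form found in SAML metadata
    (<ds:X509Certificate>), i.e. without BEGIN/END lines.
    """
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem_text)
    body = "".join(body.split())  # drop newlines, spaces and tabs
    return base64.b64decode(body, validate=True)


def fingerprint(pem_text: str, algorithm: str = "sha1") -> str:
    """Colon-separated, upper-case fingerprint of the DER certificate.

    The hash is computed over the DER bytes, which is what SAML fingerprint
    generators report. 'sha1' as the default is an assumption; confirm the
    algorithm ITM Platform expects with its support team.
    """
    digest = hashlib.new(algorithm, pem_to_der(pem_text)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2)).upper()


def fingerprint_matches(pem_text: str, entered: str, algorithm: str = "sha1") -> bool:
    """True if the fingerprint entered in Company Settings belongs to this certificate.

    Tolerates the usual copy/paste variations: upper/lower case, colons,
    spaces and missing separators.
    """
    def normalise(value: str) -> str:
        return re.sub(r"[^0-9a-f]", "", value.lower())

    return normalise(fingerprint(pem_text, algorithm)) == normalise(entered)


if __name__ == "__main__":
    print("SHA-1  :", fingerprint(SAMPLE_PEM, "sha1"))
    print("SHA-256:", fingerprint(SAMPLE_PEM, "sha256"))
```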