Managing Users with SSO

Single Sign-On (SSO) integration between an Identity Provider (IdP) is being modified to better support the creation of custom user groups and security roles in the Syniti Knowledge Platform (SKP).

Existing SSO Users

• Your current SSO integration will continue to function as before.

• Users assigned to specific IdP groups will automatically be assigned to the same system user groups in the SKP.

• Admins from the IdP admin group will automatically be assigned to the Administrator user group in SKP. This is the same for Business Admin, Author and Viewer groups as well.

• Removal from the assigned SKP user group is not permanent; SSO will reassign the user groups on the user’s next login to keep the IdP group and SKP user group in sync.

• Any additional SKP user groups assigned to a user will not be affected by the SSO logic.

Disabling IdP Group Integration

• Disabling IdP group integration allows full control over creating and managing SKP user groups and roles.

• New users will still be authenticated via SSO, but default to any user group set as a Default User Group.

  Note

  By default, only the Viewer user group is set as a Default User Group for new tenants. This can be changed by editing the user group. If no user groups are set as a Default User Group, users will not be granted access to the SKP.

• An SKP administrator can then assign necessary permissions by adding users to relevant groups.

Enabling SSO

Syniti engineers are available to connect your Knowledge Platform products with your organization's SSO Identity Provider for a seamless and secure login experience. Before proceeding to the Setup section, please review the Requirements and send any questions to Syniti Tenant Provisioning.

Requirements

1. Your SSO Identity Provider (IdP) is on our list of certified or supported providers.

2. Your IdP specifies a user’s email address, full name, group membership and immutable ID via an identity token or endpoint. In the case of SAML, the identity token is called the assertion.

3. Your IdP uses a 2-hour or longer lifespan for session tokens and identity tokens.

Setup

The setup process begins when you submit a request, which requires all of the following information:

1. Tenant ID—Get your {tenant id} by logging in and clicking your tenant name in the user menu in the top-right.
    

2. IT and/or Security contact email(s)—Syniti engineers may need to request additional technical details from your organization's IT and/or Security team(s). List the email address of each person who should be included in these requests.

3. All possible user email domains—List each user email domain that might ever need to access your Knowledge Platform.

4. SSO Identity Provider (IdP)—Certified providers are listed here. Any provider using the SAML 2.0, OAuth 2.0, or OpenID Connect protocol is also supported.

5. SSO Protocol - SAML 2.0, OAuth 2.0, or OpenID Connect

   Warning : 

   If Okta is your organization's IdP, then we only support OpenID Connect. Okta configurations with SAML 2.0 will often break the 2-hour lifespan requirement listed above.

6. Required attribute names—Email address, full name, group membership, and immutable ID. List the names of these required attributes exactly as they appear in the identity token or endpoint. In the case of SAML, the identity token is called the assertion.

If your SSO Protocol is SAML 2.0, then you'll need to include this in your ticket:

1. SAML metadata link—This is your organization's SAML metadata. We strongly recommend providing a URL link to the metadata XML so that we can automatically monitor for updates. This allows you to change certificates or other configurations without the need to contact us. Alternatively, you can attach static metadata in an XML file.

2. Syniti SAML metadata—You should save Syniti's SAML metadata link to configure your IdP for the SKP. Multiple links are available, but you need to use the one that matches your SKP tenant region.

   • Americas: https://api.syniti.com/saml/metadata.xml

   • Australia: https://api.syniti.au/saml/metadata.xml

   • EMEA: https://api.syniti.eu/saml/metadata.xml

   • Canada: https://api.syniti.ca/saml/metadata.xml

If your SSO Protocol is OAuth 2.0 or OpenID Connect, you must include the following information in your ticket:

1. Authorization endpoint—This is a URL that may look like "https://exampledomain.com/login"

2. Token endpoint—This is a URL that may look like "https://exampledomain.com/token"

3. User information endpoint (optional)—This is only needed when one of the required attributes is not available in the above endpoints. The required attributes are email address, full name, group membership, & immutable ID. It may look like "https://exampledomain.com/userinfo".

4. Client ID and Secret—Send via encrypted email to T1@syniti.com

   Note : 

   Do NOT provide these in the ticket.

Send any questions to Syniti Tenant Provisioning.

Testing and Cutover

Once all the necessary information has been provided and clarified in the Support ticket (and sensitive items sent via encrypted email), Syniti engineers will prepare and test the Knowledge Platform SSO configuration.

Before we schedule the cutover date with you in the Support ticket, you'll be asked to provide user accounts already in your Knowledge Platform to be migrated over to SSO. This list of user accounts must include the user email address, user role from the Knowledge Platform, and their immutable ID from the IdP. You can ignore any user accounts that are not migrating to SSO.