Single Sign-On

You can configure an SSO integration to manage your organization’s BigPanda users via a third-party identity provider.

Single Sign-On (SSO) is an authentication process that allows users to log in to multiple systems via a third-party identity provider (IdP).

After an administrator successfully authenticates on the BigPanda website via basic authentication, they can configure their organization to use a SAML 2.0-compliant, third-party IdP for delegated authentication.

When SSO is configured for your organization, all authentication attempts are redirected to the third-party IdP. If a user does not have a valid session with the IdP, they are redirected to a login page where they may be challenged for their username, password, security questions, or multiple factors as determined by the IdP. The IdP then returns the successful identity authorization back to BigPanda, allowing the user to authenticate.

SSO with Just-In-Time (JIT) Provisioning

With BigPanda’s JIT SAML Mapping, SSO provisioning is able to create user accounts automatically based on predefined rules and properties in your SSO provider’s object. See the SSO Configuration documentation for more information.

Relevant Permissions

Roles with the following permission can access the Single Sign-on section in BigPanda Settings:

Role Name | Description
Single Sign-On | View, select, and configure a Single Sign-on provider in BigPanda Settings.

Permission access levels can be adjusted by selecting either View or Full Access. To learn more about how BigPanda's permissions work, see the Roles Management guide.

Key Features

You can choose to integrate BigPanda with a third-party IdP to take advantage of any security controls and identity management processes that are already established in your organization. The benefits of SSO include:

  • Added security controls through the IdP, such as enforcing security policies, adding two-factor authentication, or restricting login via a corporate authentication mechanism.
  • Simplified password management.
  • Reduced password fatigue and time spent re-entering login details.
  • Simplified user management, onboarding, and offboarding.

Requirements

Use this information to check whether a specific SAML provider may be able to work with BigPanda, or to troubleshoot implementation problems.

Consideration | BigPanda Functionality
Supported Federation Protocol | SAML 2.0
Supported Encryption Protocol | SHA-256
Scope Of User Management | Must be all BigPanda users. BigPanda does not support multiple authentication methods for the same organization.
Authentication Flow | Supports both SP- and IdP-initiated. For SP-initiated, with redirect binding from the SP and POST binding from the IdP. For IdP-initiated, with POST binding from the IdP.
SAML Request Signature/Assertion Type | Supports only unsigned, unencrypted assertions.
XML Schema | Follows standards from the SAML 2.0 core specification.
Username | Must be an email address. Must be the same in BigPanda and the IdP.
Provisioning And De-Provisioning | Manual invitation and deactivation by an administrator from within the BigPanda UI, or via the SCIM Users API. See Invite Users and Manage User Accounts.

Supported Providers

BigPanda is SAML 2.0 compatible and supports SSO with several third-party IdPs for delegated authentication. Contact BigPanda Support to check whether your provider is supported.

Enable SSO

You may want to enable single sign-on (SSO) to require users to log in to BigPanda via a third-party identity provider (IdP). After SSO is enabled, users must use the SSO provider to log in to BigPanda.

Before you enable SSO, you will need to:

  • Obtain administrator access to BigPanda.
  • (Recommended) Inform users that the BigPanda login process is changing.

Email Matching

Your BigPanda email address must match your SSO email.

To enable SSO in BigPanda:

  1. In the top right, click the Settings icon, and then click Single Sign-on.
  2. Select the desired SSO provider.
  3. Follow the on-screen instructions to configure the SSO integration, and then click Logout and Test.
  4. From the BigPanda login page, enter your email address and leave the password blank. Then, click Log In to log in with your SSO provider.
  5. Validate that the login process works as expected and your account is accessible.
    Contact BigPanda support for assistance, if needed.
  6. In the top right, click the Settings icon, and then click Single Sign-on.
  7. Click Enable to enable SSO for everybody in your organization.
  8. Inform all users that they must log in to BigPanda via SSO.

SSO Just-In-Time Provisioning

SSO with Just-In-Time (JIT) Provisioning automatically creates user accounts in BigPanda when users first log in via SSO, eliminating the need for manual account creation. Account creation is based on rules and properties defined in your SSO provider’s object.

With JIT Security Assertion Markup Language (SAML) mapping, you can also configure roles to automatically sync to BigPanda each time a user logs in.

To enable SSO JIT for your organization, see the SSO Configuration documentation.

Disable SSO

You may want to disable single sign-on (SSO) and require users to log in directly to BigPanda instead. After SSO is disabled, users must reset their passwords to log in to BigPanda.

To disable SSO, you must be signed in with administrator access to BigPanda.

Single Sign-On is controlled globally across your organization. Disabling SSO will disable it for all users, not just the admin taking the action.

We recommend informing all BigPanda users that the login process will be changing prior to disabling SSO.

To disable SSO for your organization:

  1. In the top right, click the Settings icon and then click Single Sign-on.
  2. Select the SSO provider that is currently configured for BigPanda.
  3. Click Disable SSO.
  4. Click Yes to confirm that you want to disable SSO for your organization.

After following the above steps to disable SSO, the BigPanda configuration can be removed from your SSO provider’s system. We recommend that administrators validate that the new login process works as expected by testing their own user account.

All BigPanda users will need to switch to the manual login process.

  • Log out of BigPanda.
  • Log back in using the email address that was tied to your SSO.
  • Follow the instructions to Reset your password.

Frequently Asked Questions

SSO Protocols

What is the Audience Restriction / Entity ID in production?

https://bigpanda.io/SAML2

What is the ACS used by BigPanda?

BigPanda provides a unique ACS per instance of BigPanda. If you have a Prod and Sandbox instance (or another multi-instance configuration), the ACS will be unique for each one and requires additional steps to enable SSO. Contact Support for assistance.

User Identification

What is the unique identifier in BigPanda for users?

BigPanda defines unique users based on their registered email address. Each email address can only be used in a single instance of BigPanda.

What are the required fields for Users? Can other fields be sent in the SAML assertion?

Email is the only required attribute for a user, but we also suggest including a display name. Email is the primary identifier for users and is also leveraged for JIT. BigPanda also optionally supports a phone number. Additional fields can be included in the SAML assertion, but they will be ignored by BigPanda.

How will users log in to BigPanda with SSO enabled?

Depending on the chosen SSO flow, users will access:

  • IdP Initiated - After authenticating with their IdP, users select the BigPanda icon in their SSO portal.
  • SP Initiated - Users sign in through the BigPanda login page https://a.bigpanda.io/ by entering their username. BigPanda will then authenticate that user against their SSO tool and return the required details to pass the user into the console.
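
A pre-flight check for a SAML response captured from a test login, covering the values this page states: the Audience / Entity ID, an email-format username, and unencrypted assertions. This is an added example, not BigPanda code; it assumes the username is carried in the NameID, and the ACS URL and sample response are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BIGPANDA_AUDIENCE = "https://bigpanda.io/SAML2"  # Entity ID stated in the FAQ
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample response. The ACS URL is a placeholder: the page says
# each BigPanda instance has its own ACS.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://acs.example.invalid/placeholder">
  <saml:Assertion>
    <saml:Subject>
      <saml:NameID>jane.doe@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://bigpanda.io/SAML2</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def preflight(response_xml, expected_acs, bigpanda_email):
    """Return a list of findings; an empty list means no mismatch was found."""
    # Parse only XML captured from your own IdP test login; use a hardened
    # parser such as defusedxml for anything untrusted.
    root = ET.fromstring(response_xml)
    findings = []
    if root.find(".//saml:EncryptedAssertion", NS) is not None:
        findings.append("assertion is encrypted; page lists unencrypted only")
    if root.get("Destination") != expected_acs:
        findings.append("Destination does not match this instance's ACS")
    audiences = [a.text.strip() for a in root.findall(".//saml:Audience", NS) if a.text]
    if BIGPANDA_AUDIENCE not in audiences:
        findings.append("Audience is not " + BIGPANDA_AUDIENCE)
    # Assumption: the username travels in the Subject NameID.
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    value = (name_id.text or "").strip() if name_id is not None else ""
    if not EMAIL_RE.match(value):
        findings.append("NameID is not an email address")
    elif value != bigpanda_email:
        findings.append("NameID differs from the BigPanda email")
    return findings
```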

Lifecycle Management

Can SSO exist with other login methods?

When SSO is enabled, users can only access BigPanda through the SSO login. BigPanda support does have the ability to configure up to two users who can bypass SSO authentication, but this should be reserved only for admin users who need emergency access in the event of SSO issues.

Does BigPanda require email verification for a user's account to activate or on first login?

When SSO is enabled, users receive a welcome email once their account is configured, but they do not need to acknowledge it to access BigPanda. On first login, users are prompted to create a password, but this is only requested in case SSO is disabled for any reason in the future.

How are users created in BigPanda?

With SSO enabled, users must be added to the permissioned group within the IdP to be granted access to BigPanda. With SSO disabled, users can be added by user profiles with User Management Write privileges.

How are users removed from BigPanda?

With SSO enabled, when a user is removed from the IdP AD group, they lose the ability to log in to BigPanda. We currently don't support any user deletions via SAML. User profiles need to be either manually deleted or updated through our Users API. We also have the concept of a hard deletion, which can be executed through our support team.

After authentication, does the solution support automated lifecycle management (auto-provisioning and de-provisioning)?

BigPanda supports provisioning, but does not support automated de-provisioning of user accounts.
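
Because de-provisioning is not automated, profiles can remain in BigPanda after a user leaves the IdP group. The audit below is an added example, not BigPanda code: it compares a user export with the IdP group membership and lists active profiles to delete or update manually. It assumes the export uses the standard SCIM 2.0 ListResponse shape (RFC 7644), that userName holds the email, and that emails are compared case-insensitively; all sample data is constructed.

```python
import json

# Constructed SCIM 2.0 ListResponse (RFC 7644 shape); not real BigPanda output.
SCIM_EXPORT = json.dumps({
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    "totalResults": 5,
    "Resources": [
        {"id": "u1", "userName": "alice@example.com", "active": True},
        {"id": "u2", "userName": "Bob@Example.com", "active": True},
        {"id": "u3", "userName": "carol@example.com", "active": True},
        {"id": "u4", "userName": "dave@example.com", "active": False},
        {"id": "u5", "userName": "erin@example.com", "active": True},
    ],
})
IDP_GROUP = ["alice@example.com", "bob@example.com"]  # constructed IdP group export
BYPASS = ["carol@example.com"]  # constructed list of SSO-bypass admins
MAX_BYPASS = 2  # the page: Support can configure up to two bypass users


def norm(email):
    # Assumption: email matching is case-insensitive.
    return email.strip().lower()


def stale_profiles(scim_json, idp_members, bypass_users):
    """Return (stale, warnings): active profiles no longer backed by the IdP group."""
    allowed = {norm(e) for e in idp_members}
    bypass = {norm(e) for e in bypass_users}
    warnings = []
    if len(bypass) > MAX_BYPASS:
        warnings.append("more than %d bypass users listed" % MAX_BYPASS)
    stale = []
    for user in json.loads(scim_json).get("Resources", []):
        email = norm(user.get("userName", ""))
        if not user.get("active", True) or email in allowed:
            continue  # already deactivated, or still entitled through the IdP
        if email in bypass:
            warnings.append("bypass account outside IdP group: " + email)
            continue
        stale.append(email)
    return sorted(stale), warnings
```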

General

How do I update my SSO certificate?

To update your SSO certificate, you will need to disable SSO from within the BigPanda UI, and then enable it again using your new certificate. See the Disable SSO and Enable SSO sections for instructions.

Custom Logout URL

If you have a custom logout URL, the BigPanda support team will need to update the certificate manually. Contact BigPanda Support for assistance.

Does BigPanda have a Users API?

BigPanda has a SCIM Users API available.

Does BigPanda support an idle session timeout?

Yes, BigPanda supports an idle session timeout (not a maximum session timeout), which is configurable on the BigPanda backend. Contact Support for assistance.

Is BigPanda a supported application on the Okta Integration Network?

Yes, BigPanda is a supported app. A sample assertion is not available on the network.

Can BigPanda support a custom logout URL?

Yes, contact BigPanda support for assistance.

Is Multi-Factor Authentication supported?

No - MFA is not supported at this time.
