Single Sign-On (SSO) is an authentication process that allows users to log in to multiple systems via a third-party identity provider (IdP).
After an administrator successfully authenticates on the BigPanda website via basic authentication, they can configure their organization to use a SAML 2.0-compliant, third-party IdP for delegated authentication.
When SSO is configured for your organization, all authentication attempts are redirected to the third-party IdP. If a user does not have a valid session with the IdP, they are redirected to a login page where they may be challenged for their username, password, security questions, or multiple factors as determined by the IdP. The IdP then returns the successful identity authorization back to BigPanda, allowing the user to authenticate.
With BigPanda’s JIT SAML Mapping, SSO provisioning is able to create user accounts automatically based on predefined rules and properties in your SSO provider’s object.
Roles with the following permission can access the Single Sign-on section in BigPanda Settings:
|Single Sign-On||View, select, and configure a Single Sign-on provider in BigPanda Settings.|
Permission access levels can be adjusted by selecting either View or Full Access. To learn more about how BigPanda's permissions work, see the Roles Management guide.
You can choose to integrate BigPanda with a third-party IdP to take advantage of any security controls and identity management processes that are already established in your organization. The benefits of SSO include:
- Added security controls through the IdP, such as enforcing security policies, adding two-factor authentication, or restricting login via a corporate authentication mechanism.
- Simplified password management.
- Reduced password fatigue and time spent re-entering login details.
- Simplified user management, onboarding, and offboarding.
Use this information to check whether a specific SAML provider may be able to work with BigPanda, or to troubleshoot implementation problems.
|Supported Federation Protocol||SAML 2.0|
|Supported Encryption Protocol||SHA-256|
|Scope Of User Management||Must be all BigPanda users. BigPanda does not support multiple authentication methods for the same organization.|
|Authentication Flow||Supports both SP- and IdP-initiated flows. SP-initiated: redirect binding from the SP and POST binding from the IdP. IdP-initiated: POST binding from the IdP.|
|SAML Request Signature/Assertion Type||Supports only unsigned, unencrypted assertions.|
|XML Schema||Follows standards from the SAML 2.0 core specification.|
|Username||Must be an email address. Must be the same in BigPanda and the IdP.|
|Provisioning And De-Provisioning||Manual invitation and deactivation by an administrator from within the BigPanda UI, or via the SCIM Users API. See Invite Users and Manage User Accounts.|
BigPanda is SAML 2.0 compatible and supports SSO with several third-party IdPs for delegated authentication. Contact BigPanda Support to check whether your provider is supported.
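The rows of the compatibility table can be checked mechanically against a decoded SAML Response captured from a test login with your own IdP. The following is an added example, not BigPanda code; the ACS URL is a constructed placeholder and the sample responses are built inline.

```python
import re
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
ACS = "https://sp.example.invalid/acs"  # constructed placeholder, not a real ACS


def preflight(response_xml, expected_acs):
    """Compare a decoded SAML Response with the table; return the mismatches."""
    findings = []
    root = ET.fromstring(response_xml)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["root element is not a SAML 2.0 samlp:Response"]
    if root.get("Version") != "2.0":
        findings.append("Response Version is not 2.0")
    if root.get("Destination") != expected_acs:
        findings.append("Destination does not match the instance ACS")
    if root.find("saml:EncryptedAssertion", NS) is not None:
        findings.append("assertion is encrypted; table lists unencrypted only")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return findings + ["no plaintext saml:Assertion in the Response"]
    if assertion.find("ds:Signature", NS) is not None:
        findings.append("assertion is signed; table lists unsigned only")
    name_id = assertion.findtext("saml:Subject/saml:NameID", "", NS).strip()
    if not EMAIL_RE.match(name_id):
        findings.append("NameID %r is not an email address" % name_id)
    return findings


def sample(name_id, destination, extra=""):
    """Build a constructed, minimal Response for the checks above."""
    return (
        '<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" xmlns:ds="%s" '
        'Version="2.0" Destination="%s"><saml:Assertion Version="2.0">%s'
        "<saml:Subject><saml:NameID>%s</saml:NameID></saml:Subject>"
        "</saml:Assertion></samlp:Response>"
    ) % (NS["samlp"], NS["saml"], NS["ds"], destination, extra, name_id)


if __name__ == "__main__":
    print(preflight(sample("alice@example.com", ACS), ACS))
    print(preflight(sample("alice", ACS, "<ds:Signature/>"), ACS))
```

An empty list means the captured Response matches every row the script checks; each string names the row that did not match.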
You may want to enable single sign-on (SSO) to require users to log in to BigPanda via a third-party identity provider (IdP). After SSO is enabled, users must use the SSO provider to log in to BigPanda.
- Obtain administrator access to BigPanda.
- (Recommended) Inform users that the BigPanda login process is changing.
Your BigPanda email address must match your SSO email.
- In the top right, click the Settings icon, and then click Single Sign-on.
- Select the desired SSO provider.
- Follow the on-screen instructions to configure the SSO integration, and then click Logout and Test.
- From the BigPanda login page, enter your email address and leave the password blank. Then, click Log In to log in with your SSO provider.
- Validate that the login process works as expected and your account is accessible.
Contact BigPanda support for assistance, if needed.
- In the top right, click the Settings icon, and then click Single Sign-on.
- Click Enable to enable SSO for everybody in your organization.
- Inform all users that they must log in to BigPanda via SSO.
With SSO Just-In-Time, users that are already authenticated with their organization's SSO provider are created automatically the first time they log in to BigPanda. The role of the user is determined by their email domain, which is established upon SSO JIT configuration.
BigPanda Professional Services provides fee-based SSO services to enable SSO JIT for your organization.
- Your organization must already have an SSO provider installed.
- Your organization must provide the BigPanda support team with the domains and their corresponding default roles to configure into SSO JIT.
A user deleted from BigPanda will not be automatically recreated when they sign in to their organization’s SSO provider. The user must be reactivated manually by an administrator.
You may want to disable single sign-on (SSO) and require users to log in directly to BigPanda instead. After SSO is disabled, users must reset their passwords to log in to BigPanda.
To disable SSO, you must be signed in with administrator access to BigPanda.
Single Sign-On is controlled globally across your organization. Disabling SSO will disable it for all users, not just the admin taking the action.
We recommend informing all BigPanda users that the login process will be changing prior to disabling SSO.
To disable SSO for your organization:
- In the top right, click the Settings icon and then click Single Sign-on.
- Select the SSO provider that is currently configured for BigPanda.
- Click Disable SSO.
- Click Yes to confirm that you want to disable SSO for your organization.
After following the above steps to disable SSO, the BigPanda configuration can be removed from your SSO provider’s system. We recommend that administrators validate that the new login process works as expected by testing their own user account.
All BigPanda users will need to switch to the manual login process.
- Log out of BigPanda.
- Log back in using the email address that was tied to your SSO.
- Follow the instructions to Reset your password.
What is the Audience Restriction / Entity ID in production?
What is the ACS used by BigPanda?
BigPanda provides a unique ACS per instance of BigPanda. If you have a Prod and Sandbox instance (or another multi-instance configuration), the ACS will be unique for each one and requires additional steps to enable SSO. Contact Support for assistance.
What is the unique identifier in BigPanda for users?
BigPanda defines unique users based on their registered email address. Each email address can only be used in a single instance of BigPanda.
What are the required fields for Users? Can other fields be sent in the SAML assertion?
Email is the only required attribute for a user, but we also suggest including a display name. Email is the primary identifier for users and is also leveraged for JIT. BigPanda also optionally supports a phone number. Additional fields can be included in the SAML assertion, but they will be ignored by BigPanda.
How will users log in to BigPanda with SSO enabled?
Depending on the chosen SSO flow, users will access BigPanda as follows:
- IdP Initiated - After authenticating with their IdP, users select the BigPanda icon in their SSO portal.
- SP Initiated - Users sign in through the BigPanda login page https://a.bigpanda.io/ by entering their username. BigPanda will then authenticate that user against their SSO tool and return the required details to pass the user into the console.
Can SSO exist with other login methods?
When SSO is enabled, users can only access BigPanda through the SSO login. BigPanda support does have the ability to configure up to two users who can bypass SSO authentication, but this should be reserved only for admin users who need emergency access in the event of SSO issues.
Does BigPanda require email verification for a user's account to activate or on first login?
When SSO is enabled, users receive a welcome email once configured, but they do not need to acknowledge it in order to access BigPanda. On first login, users are prompted to create a password; this password is requested in case SSO becomes disabled for any reason in the future.
How are users created in BigPanda?
With SSO enabled, users must be added to the permissioned group within the IdP to gain access to BigPanda. With SSO disabled, users can be added by user profiles that have User Management Write privileges.
How are users removed from BigPanda?
With SSO enabled, when a user is removed from the IdP AD group, they lose the ability to log in to BigPanda. We currently don't support user deletion via SAML. User profiles must be either manually deleted or updated through our Users API. We also have the concept of a hard deletion, which can be executed through our support team.
After authentication, does the solution support automated lifecycle management (auto provisioning and deprovisioning)?
BigPanda supports Provisioning, but does not support automated de-provisioning of user accounts.
Does BigPanda have a Users API?
BigPanda has a SCIM Users API available.
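Because de-provisioning is not automated, profiles of users who have left the IdP group remain in BigPanda until someone removes them. One way to find them is to compare a Users API export with the current group membership; this is an added example, not BigPanda code. The SCIM 2.0 ListResponse shape is standard, while the sample data, the assumption that `userName` holds the email, and the `bypass_emails` list for the SSO-bypass admins described above are constructed for illustration.

```python
import json

# Constructed SCIM 2.0 ListResponse, standing in for a Users API export.
SAMPLE_EXPORT = json.dumps({
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    "totalResults": 3,
    "Resources": [
        {"userName": "Alice@Example.com", "active": True},
        {"userName": "bob@example.com", "active": True},
        {"userName": "carol@example.com", "active": False},
    ],
})


def _norm(emails):
    return {e.strip().lower() for e in emails}


def active_users(list_response_json):
    """Return lowercased userName values of active users in a ListResponse."""
    doc = json.loads(list_response_json)
    resources = doc.get("Resources", [])
    # A partial page would hide accounts, so refuse to reconcile on one.
    if doc.get("totalResults", len(resources)) > len(resources):
        raise ValueError("export is paginated; fetch all pages first")
    # Assumption: userName carries the email. A missing "active" flag is
    # treated as active so the account still gets reviewed.
    return _norm(u["userName"] for u in resources if u.get("active", True))


def reconcile(list_response_json, idp_group_emails, bypass_emails=()):
    """Compare active application users with the current IdP group."""
    app, idp = active_users(list_response_json), _norm(idp_group_emails)
    bypass = _norm(bypass_emails)
    return {
        "stale": sorted(app - idp - bypass),   # left the group, profile remains
        "bypass": sorted(app & bypass),        # SSO-bypass admins to review
        "no_profile": sorted(idp - app),       # in the group, no active profile
    }


if __name__ == "__main__":
    print(reconcile(SAMPLE_EXPORT, ["alice@example.com", "dave@example.com"]))
```

Accounts listed under `stale` are the ones to deactivate or delete, since they would regain direct login through a password reset if SSO were ever disabled.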
Does BigPanda support an idle session timeout?
Yes, BigPanda supports an idle session timeout (not a maximum session timeout), which is configurable on the BigPanda backend. Contact Support for assistance.
Is BigPanda a supported application on the Okta Integration Network?
Yes, BigPanda is a supported app. A sample assertion is not available on the network.
Can BigPanda support a custom logout URL?
Yes, contact BigPanda support for assistance.
Is Multi-Factor Authentication supported?
No - MFA is not supported at this time.