Single Sign-On

You can configure an SSO integration to manage your organization’s BigPanda users via a third-party identity provider.

Single Sign-On (SSO) is an authentication process that allows users to log in to multiple systems via a third-party identity provider (IdP).

After an administrator successfully authenticates on the BigPanda website via basic authentication, they can configure their organization to use a SAML 2.0-compliant, third-party IdP for delegated authentication.

When SSO is configured for your organization, all authentication attempts are redirected to the third-party IdP. If a user does not have a valid session with the IdP, they are redirected to a login page where they may be challenged for their username, password, security questions, or multiple factors as determined by the IdP. The IdP then returns the successful identity authorization back to BigPanda, allowing the user to authenticate.

👍

With BigPanda’s JIT SAML Mapping, SSO provisioning can create user accounts automatically, based on predefined rules and properties in your SSO provider’s object.

Relevant Permissions

Roles with the following permissions can access the Single Sign-on section in the BigPanda Settings:

| Role Name | Description |
| --- | --- |
| Sso_Read | Read-only - view the Single Sign-on section. |
| Sso_Full_Access | Full access - view, select, add, configure, validate and integrate a Single Sign-on provider. |

To learn more about how BigPanda's permissions work, see the Roles Management guide.

Key Features

You can choose to integrate BigPanda with a third-party IdP to take advantage of any security controls and identity management processes that are already established in your organization. The benefits of SSO include:

  • Added security controls through the IdP, such as enforcing security policies, adding two-factor authentication, or restricting login via a corporate authentication mechanism.
  • Simplified password management.
  • Reduced password fatigue and time spent re-entering login details.
  • Simplified user management, onboarding, and offboarding.

Requirements

Use this information to check whether a specific SAML provider may be able to work with BigPanda, or to troubleshoot implementation problems.

| Consideration | BigPanda Functionality |
| --- | --- |
| Scope Of User Management | Must be all BigPanda users. BigPanda does not support multiple authentication methods for the same organization. |
| Authentication Flow | Supports both SP- and IdP-initiated. For SP-initiated: redirect binding from the SP and POST binding from the IdP. For IdP-initiated: POST binding from the IdP. |
| Assertion Type | Supports only unsigned, unencrypted assertions. |
| XML Schema | Follows standards from the SAML 2.0 core specification. |
| Username | Must be an email address. Must be the same in BigPanda and the IdP. Must have the same top-level domain for everyone in the organization (for example, [email protected]). |
| Provisioning And De-Provisioning | Manual invitation and deactivation by an administrator from within the BigPanda UI. See Invite Users and Manage User Accounts. |
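
A troubleshooting sketch for the requirements above, added here as an example and not BigPanda's own code: it decodes a Base64 SAMLResponse captured from the IdP's POST binding and reports mismatches with the Assertion Type and Username rows. It assumes the username travels in the assertion's NameID and that "same domain" means the part after the @; org_domain, build_sample and the sample response are constructed for illustration.

```python
import base64
import re
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def check_saml_response(b64_response, org_domain):
    """List mismatches with the requirements table (empty list = none found).

    Diagnostic only: no signature, audience or time validation is performed.
    """
    findings = []
    root = ET.fromstring(base64.b64decode(b64_response))
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["root element is not a SAML 2.0 <samlp:Response>"]
    if root.find("saml:EncryptedAssertion", NS) is not None:
        findings.append("assertion is encrypted")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        findings.append("no plaintext <saml:Assertion> found")
        return findings
    # A signature over the assertion is a direct child of <saml:Assertion>.
    if assertion.find("ds:Signature", NS) is not None:
        findings.append("assertion is signed")
    # Assumption: the username is carried in the Subject's NameID.
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    value = (name_id.text or "").strip() if name_id is not None else ""
    if not EMAIL_RE.match(value):
        findings.append("NameID %r is not an email address" % value)
    elif value.rsplit("@", 1)[1].lower() != org_domain.lower():
        findings.append("NameID domain differs from %s" % org_domain)
    return findings


def build_sample(name_id, signed=False):
    """Constructed sample response (not captured from any real IdP)."""
    sig = '<ds:Signature xmlns:ds="%s"/>' % NS["ds"] if signed else ""
    xml = (
        '<samlp:Response xmlns:samlp="%s" xmlns:saml="%s">'
        "<saml:Assertion>%s<saml:Subject><saml:NameID>%s</saml:NameID>"
        "</saml:Subject></saml:Assertion></samlp:Response>"
    ) % (NS["samlp"], NS["saml"], sig, name_id)
    return base64.b64encode(xml.encode()).decode()
```

Run it only against responses captured from your own IdP during setup; for XML from untrusted sources, use a hardened parser.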

Supported Providers

BigPanda supports SSO with several third-party IdPs for delegated authentication. Contact BigPanda Support to check whether your provider is supported.

Enable SSO

You may want to enable single sign-on (SSO) to require users to log in to BigPanda via a third-party identity provider (IdP). After SSO is enabled, users must use the SSO provider to log in to BigPanda.

Before You Start

  • Obtain administrator access to BigPanda.
  • (Recommended) Inform users that the BigPanda login process is changing.

❗️

Your BigPanda email address must match your SSO email.

Procedure

  1. In the top right, click the Settings icon, and then click Single Sign-on.
  2. Select the desired SSO provider.
  3. Follow the on-screen instructions to configure the SSO integration, and then click Logout and Test.
  4. From the BigPanda login page, enter your email address and leave the password blank. Then, click Log In to log in with your SSO provider.
  5. Validate that the login process works as expected and your account is accessible.
    Contact BigPanda support for assistance, if needed.
  6. In the top right, click the Settings icon, and then click Single Sign-on.
  7. Click Enable to enable SSO for everybody in your organization.
  8. Inform all users that they must log in to BigPanda via SSO.

Enable SSO Just-In-Time Provisioning

With SSO Just-In-Time, users who are already authenticated with their organization's SSO provider are created automatically the first time they log in to BigPanda. Each user's role is determined by their email domain, as established during SSO JIT configuration.
To enable SSO JIT for your organization, contact BigPanda Support.

Before You Start

  • Your organization must already have an SSO provider installed.
  • Your organization must provide the BigPanda support team with the domains and their corresponding default roles to configure into SSO JIT.

❗️

A user deleted from BigPanda will not be automatically recreated when they sign in to their organization’s SSO provider. The user must be reactivated manually by an administrator.

Disable SSO

You may want to disable single sign-on (SSO) and require users to log in directly to BigPanda instead. After SSO is disabled, users must reset their passwords to log in to BigPanda.

To disable SSO, you must be signed in with administrator access to BigPanda.

❗️

Single Sign-On is controlled globally across your organization. Disabling SSO will disable it for all users, not just the admin taking the action.

We recommend informing all BigPanda users that the login process will be changing prior to disabling SSO.

To disable SSO for your organization:

  1. In the top right, click the Settings icon and then click Single Sign-on.
  2. Select the SSO provider that is currently configured for BigPanda.
  3. Click Disable SSO.
  4. Click Yes to confirm that you want to disable SSO for your organization.

After following the above steps to disable SSO, the BigPanda configuration can be removed from your SSO provider’s system. We recommend that administrators validate that the new login process works as expected by testing their own user account.

All BigPanda users will need to switch to the manual login process.

  • Log out of BigPanda.
  • Log back in using the email address that was tied to your SSO.
  • Follow the instructions to Reset your password.

Next Steps

Find your way around the BigPanda Settings screen

Learn about User Management in BigPanda

Learn how to control account access levels with Roles Management