Single Sign-On with JIT Provisioning
SSO with JIT Provisioning automatically creates accounts in BigPanda when users first sign in via SSO.
Single Sign-On (SSO) is an authentication process that allows users to log in to multiple systems via a single service. You can configure an SSO integration to manage your organization’s entire membership via a third-party identity provider (IdP).
When SSO is configured for an organization, all authentication requests are routed through the third-party IdP, and users cannot log in directly to BigPanda. SSO with JIT Provisioning automatically creates user accounts in BigPanda based on pre-defined rules & properties in your SSO provider’s object when a user first signs in.
Relevant Permissions
Roles with the following permission can access the Single Sign-on section in BigPanda Settings:
Role Name | Description |
---|---|
Single Sign-On | View, select, and configure a Single Sign-on provider in BigPanda Settings. |
Permission access levels can be adjusted by selecting either View or Full Access. To learn more about how BigPanda's permissions work, see the Roles Management guide.
Key Features
You can choose to integrate BigPanda with a third-party IdP to take advantage of any security controls and identity management processes that are already established in your organization. The benefits of SSO with JIT Provisioning include:
- Added security controls through the IdP, such as enforcing security policies, adding two-factor authentication, or restricting login via a corporate authentication mechanism
- Simplified password management
- Reduced password fatigue and time spent re-entering login details
- Simplified user management, onboarding, and offboarding
How It Works
After an administrator successfully authenticates on the BigPanda website via basic authentication, they can configure their organization to use a SAML 2.0-compliant, third-party IdP for delegated authentication. When SSO is configured for your organization, all authentication attempts are redirected to the third-party IdP. If a user does not have a valid session with the IdP, they are redirected to a login page where they may be challenged for their username, password, security questions, or multiple factors as determined by the IdP. The IdP then returns an “assertion” as to the identity of the user to BigPanda and they are authenticated in turn.
With BigPanda’s JIT SAML Mapping, SSO provisioning is able to create user accounts automatically based on pre-defined rules & properties in your SSO provider’s object.

JIT SSO Process
JIT SAML Provisioning
To enable JIT SAML Mapping for your organization, Professional Services offers fee-based SSO services. Contact your BigPanda Professional Services representative for more information.
Requirements
Here are some technical specifications for how BigPanda implements an SSO integration. Use this information to check whether a specific SAML provider may be able to work with BigPanda or to troubleshoot implementation problems.
Consideration | BigPanda Functionality |
---|---|
Supported Federation Protocol | SAML 2.0 |
Supported Encryption Protocol | SHA-256 |
Scope Of User Management | Must be all BigPanda users. BigPanda does not support multiple authentication methods for the same organization. |
Authentication Flow | Supports both SP- and IdP-initiated flows. SP-initiated: redirect binding from the SP and POST binding from the IdP. IdP-initiated: POST binding from the IdP. |
SAML Request Signature/Assertion Type | Supports only unsigned, unencrypted assertions. |
XML Schema | Follows standards from the SAML 2.0 core specification. |
Username | Must be an email address. Must be the same in BigPanda and in the IdP. Must have the same top-level domain for everyone in the organization (for example, [email protected]). |
Provisioning And De-Provisioning | With BigPanda’s JIT SAML Mapping, SSO provisioning is able to create user accounts automatically based on pre-defined rules & properties in your SSO provider’s object. Manual invitation and deactivation by an administrator is also available from within the BigPanda UI. See Invite Users and Manage User Accounts. |
Supported Providers
BigPanda supports SSO with several third-party IdPs for delegated authentication.
Supported Providers are:
Before You Start
- Obtain administrator access to BigPanda.
- (Recommended) Inform users that the BigPanda login process is changing.
Your BigPanda email address must match your SSO email.
SSO Configuration
- In the top right, click the Settings gear icon, and then click Single Sign-on.
- Select the desired SSO provider.
- Follow the on-screen instructions to configure the SSO integration, and then click Logout and Test.
- From the BigPanda login page, enter your email address and leave the password blank. Then, click Log In to log in with your SSO provider.
- Validate that the login process works as expected and your account is accessible.
- In the top right, click the Settings gear icon, and then click Single Sign-on.
- Click Enable to enable SSO for everybody in your organization.
After Configuration
Inform all users that they must log in to BigPanda via SSO.
Enabling SSO Just-In-Time Provisioning
SSO Just-In-Time provisioning enables BigPanda to automatically create accounts for users that are already authenticated with their organization's SSO provider the first time they log in to BigPanda. The role of the user will be defined by the mapping rules of your SSO SAML properties, as set up during configuration.
Just-In-Time Role Sync
The role of the user will be defined by the mapping rules of your SSO SAML properties, as set up during configuration. For roles to be mapped in BigPanda, the role must be sent in the SAML properties with each user.
Roles from the SSO SAML properties are automatically mapped by BigPanda each time a user signs in. When changes are made to the role in the active directory, the updates are mapped to BigPanda at each login.
For organizations that onboarded BigPanda prior to August 2023, roles will only be mapped the first time a user signs in. If your organization is interested in setting up Just-in-Time automatic role sync, contact your BigPanda Account Team.
Before You Start
- Your organization must already have an SSO provider installed
- In order to leverage JIT provisioning, the BigPanda SAML properties must first be configured in your SSO provider console
- Contact BigPanda Support and request a product change to enable SSO JIT for your organization
A user deleted from BigPanda will not be automatically recreated when they sign in to their organization’s SSO provider. The user must be reactivated manually by an administrator.
Disabling SSO
You may want to disable single sign-on (SSO) and require users to log in directly to BigPanda instead. After SSO is disabled, users must reset their passwords to log in to BigPanda.
Single Sign-On is controlled globally across your organization. Disabling SSO will disable it for all users, not just the admin taking the action.
Before Disabling
- Obtain administrator access to BigPanda.
- (Recommended) Inform users that the BigPanda login process is changing.
Disable SSO Steps
- In the top right, click the Settings gear icon, and then click Single Sign-on.
- Select the SSO provider that is currently configured for BigPanda.
- Click Disable SSO.
- Click Yes to confirm that you want to disable SSO for your organization.
- Log out of BigPanda.
- From the BigPanda login page, click the Forgot Password link, and then follow the instructions to reset your password.
- Validate that the login process works as expected and your account is accessible.
Your email address must match your SSO email.
After Disabling SSO
- Inform all users that they must reset their BigPanda passwords using their SSO email addresses.
- (Optional) Remove or disable the BigPanda configuration within the SSO provider's system.
Add Multiple Properties to an Okta SAML Object
You can configure your Okta account to include a SAML object that defines account attributes. The SAML object lets you better match the mapping rules to the needs of your BigPanda Okta integration.
In order to leverage JIT provisioning, the BigPanda SAML properties must first be configured in Okta.
To configure account attributes for your SAML object:
- Log in to your Okta panel
- Navigate to Applications > BigPanda Application
- Click the Sign On tab
- Select the edit button, in the top right corner
- Click on the small arrow icon next to the Attributes (Optional) label

Configuring SAML Attributes in Okta
- In the Attributes properties form, fill in any desired attributes

SAML Attribute Fields in Okta
- When satisfied with your changes, click Save
Case Sensitive
When defining JIT Mapping, all fields are case-sensitive.
Nested Objects in SAML Objects
When the payload includes a nested object, there is a different syntax to match the nested values.
For the example payload:
"messageData": {
    "Username": {
        "mail": "shan[email protected]",
        "Name": "shani"
    }
}
To match credentials from the payload, define the rule as follows:
Property - Username.mail
Operator - Equal
Value - "[email protected]"
Role - Any BigPanda role id
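The nested-property rule and the case-sensitivity note above, as an added Python illustration (not BigPanda's code) that can be used to dry-run mapping rules against sample IdP payloads before rollout. The rule dictionary shape, first-match ordering, function names, `example.com` addresses and role ids are all assumptions constructed for this example.

```python
# Added illustration, not BigPanda code. Rule shape and first-match order are assumptions.
from typing import Any, Optional

_MISSING = object()

def resolve(payload: dict, path: str) -> Any:
    """Walk a dotted property path (e.g. 'Username.mail') through nested objects."""
    node: Any = payload
    for key in path.split("."):
        # Keys are compared exactly: 'username.mail' does not find 'Username'.
        if not isinstance(node, dict) or key not in node:
            return _MISSING
        node = node[key]
    return node

def match_role(payload: dict, rules: list) -> Optional[str]:
    """Return the role of the first matching rule, or None if no rule matches."""
    for rule in rules:
        if rule["operator"] != "Equal":
            raise ValueError(f"unsupported operator: {rule['operator']}")
        value = resolve(payload, rule["property"])
        # Case-sensitive equality; a missing property never matches.
        if value is not _MISSING and value == rule["value"]:
            return rule["role"]
    return None

def unmapped_users(payloads: list, rules: list) -> list:
    """Payloads for which no rule yields a role; review these before rollout."""
    return [p for p in payloads if match_role(p, rules) is None]

# Constructed sample data: contents of "messageData" with placeholder values.
MESSAGE_DATA = {"Username": {"mail": "shani@example.com", "Name": "shani"}}
RULES = [
    # Wrong case in the value: does not match.
    {"property": "Username.mail", "operator": "Equal",
     "value": "Shani@example.com", "role": "role-id-wrong-case"},
    # Wrong case in the property path: does not match.
    {"property": "username.mail", "operator": "Equal",
     "value": "shani@example.com", "role": "role-id-wrong-key"},
    # Exact path and value: matches.
    {"property": "Username.mail", "operator": "Equal",
     "value": "shani@example.com", "role": "role-id-placeholder"},
]

if __name__ == "__main__":
    print(match_role(MESSAGE_DATA, RULES))
```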