Single sign-on, or SSO, is a way of authenticating access to multiple online applications with a single user identity.
This means that instead of having to remember a separate set of login credentials for every application, you take one identity from an identity provider that you trust and use it to log into everything. This is a highly time-efficient method of access control that can greatly simplify identity and access management in general.
The basic mechanism is that an application accepts a set of credentials issued by a trusted identity provider. This trust rests on a certificate exchanged between the identity provider and the service. Think of it as a signature that tells the service provider that the identity information is legitimate.
When a user wants to access an application, the service provider sends some information about the user (this information is called a token) to the SSO provider and requests authentication. If the user has not already been authenticated, the identity provider carries out the authentication (username, password, MFA) and then sends a token back to the application. The application validates the token against the trusted certificate and, if everything checks out, the user is allowed in.
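The validation step described above, as an added example that is not part of this page or of GoodAccess's software: a Python sketch of the checks a service provider applies to a SAML assertion once an XML-DSig library has verified its signature against the identity provider's certificate. The issuer URL, Entity ID, attribute name and the sample response are constructed placeholders, not values from any real tenant.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample response (not real Azure/Google/Okta output). The ds:Signature
# element is omitted: verify it against the IdP certificate before running these checks.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
      <saml:AudienceRestriction><saml:Audience>urn:sp:example</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>alice@example.test</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

def _ts(value):  # SAML UTC timestamp such as 2024-01-01T00:00:00Z; None stays None
    return value and datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_assertion(xml_text, expected_issuer, expected_audience, now_iso):
    """Apply the SP-side checks. Returns (attrs, None) when the assertion is
    accepted, or (None, reason) naming the first check that failed."""
    now = _ts(now_iso)
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    cond = assertion.find("saml:Conditions", NS) if assertion is not None else None
    if cond is None:
        return None, "no assertion or conditions"
    # Issuer must be the IdP configured for this tenant (the Azure AD Identifier
    # or Okta issuer URL copied into the Control Panel).
    if assertion.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        return None, "issuer mismatch"
    not_before, not_after = _ts(cond.get("NotBefore")), _ts(cond.get("NotOnOrAfter"))
    # Reject stale or replayed assertions outside the IdP's validity window.
    if (not_before and now < not_before) or (not_after and now >= not_after):
        return None, "assertion outside validity window"
    # Audience must be this SP's Entity ID, so an assertion minted for a
    # different application is not accepted here.
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        return None, "audience mismatch"
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    attrs["NameID"] = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    return attrs, None
```

The attribute names in the returned dict are whatever the identity provider was configured to send, which is why the claim mapping steps later on this page matter.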
SSO saves time but there are drawbacks as well. Here are some upsides and downsides of single sign-on.
Pros:
Cons:
GoodAccess supports SSO with access credentials from three identity providers - Microsoft Azure, Google Workspace, and Okta.
Note: If you change the login method to SSO, all your existing members will be deleted. However, they will be automatically added back upon first login. All your devices will remain.
To enable SSO with your MS Azure identity go to the GoodAccess Control Panel. In Settings, switch to the Login & Security tab and click on Azure.
Here, take note of the following details, which you will need later:
Now, create an application in Azure under Enterprise Applications.
Enter a name and choose the option “Integrate any other application you don't find in the gallery (Non-gallery)”.
Once created, open your new app and continue with Single sign-on and SAML.
Edit the Basic SAML Configuration and enter the information from earlier:
When you’ve entered everything, click Save.
Next, click on Edit User Attributes & Claims and edit the following:
- USER.MAIL
- USER.PRINCIPALNAME
- Source attribute - enter "user.userprincipalname"
Download the Azure certificate and take note of the Login URL and Azure AD Identifier for the next step.
In the GoodAccess Control Panel copy the following details from the previous step:
When you’re done, click Save Changes.
Now you’re all set to connect with Azure SSO.
To enable SSO with your Google identity, navigate to Settings, then Login & Security, and choose Google Workspace.
Meanwhile, in your Google Admin console (at admin.google.com) go to Apps and Web and mobile apps.
Click Add App and then Add custom SAML app.
Enter the name of your app (it is up to you), and upload a logo if you wish.
On the Google Identity Provider details page, you will be asked to provide the SSO URL, Entity ID, and Certificate.
Go back to SSO Settings in the GoodAccess Control panel (from earlier), and copy the information as follows:
Click Continue, switch back to the GoodAccess Control Panel, and look for the following information:
Now copy these details to the Google Workspace Admin Console as follows:
Then, click Continue.
Edit the Attributes as follows.
Open the created app in Google Workspace and click on "OFF for everyone".
Change to "ON for everyone" and Save.
Congratulations, you can now connect via Google Workspace SSO.
To enable SSO with your Okta identity, go to the GoodAccess Control Panel, then to Settings, switch to the Login & Security tab and click on Okta.
Take note of the following details which you will need later:
Go to Okta, navigate to Applications, and click Create App Integration.
Choose SAML 2.0.
Name your app, upload a logo, and click Next.
Fill out the SAML Settings as follows:
Attribute Statements:
Okta may ask for your feedback.
Once you have created the new app, open its SAML configuration under the Sign-on tab.
Take note of the following information which you will need later:
In the GoodAccess Control Panel, copy these details as follows:
X509 Signin certificate - upload certificate
And you’re done. You can now connect with Okta SSO.