
Speed Up Login to GoodAccess With SSO

Single sign-on, or SSO, is a way of authenticating access to multiple online applications with a single user identity.

This means that instead of having to remember a set of login credentials for every application, you take one identity from an identity provider whom you trust and use it to log into everything. This is a highly time-efficient method of access control that can greatly simplify identity management and access control in general.


Table of contents

  1. How does single sign-on work?
  2. What are the pros and cons of SSO?
  3. SSO for GoodAccess
  4. How to set up Microsoft Azure SSO
  5. How to set up Google Workspace SSO
  6. How to set up Okta SSO


How does single sign-on work?

The basic mechanism is that an application accepts a set of credentials from a trusted identity provider. This trust is based on a certificate exchanged between the identity provider and the service. Think of it as a signature that tells the service provider that the identity information is legitimate.

When a user wants to gain access to an application, the service provider sends some information about the user (this information is called a token) to the SSO provider and requests authentication. If the user hasn’t already been authenticated, the identity provider carries out the authentication (username, password, MFA) and then sends a token back to the application. The application validates the token against the trusted certificate, and if everything checks out, the user is allowed in.
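Besides the signature, a service provider also checks that a token was issued by the expected identity provider, for this application, and is still fresh. The sketch below is an added example, not GoodAccess code: it runs those checks on a constructed SAML response, with a hypothetical function name and example.test URLs standing in for the Entity ID and Assertion Consumer Service URL values used in the setup steps. Signature verification against the IdP certificate is assumed to have been done first by an XML-DSig library.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"a": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample response (unsigned, for illustration only).
SAMPLE = """<p:Response xmlns:p="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:s="urn:oasis:names:tc:SAML:2.0:assertion"><s:Assertion>
 <s:Issuer>https://idp.example.test/metadata</s:Issuer>
 <s:Subject><s:SubjectConfirmation><s:SubjectConfirmationData
   Recipient="https://sp.example.test/acs"/></s:SubjectConfirmation></s:Subject>
 <s:Conditions NotBefore="2024-01-01T10:00:00Z" NotOnOrAfter="2024-01-01T10:05:00Z">
  <s:AudienceRestriction><s:Audience>https://sp.example.test/entity</s:Audience></s:AudienceRestriction>
 </s:Conditions>
 <s:AttributeStatement><s:Attribute Name="email">
  <s:AttributeValue>alice@example.test</s:AttributeValue></s:Attribute></s:AttributeStatement>
</s:Assertion></p:Response>"""

def ts(value):
    # Whole-second UTC instants only; anything else raises and fails closed below.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def in_window(cond, now):
    try:
        return ts(cond.get("NotBefore")) <= now < ts(cond.get("NotOnOrAfter"))
    except (AttributeError, TypeError, ValueError):
        return False  # missing Conditions or unparsable timestamps: reject

def check_assertion(xml_text, idp_entity_id, sp_entity_id, acs_url, now):
    # Returns a list of problems; [] means the non-signature checks pass.
    # For untrusted input, parse with a hardened XML parser instead.
    a = ET.fromstring(xml_text).find("a:Assertion", NS)
    if a is None:
        return ["no assertion"]
    audiences = [e.text.strip() for e in a.iterfind(".//a:Audience", NS) if e.text]
    data = a.find(".//a:SubjectConfirmationData", NS)
    emails = [v.text for v in a.iterfind(
        ".//a:Attribute[@Name='email']/a:AttributeValue", NS) if v.text]
    checks = [
        ("issuer mismatch", a.findtext("a:Issuer", "", NS).strip() == idp_entity_id),
        ("audience mismatch", sp_entity_id in audiences),
        ("recipient mismatch", data is not None and data.get("Recipient") == acs_url),
        ("outside validity window", in_window(a.find("a:Conditions", NS), now)),
        ("missing email attribute", bool(emails)),
    ]
    return [name for name, ok in checks if not ok]
```

An empty list means the token names the expected issuer, audience and recipient, is inside its validity window, and carries the "email" attribute that the setup steps map.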

What are the pros and cons of SSO?

SSO saves time but there are drawbacks as well. Here are some upsides and downsides of single sign-on.

Pros:

  • Easier access for users - SSO is enormously practical for the users because they only need to remember one set of credentials to access all of their applications.
  • Simple identity management - SSO centralizes identity management by storing all identity information in one secure repository.
  • Improved security - Because users need to remember fewer passwords, it is easier for them to protect and remember them.

Cons:

  • Increased credential sensitivity - Credentials used for SSO require extra protection because if they were compromised, the adversary would get access to a multitude of systems. Multi-factor authentication is a must.
  • Possible cost - Because a sudden unavailability of SSO would result in the loss of access to all the connected systems, you may sometimes need failover measures, which can cost money if you are using identity providers’ premium offerings.

SSO for GoodAccess

GoodAccess supports SSO with access credentials from three identity providers - Microsoft Azure, Google Workspace, and Okta.

Note: If you change the login method to SSO, all your existing members will be deleted. However, they will be automatically added back upon first login. All your devices will remain.

How to set up Microsoft Azure SSO

To enable SSO with your MS Azure identity, go to the GoodAccess Control Panel. In Settings, switch to the Login & Security tab and click on Azure.

Here, take note of the following details, which you will need later:

  • Entity ID,
  • Assertion Consumer Service URL,
  • Login URL,
  • Relay State.

Now, create an application in Azure under Enterprise Applications.

Enter a name and choose the option “Integrate any other application you don't find in the gallery (Non-gallery)”.

Once created, open your new app and continue with Single sign-on and SAML.


Edit the Basic SAML Configuration and enter the information from earlier:

  • Identifier (Entity ID) - Service Provider Links Entity ID
  • Reply URL (Assertion Consumer Service URL) - Assertion Consumer Service URL
  • Sign on URL - Type “https://sign.goodaccess.com/”
  • Relay State - Type "/"

When you’ve entered everything, click Save.

Next, click on Edit User Attributes & Claims and edit the following:

USER.MAIL

  • Name - Enter "email"
  • Namespace - Leave blank
  • Source - Choose Attribute
  • Source Attribute - Enter "user.mail"

USER.PRINCIPALNAME

  • Name - Enter "name"
  • Namespace - Leave blank
  • Source - Choose Attribute
  • Source Attribute - Enter "user.userprincipalname"

Download the Azure certificate and take note of the Login URL and Azure AD Identifier for the next step.

In the GoodAccess Control Panel, copy the following details from the previous step:

  • Sign in URL - Login URL
  • Entity ID - Azure AD Identifier
  • X509 Signing certificate - Upload Azure certificate

When you’re done, click Save Changes.

Now you’re all set to connect with Azure SSO.

How to set up Google Workspace SSO

To enable SSO with your Google identity, navigate to Settings, then Login & Security, and choose Google Workspace.

Meanwhile, in your Google Admin console (at admin.google.com) go to Apps and Web and mobile apps.

Click Add App and then Add custom SAML app.


Enter the name of your app (it is up to you), and upload a logo if you wish.

On the Google Identity Provider details page, you will be asked to provide the SSO URL, Entity ID, and Certificate.

Go back to SSO Settings in the GoodAccess Control panel (from earlier), and copy the information as follows:

  • Sign in URL – SSO URL (previous step)
  • Entity ID – Entity ID (previous step)
  • X509 Signing certificate – Certificate (previous step)

Click Continue, switch back to the GoodAccess Control Panel, and look for the following information:

  • Service Provider Links
  • Assertion Consumer Service URL
  • Login URL (type “/”)

Now copy these details to the Google Workspace Admin Console as follows:

  • Acs URL - Assertion Consumer Service URL (previous screen)
  • Entity ID – Service provider links Entity ID (previous screen)
  • State URL - Login URL
  • Name ID format – enter "UNSPECIFIED"
  • Name ID – enter "Basic Information > Primary email"

Then, click Continue.

Edit the Attributes as follows.

  • First line: Basic information – Primary email -> App attributes – enter "email"
  • Second line: Basic information – First name -> enter "name"

Open the created app in Google Workspace and click on "OFF for everyone".

Change to "ON for everyone" and Save.

Congratulations, you can now connect via Google Workspace SSO.

How to set up Okta SSO

To enable SSO with your Okta identity, go to the GoodAccess Control Panel, then to Settings, switch to the Login & Security tab and click on Okta.

Take note of the following details which you will need later:

  • Entity ID
  • Assertion Consumer Service URL


Go to Okta, navigate to Applications, and click Create App Integration.

Choose SAML_2.0

Name your app, upload a logo, and click Next.

Fill out the SAML Settings as follows:

  • Single Sign on URL - Assertion Consumer Service URL (from earlier)
  • Audience URI (SP Entity ID) - Entity ID (from earlier)
  • Default RelayState - Enter "/"
  • Name ID format - Choose "Unspecified"
  • Application username - Choose "Email"

Attribute Statements:

  • Name - Enter "email"
  • Name format - Choose "Unspecified"
  • Value - Choose "user.mail"

Okta may ask for your feedback.

Once you have created the new app, open its SAML configuration under the Sign-on tab.

Take note of the following information which you will need later:

  • Identity Provider Single Sign-On URL
  • Identity Provider Issuer
  • Download certificate

In the GoodAccess Control Panel, copy these details as follows:

  • Sign in URL - Identity Provider Single Sign-On URL
  • Entity ID - Identity Provider Issuer
  • X509 Signing certificate - upload certificate


And you’re done. You can now connect with Okta SSO.

