Authentication Configuration

Maegan Morrison

There are three levels to Single Sign-On (SSO) integration in AnswerRocket:
1. Authentication
2. Account Creation
3. Permissions

Each level builds upon the previous one to provide a comprehensive SSO experience.

 

Level 1: Authentication

At this level, SSO is used solely for authentication. If a user has an existing account in AnswerRocket and their SSO email matches their AnswerRocket email, they are authenticated and granted access to the product.

Process:
1. User attempts to log in via SSO.
2. The system checks if the user's SSO email matches an existing AnswerRocket account email.
3. If a match is found, the user is authenticated and allowed to access the product.

 

Level 2: Account Creation


In addition to authentication, this level allows for automatic account creation. If a user does not already exist in AnswerRocket but successfully authenticates via SSO, an account is created for them. Initially, they have minimal permissions.

Process:
1. User attempts to log in via SSO.
2. If no existing AnswerRocket account matches the SSO email, a new account is created.
3. The new user is granted access but is restricted to basic permissions (e.g., access to Chat) and is placed in the "Everyone" group.

 

Level 3: Permissions


This level enhances the integration by mapping Identity Provider (IdP) group assignments to AnswerRocket permissions and groups. User permissions and group assignments are dynamically adjusted based on their IdP group memberships.

Process:
1. User logs in via SSO.
2. The system retrieves the user's IdP group assignments.
3. IdP groups are mapped to AnswerRocket permissions and groups according to predefined mappings.
4. The user is assigned the cumulative rights and group memberships based on all their IdP groups.
5. Any manual changes made through the AnswerRocket UI are overwritten upon each SSO sign-in.

 

Authentication: Ensures users with matching emails in SSO and AnswerRocket are authenticated.
Account Creation: Allows for automatic account creation for users passing SSO, with basic permissions.
Permissions: Dynamically assigns permissions and groups based on IdP group memberships, ensuring comprehensive and consistent user management.

This structured approach ensures seamless and secure access management within AnswerRocket, leveraging the full capabilities of SSO.
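
The three levels can be modeled as one sign-in routine. This is an added illustration, not AnswerRocket code: the mapping table, the group and permission names, the exact-match email comparison, and keeping the "Everyone"/Chat baseline at Level 3 are all assumptions.

```python
from dataclasses import dataclass, field

# Constructed mapping (hypothetical names): IdP group -> (groups, permissions).
GROUP_MAP = {
    "idp-analysts": ({"Analysts"}, {"view_dashboards"}),
    "idp-admins": ({"Admins"}, {"manage_users"}),
}
# Baseline from Level 2: the "Everyone" group with basic (Chat) access.
BASE_GROUPS, BASE_PERMS = frozenset({"Everyone"}), frozenset({"chat"})


@dataclass
class Account:
    email: str
    groups: set = field(default_factory=lambda: set(BASE_GROUPS))
    permissions: set = field(default_factory=lambda: set(BASE_PERMS))


def sso_sign_in(accounts, email, idp_groups, level):
    """Model one SSO sign-in at integration level 1, 2 or 3.

    accounts maps email -> Account. Returns the Account, or None if refused.
    """
    account = accounts.get(email)  # Level 1: exact email match (assumption)
    if account is None:
        if level < 2:
            return None  # Level 1 only: no matching account, no access
        account = accounts[email] = Account(email)  # Level 2: auto-create
    if level >= 3:
        groups, perms = set(BASE_GROUPS), set(BASE_PERMS)
        for name in idp_groups:  # unmapped IdP groups grant nothing
            mapped_groups, mapped_perms = GROUP_MAP.get(name, ((), ()))
            groups.update(mapped_groups)
            perms.update(mapped_perms)
        # Recomputed state replaces whatever was set by hand in the UI.
        account.groups, account.permissions = groups, perms
    return account


if __name__ == "__main__":
    accounts = {"alice@example.com": Account("alice@example.com")}
    print(sso_sign_in(accounts, "bob@example.com", [], level=1))  # refused
    print(sso_sign_in(accounts, "bob@example.com", [], level=2))  # created
    alice = sso_sign_in(accounts, "alice@example.com",
                        ["idp-analysts", "idp-admins", "idp-unknown"], level=3)
    print(sorted(alice.groups), sorted(alice.permissions))
    alice.permissions.add("manage_billing")  # manual change in the UI
    alice = sso_sign_in(accounts, "alice@example.com", ["idp-analysts"], level=3)
    print(sorted(alice.permissions))  # manual grant and admin rights are gone
```

The last sign-in shows the Level 3 behavior that matters for access reviews: rights follow IdP group membership on every login, so both a removed IdP group and a manual grant made in the UI disappear at the next sign-in.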

 

Configuring SSO

From the Admin Tools, the default page is Authentication Configuration. This is where you will manage and configure your SSO (single sign-on) options.

Here you can enable or disable AnswerRocket Authentication or Google Authentication.


Click on an authentication method to open its configuration options.


You can also add or edit SSO and LDAP authentication configurations under their respective sections.


For more information on setting up an Azure SSO configuration, click here.

 

If you would like to edit SSO group mappings, you can click on an existing SSO configuration and visit the SSO Groups tab. Here you can add, edit, and view mappings between SSO groups and AnswerRocket groups and roles.


Please Note: SSO group mappings are currently configured globally, even though they are located under individual SSO configurations. This may be addressed in future iterations. It also means you need at least one saved SSO configuration before you can begin editing group mappings.
