Single Sign On (SSO) addresses the challenge of having a different login for each of the systems your members access, unifying them with a single set of credentials. It makes it easier for members to access your digital workplace, letting them skip over the login and get straight to work. SSO has become more and more popular with clients over the last several years, as the architecture of larger organizations shifts to support it. 

Igloo supports Single Sign On through SAML 2.0, which is the language the platform uses to communicate with Identity Providers. Members log in to the Identity Provider, which passes their session (but never their password) over to compatible services, giving them a seamless login experience as they move from platform to platform. 

Identity Providers

Your Identity Provider (IdP) is the service that manages your members identities and passes them to various services. These can be integrated into on prem directory solutions, or in the cloud. Some examples of SAML 2.0 compatible Identity Providers are: 

• Active Directory Federated Services (ADFS)
• Azure Single Sign On
• Google SSO
• Okta

If you're already using one of these IdPs to handles authentication, adding Igloo to that service is an easy process. 

SSO and sessions

Sessions determine how long your login lasts. Igloo sessions can be configured from the Sign In Settings area of the Control Panel. They can be as short as a minute, or as long as thirty days. 

One of the side effects of integrating with an Identity Provider is that it introduces a second session into people's Igloo experience. Logging into an IdP like Google creates a session with Google, and as long as that session is active, you won't have to log into your Igloo. Instead, your session with Google will send an assertion to Igloo to create an Igloo session. 

For people concerned with login security, it's important to maintain firm control over the times of both sessions. Otherwise your members might find themselves in situations where their IdP session has expired but their Igloo session is still active, or vice versa. The best practices here is to keep them the same, or to have the Igloo session be shorter than the IdP session. That way it's always the IdP in charge of session control. 

SSO and integrations

One of the most common questions we get is about how SSO interacts with various integrations. When activating an integration for the first time, members have to sign in and authorize the Igloo connector to access the information they need. Whether or not they can skip the sign in through SSO depends on the answer to a few questions. 

• Does the service you're integrating with support SSO through that method? 
• Is your Identity Provider set up to manage both Igloo and the integrated service? 

If the answer to both of those is yes, you're in business. People with active IdP sessions will skip the login and be able to authorize it directly. it saves them a bit of time and a few clicks, which can decrease the friction in that area of your digital workplace. Services like Office 365 and Google support this feature out of the box. 

Unifying logins through SSO can save people a lot of time when navigating your application ecosystem, as well as giving you a central place to manage members' identities. 

If you have questions about the Igloo platform, workflows, or best practices, you can leave a comment here, or ask a question in the Community area.