Suggested authentication and member management structure
When using the Networked Enterprise Edition, we recommend that customers use an IdP for user authentication in combination with the ILST for managing membership (syncing from an AD). It is also recommended that each spoke site uses its own Directory, ILST, and authentication method (e.g. an IdP).
How it works
Using these two tools, a user's membership is synced directly to their spoke, and users must authenticate with their spoke before they can access (i.e. log in to) the hub. Some content creators and administrators may be given credentials to sign in directly to the hub in order to manage enterprise-wide collaborative resources.
Creating a session
Signing in to either the hub or a spoke site creates an Igloo Session. With an active session, the user can navigate to other workplaces within the Networked Enterprise without signing in again. Access levels and membership still control what the user can see and do in the hub and in each spoke site.
|Playbook Tip: Avoid syncing membership with the hub|
Syncing members directly to the hub using the ILST should be avoided. Pointing multiple ILSTs at a single workplace can cause conflicts in which members are repeatedly added or removed as each sync overwrites the other. This is avoided by using a separate ILST sync for each spoke. With spoke-specific member syncing, a user revoked from a spoke is only removed from that spoke. The user still needs to be removed from the hub separately if they are no longer part of the networked enterprise.
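The tip above describes two membership failure modes worth checking for: churn when two syncs compete for one workplace, and hub accounts left behind after a spoke-level revocation. The following script is an added example, not Igloo's own code or API; it models the ILST, hub and spoke directories as plain Python sets built from constructed sample data, and the exemption list for administrators who legitimately hold direct hub credentials is an assumption of this example.

```python
"""Membership reconciliation checks for a hub-and-spoke workplace layout.

Added example; not Igloo's own code or API. The ILST, hub and spoke
directories are modelled as plain Python sets built inline from constructed
sample data, so the script runs offline.
"""

from dataclasses import dataclass, field


@dataclass
class Workplace:
    """A hub or spoke with its current member list (constructed, not read from Igloo)."""
    name: str
    members: set[str] = field(default_factory=set)


def apply_sync(target: Workplace, source_members: set[str]) -> tuple[set[str], set[str]]:
    """Replace the target's membership with the sync source's view.

    Models a directory sync that treats its source as authoritative for the
    target workplace. Returns (added, removed) so the change can be logged.
    """
    added = source_members - target.members
    removed = target.members - source_members
    target.members = set(source_members)
    return added, removed


def competing_sync_churn(sources: list[set[str]]) -> set[str]:
    """Users that two or more syncs targeting the same workplace disagree on.

    Each run of one sync removes the other sync's users and re-adds its own,
    so every user outside the sources' common intersection flips in and out
    on every cycle. This is the conflict the playbook tip warns about.
    """
    if not sources:
        return set()
    union = set().union(*sources)
    common = set.intersection(*sources)
    return union - common


def orphaned_hub_members(hub: Workplace, spokes: list[Workplace],
                         exempt: set[str] = frozenset()) -> list[str]:
    """Hub members who no longer belong to any spoke.

    A spoke-level revocation only removes the user from that spoke; this check
    surfaces accounts that still hold hub access afterwards. `exempt` (an
    assumption of this example) lists administrators who sign in to the hub
    directly and are expected to have no spoke membership.
    """
    in_any_spoke = set().union(*(s.members for s in spokes))
    return sorted(hub.members - in_any_spoke - set(exempt))


def demo() -> dict:
    # Constructed sample data: two spokes, each synced from its own directory.
    finance = Workplace("finance-spoke", {"alice", "bob"})
    engineering = Workplace("eng-spoke", {"carol", "dave"})
    hub = Workplace("hub", {"alice", "bob", "carol", "dave", "erin"})
    hub_admins = {"erin"}  # holds direct hub credentials; no spoke membership

    # Offboard bob through the finance ILST; the hub is untouched by this sync.
    apply_sync(finance, {"alice"})
    orphans = orphaned_hub_members(hub, [finance, engineering], exempt=hub_admins)

    # What would happen if both spoke ILSTs were pointed at the hub instead:
    churn = competing_sync_churn([finance.members, engineering.members])
    return {"orphans": orphans, "churn": sorted(churn)}


if __name__ == "__main__":
    print(demo())
```

Running the script reports `bob` as an orphaned hub member (revoked from finance but still in the hub) while `erin` is skipped as an exempted hub administrator; the churn set shows that every user the two sources disagree on would be toggled each sync cycle if both syncs targeted the hub.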