Planning a Single Sign-On implementation
Before implementing SSO, it is important to choose a specific implementation path from several options.
First, decide whether to implement SAML only or SAML with automatic login. See the related SAML and Automatic SSO articles for more information.
After deciding on your SSO implementation method, send the SAML XML file containing your identity provider's federation metadata to the Pega Workforce Intelligence Service Delivery Team. Service Delivery enables SAML in your Workforce Intelligence cloud environment and provides a URN (the service provider entity ID) and an Assertion Consumer Service (ACS) URL, which you add to your identity provider configuration.
The SAML XML file is uploaded to the AWS Cognito authentication service and establishes the basis of trust with the identity provider, which is responsible for sending the assertion. In particular, the signing certificate in the metadata is what the service provider uses to verify assertion signatures, so the file must contain the identity provider's current signing certificate and must be resent whenever that certificate is rotated. Every SAML identity provider can export this metadata file.
You also need to decide whether you want to create the application users before or after you set up SSO. Review the following tips to help with your decision:
- If users are created before logging in: the user record already exists, so a user who authenticates at your identity provider is signed in to Workforce Intelligence directly.
- If users are not created before logging in: on their first sign-in attempt, users are added to the Application Users tab and shown a message telling them to have an administrator assign them roles. You can then see the users in the Application Users tab and assign roles and access. On their next sign-in attempt, SSO completes.
- If a user is inactive: the user receives a message that they were not recognized.
- If a user is set up for SSO and the SSO process does not complete (for example, the login times out): the user sees a button for their SSO option, which they can click to try again.
For SSO users, the Reset/Resend links are no longer displayed in the Edit User portal, and the Forgot password email is not sent when the user attempts to change their password.
- Automatic SSO: You can implement SSO to automatically sign in web portal users who have already been authenticated by your company's configured SSO.