SSO - Enabling and using single sign-on

Using single sign-on within foundU

Single sign-on (SSO) is an authentication method that allows a user to log in to several independent software systems with one login identity, held and verified by an identity provider (ID provider).

If you currently use a single sign-on provider in your business, you may want to set it up to access foundU.

If you don't currently use SSO, you may want to consider it. Its benefits include:

  • Users can access their applications and software systems faster
  • Your admins won't have to memorise a separate password for each system, including foundU
  • Centralised user management across all systems for an employer, which allows a user to be deactivated across multiple software systems at once.

This image illustrates how SSO simplifies authentication across multiple software systems.

If you use Microsoft Azure as your ID provider, you are ready to set this up, as foundU is available on the Azure Marketplace. Use the link to help you interpret the information needed to configure Azure.


If your system admin requires further assistance, there is also this Azure tutorial.

Enabling SSO on your platform

Before you start

SSO will most likely be implemented in your business by a System Admin or a similar role. To begin the SSO process, navigate to Platform Settings > Single Sign-on.

To begin SSO setup and allow users to sign in using an ID provider, follow the basic process below:

  • Enabling the SSO toggle on your platform.
  • Providing the foundU values (in the foundU Settings section) to your ID provider.
  • Entering the unique identifiers from your ID provider in the Identity Provider Settings section.
  • Choosing the Direct Login configuration that best suits your business.
  • Entering single sign-on emails for your employees.


Begin your SSO setup

To begin your Single Sign-On setup:

  1. Under General, slide the 'Enable Single Sign-on' toggle to 'Yes'.
  2. Review the foundU Settings section. These values are pre-populated with your platform information; they are what you give to your ID provider to configure your unique setup:
    • Identifier or Entity ID
    • Reply URL
    • Logout URL
    • For more information on each of these, hover over the 'i' tooltip.
  3. Enter the values from your chosen ID provider into the Identity Provider Settings section:
    • Entity ID
    • SSO Service URL
    • SSO Logout Service URL
    • User Access URL
    • X509 Certificate: upload a PEM-formatted file containing your ID provider's signing certificate. This is the public certificate foundU uses to verify the sign-in responses your ID provider sends; it is not your own TLS certificate and must never contain a private key.

Once complete, save the changes in the Task Bar at the bottom of the page. If a value is incorrect, you will receive an error from your ID provider (e.g. Microsoft).

After SSO is set up, you will need to address the Direct Logins configuration section and then assign single sign-on emails to your employees.
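The Entity ID, SSO Service URL, SSO Logout Service URL and X509 certificate requested in step 3 are the standard elements of an ID provider's SAML 2.0 federation metadata document, which most providers (Azure included) let you download. The script below is an added example, not foundU's or Microsoft's code: it parses such a metadata document, picks out those values, skips certificates marked for encryption only, and converts the signing certificate to the PEM format foundU asks for. The metadata document and its certificate bytes are constructed placeholders; a real document carries a base64-encoded X.509 certificate in the same place.

```python
"""Pull the Identity Provider settings foundU asks for out of an ID provider's
SAML 2.0 metadata and write the signing certificate as a PEM file.
Added example, not foundU code. SAMPLE_METADATA below is constructed."""
import base64
import hashlib
import ssl
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed stand-in for the DER bytes of the IdP's signing certificate.
FAKE_DER = b"constructed placeholder, not a real X.509 certificate"

SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="https://idp.example.com/saml/metadata">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>
          %s
        </ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>AAAA</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                         Location="https://idp.example.com/saml/logout"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                         Location="https://idp.example.com/saml/sso"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                         Location="https://idp.example.com/saml/sso"/>
  </IDPSSODescriptor>
</EntityDescriptor>
""" % base64.b64encode(FAKE_DER).decode()


def _location(idp, element, binding):
    """Location of the first <element> endpoint advertised with this binding."""
    for svc in idp.findall(MD + element):
        if svc.get("Binding") == binding:
            return svc.get("Location")
    return None


def fingerprint_sha256(der):
    """SHA-256 fingerprint of the DER certificate, to compare with the IdP portal."""
    return hashlib.sha256(der).hexdigest()


def pem_to_der(pem):
    """Inverse of the PEM wrapping, used to check the written file round-trips."""
    body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    return base64.b64decode(body, validate=True)


def parse_idp_metadata(xml_text):
    root = ET.fromstring(xml_text)
    if root.tag != MD + "EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find(MD + "IDPSSODescriptor")
    if idp is None:
        # An SP's own metadata has SPSSODescriptor instead; wrong document.
        raise ValueError("no IDPSSODescriptor: this is not ID provider metadata")

    # Only signing keys verify sign-in responses; a missing 'use' means both.
    certs = []
    for kd in idp.findall(MD + "KeyDescriptor"):
        if kd.get("use", "signing") != "signing":
            continue
        for c in kd.iter(DS + "X509Certificate"):
            certs.append("".join((c.text or "").split()))
    if not certs:
        raise ValueError("metadata lists no signing certificate")
    # During IdP key rollover two signing certs may be listed; report the count
    # so the admin confirms with the IdP which one is active before uploading.
    der = base64.b64decode(certs[0], validate=True)
    return {
        "entity_id": root.get("entityID"),
        "sso_service_url": _location(idp, "SingleSignOnService", HTTP_REDIRECT)
        or _location(idp, "SingleSignOnService", HTTP_POST),
        "sso_logout_service_url": _location(idp, "SingleLogoutService", HTTP_REDIRECT),
        "signing_cert_pem": ssl.DER_cert_to_PEM_cert(der),
        "signing_cert_sha256": fingerprint_sha256(der),
        "signing_cert_count": len(certs),
    }


if __name__ == "__main__":
    cfg = parse_idp_metadata(SAMPLE_METADATA)
    for key in ("entity_id", "sso_service_url", "sso_logout_service_url",
                "signing_cert_sha256", "signing_cert_count"):
        print(f"{key}: {cfg[key]}")
    with open("idp-signing.pem", "w") as f:   # the file to upload as X509 Certificate
        f.write(cfg["signing_cert_pem"])
```

Before uploading, compare the printed SHA-256 fingerprint with the one shown in your ID provider's portal, and treat a count of two signing certificates as a sign that the provider is rotating keys. The User Access URL has no metadata counterpart and still comes from the provider's portal.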


Choosing your direct login configurations

In this section, you specify which email domains must use SSO as their only login option, so that your employees actually use what you have set up for them.

To begin Direct Login configurations:

  1. In the first box, list all the domains that must use SSO exclusively to log in.
    • Listing a domain here blocks direct (email and password) login for every user with an email at that domain.
    • Separate multiple domains with commas so the field does not error.
      • For example, we have multiple businesses, so we have listed getstrongclinic.com.au, healthfactory.com.au
      • In our example, anyone with a getstrongclinic.com.au or healthfactory.com.au email can log in only via SSO.
  2. Once complete, save the changes in the taskbar.

Please note: Users whose domains are not listed in the box can still log in via email and password as they have in the past, so check that every employee's login domain is covered.
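Because an unlisted domain silently keeps password login, it is worth auditing your employee list against the domain box before relying on it. The script below is an added example, not foundU code: it parses the comma-separated list exactly as typed into the box and reports which constructed employees would be forced through SSO and which would not. It assumes foundU compares the listed domains exactly against the domain part of the login email (so a subdomain is not covered by its parent); confirm that assumption with a test account on your own platform.

```python
"""Audit which logins the Direct Login domain list forces through SSO.
Added example, not foundU code. Assumes exact domain matching (verify on
your platform); the employee list is constructed."""


def parse_sso_domains(box_text):
    """Parse the comma-separated Direct Login box: trim whitespace, lowercase,
    drop empty entries and a stray leading '@' or trailing '.'."""
    domains = set()
    for raw in box_text.split(","):
        d = raw.strip().lower().lstrip("@").rstrip(".")
        if d:
            domains.add(d)
    return domains


def email_domain(email):
    """Domain part of an email address, normalised; None if malformed."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain:
        return None
    return domain.lower().rstrip(".")


def audit_direct_login(employees, box_text):
    """Split (name, email) pairs into those blocked from password login
    (SSO enforced) and those who can still log in directly."""
    sso_domains = parse_sso_domains(box_text)
    enforced, still_password = [], []
    for name, email in employees:
        if email_domain(email) in sso_domains:
            enforced.append((name, email))
        else:
            still_password.append((name, email))
    return enforced, still_password


# Constructed sample data; the box text is the page's own example.
DIRECT_LOGIN_BOX = " getstrongclinic.com.au, healthfactory.com.au "
EMPLOYEES = [
    ("Sam", "sam@GetStrongClinic.com.au"),     # listed domain, different case
    ("Alex", "alex@healthfactory.com.au"),      # listed domain
    ("Jo", "jo@mail.healthfactory.com.au"),     # subdomain: not an exact match
    ("Pat", "pat@gmail.com"),                   # personal address, not listed
    ("Broken", "not-an-email"),                 # malformed: cannot match anything
]

if __name__ == "__main__":
    enforced, still_password = audit_direct_login(EMPLOYEES, DIRECT_LOGIN_BOX)
    print("SSO enforced:", [e for _, e in enforced])
    print("Password login still possible:", [e for _, e in still_password])
```

Anyone in the second list either needs their domain added to the box or needs a login email on a listed domain.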


Disabling MFA

Please consider disabling MFA with extreme caution, as it protects your employees' financial and personal information.

 Warning: The only time you should disable MFA is if you are using an SSO ID provider that has MFA enabled.

To decide, please consider:

  • When you disable MFA in foundU,
    • Anyone who uses SSO to log in to foundU will not be asked for MFA by foundU, so your ID provider must enforce MFA itself.
    • Anyone who logs in to foundU directly (using their email and password) will still need to enter their MFA code.
  • When MFA remains enabled,
    • All users continue to use MFA to log in to your foundU platform; this is the most secure option.

After you have considered the above precautions, if you would like to disable MFA:

  1. Navigate down to the Direct Login section.
  2. Slide the toggle that disables MFA to 'Yes'.
  3. Save the unsaved changes in the taskbar.

It is now time to assign SSO email addresses to your employees' profiles so they can start using SSO.

Employee SSO emails

Once SSO is activated on your platform, you need to specify a single sign-on (SSO) email for every employee who will use it. This is the address foundU matches against the identity sent by your ID provider, so it must be the address the employee signs in with at that provider; it is used for single sign-on only.

To assign SSO emails to your employees:

  1. Navigate to the Employee Profile > Employee Card > Details.
  2. Click the Edit pencil.
  3. In the modal, select the Contact Details tab.
  4. Enter the SSO email.
    • Both the primary and the SSO email address must be unique across all employees.
    • You will only see the SSO email field if SSO has been enabled on your platform.
  5. Save your changes.

  Please note: Employees cannot change their own SSO emails.