This article assumes that you understand the basics of single sign-on (SSO). This SSO Wikipedia page may be helpful to read, but for this article it's important to understand that SSO allows authentication of a person on one site to be used to authenticate that same person on another site. This is commonly found on sites that show on their login page that people can "Login with Google". The site has a secured and trusted "partnership" with Google, such that if Google says "yes, this person is who they say they are", the site will believe them.
eSPACE has implemented a single sign-on standard called SAML 2.0 (Security Assertion Markup Language), about which you can read more on this Wikipedia page. In doing so, eSPACE can be configured to integrate with SAML 2.0 Identity Providers (IdP) who will, in turn, vouch for a user's identity, and eSPACE will believe it. For this to work, there is a little bit of setup that must take place in your eSPACE account and your IdP account. Although the SAML 2.0 standard is fairly consistent between IdPs, the setup process tends to be slightly different. In other articles listed below, we describe the steps needed to set up for a couple specific IdPs)
IdP Users vs. eSPACE Users
It's important to understand that a user account in eSPACE may be connected to a user account in your IdP, and they (hopefully) represent the same person, but they are not same account. Deleting an account in IdP will NOT delete the account in eSPACE (nor vice versa). In fact, even just suspending an account your IdP won't suspend the account in eSPACE. What this will do is keep the person from being able to log in to eSPACE via IdP. If you have configured your SSO settings in eSPACE to only allow users to log in via SSO (and not permit login via the regular eSPACE login page), this will essentially allow you to use your IdP to regulate who can get into eSPACE. Thus, if someone needs to be removed or suspended in your IdP and the user should no longer have access to eSPACE, the administrator should either log in to eSPACE and delete/deactivate their account there, or ensure their SSO settings in eSPACE are configured to require all logins to go through SSO.
"Assigning" IpD User to eSPACES
Most IdPs allow users to be managed - specifically to be granted or denied access to connected applications. Once your organization's eSPACE and IdP accounts are connected, you may need to assign your IdP users to be able to access eSPACE (in your IdP's admin console). If you've used an IdP before, this should be familiar to you. Here is a screenshot of how this looks in an IdP called Okta.
In this example, Okta users not assigned to the eSPACE application cannot get in to eSPACE via Okta authentication. However, if they have an eSPACE account already, they may bypass this by logging in to eSPACE directly, as noted in the "IdP Users vs. eSPACE Users" section above.
Accessing eSPACE Via Your IdP
There are two ways assigned users will be able to access eSPACE through your IdP. The first is from the IdP itself. As an assigned user, the eSPACE application will appear on the IdP site and they simply need to click it to be automatically logged in. This screenshot shows what this looks like in Okta.
If your organization is using Okta with other applications, this dashboard will likely have several other applications showing.
The other way users can get logged in to eSPACE is by clicking the "Log in with Single Sing On" link on the eSPACE login page. Doing so will take them to a page where they need to enter their email address. This is necessary because eSPACE needs to know with which IdP-connected organization the user is associated. Once identified, the user's browser is directed to the appropriate IdP account. If the IdP recognizes the user (which it should if the user has a persistent session with the IdP), AND the user is assigned to the eSPACE application, then the IdP will log the user into eSPACE, and they will land on their eSPACE dashboard. If the IdP does not recognize them, it will present them the IdP's login page. Once they log in there, the IdP will see if they are assigned to the eSPACE application, and log them in to eSPACE accordingly.
There actually is a third way users could access eSPACE via SSO. On the IdPs SSO Setup page, once the setup is complete, there is likely a link that users can save and bookmark. The link points to a special page on eSPACE that will log them in via SSO, but not require them to enter their email address. Admins are welcome to share this link with their team, if they wish.
If an IdP user is not assigned to eSPACE, they will not see the eSPACE application in their IdP's application, so they will not be able to simply click it to get logged in. If the user tries to access eSPACE via the Log in with SSO link or using the special link, the IdP will fly a message telling the user they do not have access to the eSPACE. However, as mentioned above, the user may still have an active account in eSPACE, and may be able to login using their email address and eSPACE password (or the Forgot Password link).
Assigning New IdP Users to eSPACE
When you assign a user (in your IdP) to the eSPACE application, it is their email address serves as the identifying information between both systems. If the user has an eSPACE account already, and their email address in both system are the same, they will be able to log in to their existing eSPACE. However, if they do not have an eSPACE account, a new eSPACE user account may be provisioned depending on this setting on the eSPACE SSO Setup page:
The first option will simply put the user at a long page telling them they don't have an eSPACE account to log into, and that they should contact their admin for further assistnace.
The second option will trigger the following chain of events.
- eSPACE creates a new account for them, essentially cloning all the settings and permissions of the model user selected below the 3rd option. Billing Contact permission will never be granted to the new user in the cloning process (but it can be manually added later). Also, the "Employee ID" field will not be cloned to the new user.
- The new account is set to "inactive"
- An email is sent to the Integration Admin (as defined on the eSPACE SSO Setup page) letting them know that a new eSPACE account has been created but needs them to enable it and set up the permissions and roles.
- The user trying to access eSPACE for the first time is notified with an on-screen message saying their account has been created, but that an eSPACE admin needs to enable it before they can log in.
The third option is similar to the second, but step 2 will be to simply log the user in immediately (and there are no steps 3 and 4).
Keep in mind, if the user already has an eSPACE account with a different email address, eSPACE will not know this is the same user, and a new eSPACE login account will be created for them (with the steps above).
NOTE: Only eSPACE Admins can get to the SSO Integration Setup page in eSPACE
If you have any questions, please feel free to create a support request to ask. We'll be happy to answer and assist.