Recent Searches

No recent searches

    Popular Articles

      Articles
      View all
        Topics
        View all
          Tickets
          View all
            no results

            Sorry! nothing found for

            SSO Configuration and Conversion Process

            Modified on Tue, Dec 19, 2023 at 6:12 PM

            OVERVIEW


            This document describes the process in which DigTix provides access to users based on an SSO identity provider (such as Microsoft Active Directory), how that access can be configured by DigTix administrator users, and the process for converting existing users from the default password digest authentication method into an SSO authenticated user.



            BEFORE SSO INTEGRATION


            SSO integration with DigTix requires two pieces of information to be sent from the identity provider to DigTix:

            1. A unique identifier for the user. It is *highly* recommended that this is the user's email address. This will be referred to as the "SSO User Key" going forward.
            2. A piece of information which will be used to determine the default permissions / access the user has within DigTix, such as a title ("Field Supervisor 2") or group name ("app.digtix.fieldsupervisor"). This will be referred to as the "SSO Permission Key" going forward.


            In addition to these two required fields, several optional pieces of information may be provided:

            1. The first name of the user.
            2. The last name of the user.
            3. The email address of the user (if it is not already being sent as the SSO User Key).
            4. The phone number of the user.
            5. A unique identifier for the manager of the user, such as the user's manager's email address.


            Once these fields are determined, DigTix personnel will work with the appropriate IT personnel to configure the mapping of this data between the identity provider and the DigTix SSO system. After the mapping of SSO data is completed, users may begin logging into DigTix via SSO. When a user logs into DigTix via SSO, there are three scenarios:


            Scenario 1: Brand New User


            If the user has never accessed DigTix before, a new user account is created using the information that was mapped and sent from the identity provider to DigTix. Permissions and configuration are determined based on the user's SSO Permission Key and the configuration of the "SSO Permissions" section of the DigTix administration page. See below for more information on the "SSO Permissions" section.



            Scenario 2: Existing User's First SSO Login


            If the user has accessed DigTix before using password digest authentication, the user is automatically put through a process that converts the user into an SSO-enabled account. This conversion process is explained in more detail below.



            Scenario 3: Existing User's Subsequent SSO Login


            If a user who has logged into DigTix via SSO logs into DigTix again via SSO, they are granted access, provided that their SSO Permission Key is still configured in the "SSO Permissions" section of the DigTix administration page. See below for more information on the "SSO Permissions" section.




            SSO PERMISSIONS DEFAULT CONFIGURATION


            An SSO Permission is a directive on how to treat each of the SSO Permission Keys that could be sent by the identity provider. In the case of Microsoft's Active Directory system, users may be set up to belong to an AD group which then maps to an SSO Permission record within DigTix. 


            Taking the configuration shown in Figure 1 as an example, we will assume a user belonging to the AD group "app.digtix.fieldlocator" logs into DigTix for the first time. The user's DigTix profile will be set up with the settings specified in the "app.digtix.fieldlocator" entry. More specifically:


            User Type = Strict View

            Manager = manager1

            Is Field User = true

            Is Hourly = true

            Team = Field Locators
            Permission Group(s) = Utility Locator




            Figure 1: SSO Permissions List





            Figure 2: SSO Permission Entry (Default Values)



            If the user account already exists within DigTix, their configured profile will not change. The settings listed under the SSO Permissions entries are only defaults for new users accessing DigTix for the first time.


            If our example user should be revoked access to DigTix through SSO, the "app.digtix.fieldlocator" group should be removed from their account in Active Directory. Alternatively, you can remove access from the entire AD group by deleting the corresponding SSO Permission entry within DigTix.



            SSO USER ACCOUNT CONVERSION


            More information here soon!




            Was this article helpful?

            That’s Great!

            Thank you for your feedback

            Sorry! We couldn't be helpful

            Thank you for your feedback

            Let us know how can we improve this article!

            Select at least one of the reasons
            CAPTCHA verification is required.

            Feedback sent

            We appreciate your effort and will try to fix the article

            Preview
            0 of 0