Making sure your users only use federated single sign-on to authenticate

Updated by Katy Harrison

Advanced Single Sign-on (Advanced SSO) includes a configuration option called federated only that you can set for your organisation or for individual users.

What does Federated only mean?

When the federated only option is enabled, users are restricted to logging in only through an SSO federation that you have set up for your organisation. That means they can't also log in using a username and password provided by Advanced SSO.

Why should I enable federated only?

We recommend that organisations using federated SSO should be set to federated only.

Using the federated only option means authentication is fully controlled within your federated identity provider. Disabling a user in your federation then means they have no way to log into the application.

Not using the federated only option increases the security risk for your organisation, as leaver accounts will have to be disabled in two systems to prevent access to Advanced applications. If a user has left your organisation and was only disabled in the federation, they would still be able to log in to applications with Advanced SSO credentials.

Even when users are federated only, we still advise that you disable or delete the user within Advanced SSO as well as the federation when they leave your organisation.

Federated only setting for organisation

When the Federated only option is turned on for an organisation, all existing users will be updated to be federated only. Any new users created will be federated only as the default, unless manually overridden.

You can still turn this setting off for individual users from the Edit user screen or within User import.

When federated only is on, users are restricted to logging in only through an SSO federation that you have set up for your organisation. That means they can't also log in using a username and password provided by Advanced SSO.

Federated only setting for users

You can manage the federated only option in a few places:

  • For new users - when creating a new user from the Add user screen
  • For existing users - on the User details tab on the Edit user screen
  • For bulk creating or editing users - user import

When creating new users from Add user / Edit user

If federated only is enabled for your organisation, when creating new users you will notice that the Federated only option will already be turned on.

You will be able to turn this setting off. If turned off, the individual user will be able to log in with either their federated account credentials or with Advanced SSO credentials. See the different login flows below.

When creating new users with the user import

When using the user import to create new users, if you leave the 'Federation login only' column in the template blank, the users will be created as federated only.

You can enter N or False in that column to create the users with this setting turned off.

If you enter Y or True into the 'Requires MFA' column, the users will be created with Requires MFA turned on and Federated only turned off. This is because Requires MFA refers to multi-factor authentication provided by Advanced SSO. It is not possible for users to use Advanced SSO MFA while federated only as their authentication is provided by the federation.
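The following is an added example, not the product's own import code: it models how the 'Federation login only' and 'Requires MFA' template columns described above are resolved for each row. The accepted spellings (Y/True, N/False, any case), the 'Email' column name and the organisation-level default are assumptions.

```python
import csv
import io
from dataclasses import dataclass

TRUE_VALUES = {"y", "true"}
FALSE_VALUES = {"n", "false"}


def parse_flag(cell: str, default: bool) -> bool:
    """Map a template cell to a boolean; a blank cell takes the default.
    Assumption: Y/True and N/False are accepted case-insensitively and
    anything else is rejected rather than silently treated as false."""
    value = (cell or "").strip().lower()
    if value == "":
        return default
    if value in TRUE_VALUES:
        return True
    if value in FALSE_VALUES:
        return False
    raise ValueError(f"unrecognised flag value: {cell!r}")


@dataclass
class ImportedUser:
    email: str
    federated_only: bool
    requires_mfa: bool


def resolve_import_row(row: dict, org_federated_only: bool = True) -> ImportedUser:
    """Apply the rules on this page: a blank 'Federation login only' cell
    inherits the organisation default (federated only when the organisation
    setting is on), and 'Requires MFA' = Y/True forces federated only OFF,
    because Advanced SSO MFA cannot be used by a federated only user."""
    requires_mfa = parse_flag(row.get("Requires MFA", ""), default=False)
    federated_only = parse_flag(row.get("Federation login only", ""),
                                default=org_federated_only)
    if requires_mfa:
        federated_only = False
    return ImportedUser(row["Email"], federated_only, requires_mfa)  # 'Email' column is assumed


def import_users(csv_text: str, org_federated_only: bool = True) -> list:
    """Resolve every row of a template exported as CSV (constructed input)."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [resolve_import_row(row, org_federated_only) for row in reader]
```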

Turning off federated only for individual users

We have provided functionality to disable the federated only option for individual users because you may need to allow a small number of users access without a federated account. For example, to give Advanced consultants and support staff access to your system. You can create users that can use Advanced SSO credentials even when the organisation has federated only turned on.

If you turn off federated only for users, they will be able to log in using Advanced SSO credentials. As they will not have a password, they will need to select 'Forgot password' on the login page in order to set a password for their account.

Restrictions for federated only users

A few configuration settings within Advanced SSO that relate to passwords and multi-factor authentication are restricted for federated only users. These are found on the Edit user page.

Requires MFA

'Requires MFA' is a setting that enforces the use of multi-factor authentication provided by Advanced SSO.

It is not possible to turn on 'Requires MFA' for federated only users. This is because authentication is handled by the federation that the user is using to log in rather than by Advanced SSO. These users will not be able to progress through the Advanced SSO authentication screens. In the login flow section below, you can see how the steps differ.

Passwords

When federated only is turned on for users, their Advanced SSO password will be automatically deleted. Once the password is deleted, there is no way to set an Advanced SSO password for them. This applies to both the Edit user screen and the user import.

This also means the 'Forgot password' option will not send a password reset email to federated only users.

Login flow for federated only users

The typical login steps for federated users are shown here. You can see on step 3 that the user is shown both the option to log in using their SSO federation and the option to log in using a username and password provided by Advanced SSO.

Users not marked as federated only

A user that is not marked as federated only will be able to use either option to authenticate and log in.

Federated only users

Federated only users will see the same login page, but if they attempt to log in using an Advanced SSO username and password, they will see the standard error message that they have entered an incorrect username or password.

They will continue to see that error message because their account has been configured to only allow them to log in using their federated SSO credentials, not Advanced SSO credentials.

If a federated only user clicks on 'Forgot password', they will see the standard forgot password page where they are asked to enter their email address, but they will not receive an email allowing them to change their password.
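The behaviour described in this section, as an added model that is not the product's own code: enabling federated only deletes the stored Advanced SSO password, a password login by a federated only user returns the same generic error as a wrong password (so the response does not reveal the account's configuration), and 'Forgot password' renders the same page for everyone but only sends mail to accounts that can hold a password. The in-memory user store, the hashing scheme and the outbox are assumptions.

```python
import hashlib
import hmac
import os

GENERIC_ERROR = "Incorrect username or password"
FORGOT_PAGE = "If that address exists, check your email"


def _hash_password(password: str, salt: bytes) -> bytes:
    # Stand-in for the product's password storage (assumption): salted PBKDF2.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(password=None, federated_only=False) -> dict:
    """Constructed user record; a federated only user never keeps a password."""
    salt = os.urandom(16)
    pw_hash = _hash_password(password, salt) if password and not federated_only else None
    return {"federated_only": federated_only, "salt": salt, "password_hash": pw_hash}


# Constructed store: one federated only user, one consultant with SSO credentials.
USERS = {
    "fed.only@example.com": make_user(federated_only=True),
    "consultant@example.com": make_user(password="correct horse battery"),
}


def set_federated_only(email: str) -> None:
    """Turning federated only on deletes the Advanced SSO password outright."""
    USERS[email]["federated_only"] = True
    USERS[email]["password_hash"] = None


def password_login(email: str, password: str) -> tuple:
    """Username/password route. Unknown user, federated only user, missing
    password and wrong password all yield the same message."""
    user = USERS.get(email)
    if user is None or user["federated_only"] or user["password_hash"] is None:
        return (False, GENERIC_ERROR)
    candidate = _hash_password(password, user["salt"])
    if not hmac.compare_digest(candidate, user["password_hash"]):
        return (False, GENERIC_ERROR)
    return (True, "ok")


def forgot_password(email: str, outbox: list) -> str:
    """Same page for every address; a reset email is queued only for an
    account that is not federated only, so federated only users get nothing."""
    user = USERS.get(email)
    if user is not None and not user["federated_only"]:
        outbox.append(email)
    return FORGOT_PAGE
```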
