Single Sign On (SSO)
Single Sign On (SSO) is a service permitting the use of one set of login credentials (username and password) to access multiple applications.
SSO is an add-on to EngagementHQ and is not included in any standard license. If you like to enquire more or buy the add-on, please emails us at firstname.lastname@example.org.
Why use SSO in EHQ?
Single Sign On can dramatically improve your admin and participants’ user experience. With SSO you don’t have to register a new account and remember a new username and password. Instead you can simply log into EHQ with the same credentials you use to log into your existing systems.
How does it look?
With SSO enabled your EHQ login screen will have a new button that allows your staff to login with their organisation’s details. Depending on the role you have given them they will then either have access as an administrator or a participant.
The wording and colour of this ‘Council Staff Sign In’ button can be customised.
The Login Flow
There are two slightly different flows when you log in via SSO.
Assume you are not logged into your work network yet. Clicking on Council Staff Sign In will direct you back to your work network portal. Enter your username and password there and after logging in you will get redirected back to EHQ where you are logged in.
Assume you are logged into your work network already. Clicking on Council Staff Sign In, will be direct you back to your work network and straight away back to EHQ where you are logged in. There is still a redirect back to you work network as the authorization still has to occur but you are not prompted to enter a username/password again nor is the re-direct visible to you.
After logging in with SSO, you have the same rights as before. That means accounts who have participants rights will be logged in as participants. Admins will be logged in as admins.
In your PRM you can see those participants that have logged in via SSO and use our filtering mechanisms to create and manage groups. Participants having logged in via SSO are no different to other participants in technical terms. It is just their method of login that changes.
The Technical Detail
Currently, we offer SSO for any Identity Provider (IdP) that supports SAML (Security Assertion Markup Language). SAML-based SSO services involve communications between the user, an Identity Provider (IdP) that maintains a user directory and EHQ. When a user attempts to access EHQ we* will send a request to the IdP for authentication. EHQ will then verify the authentication and log the user in as an admin or participant, depending on their roles.
Examples of IdPs we have worked with are:
- Microsoft Active Directory Federation Services
As an administrator logging in via SSO you will not be able to delete any projects. This is because as a security mechanism we require anyone who wants to delete a project to enter their eHQ password. Since SSO administrator do not have a eHQ password, you cannot proceed. Our support team can do this for you however, simply ask us via chat and we do it for you in no time.
*We use a service called Auth0 to facilitate the authentication on our behalf. Auth0 is one of THE leading services for identity authentication.