07-15-2024 08:46 AM
Is there any update to the roadmap for Identity Provider to implement non-interactive logins using SAML authentication? For example, launching Web or Unity client from an Okta/Azure/OneLogin portal and the user not needing to type in a password again vs the way the clients redirect for authentication and force a login screen?
07-15-2024 08:56 AM
Hello
The Hyland Identity Provider (IdP) is service provider (SP) initiated, meaning it redirects to the third-party SAML provider for authentication. In this scenario, the onus is on the SAML provider to handle single sign-on (SSO) functionality.
Entra (formerly Azure), for example, refers to this as Seamless SSO. You'll need to reference documentation from the respective SAML provider for steps on setting up SSO as the Hyland IdP does not handle this portion of authentication.
07-16-2024 03:25 AM
Hello Jimmy,
Sorry to interject, but does the same apply to an ADFS provider?
We encounter a similar issue where ADFS login is prompted even if the user is already authenticated in the browser with ADFS and we are trying to figure out where to start to have this work seamlessly.
Thank you,
Stefan
07-16-2024 07:06 AM
Hi
Yes, this works with AD FS. This will depend on your solution, however, since the authenticating user may or may not be joined to the domain. AD FS relies on Windows Authentication for a non-interactive authentication experience (though there may be other ways of doing it too). This is only possible when the user is logged into the same domain as the AD FS server. In the scenario where a user is not logged into the domain, Forms Authentication is used through the AD FS Proxy and seamless authentication would not be possible.
The prompt that the users are encountering could vary: a Windows Authentication prompt vs. a Forms Authentication prompt. A Windows Authentication prompt occurs when Windows Authentication fails and requires a user to enter their domain credentials, whereas Forms Authentication is a web page that prompts the user for authentication.
Best wishes.
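An added check (not from this thread or from Hyland) that an AD FS administrator can run on the AD FS server to see whether the intranet policy can give domain-joined users the non-interactive Windows Authentication sign-in described above, and whether a given browser user agent would instead fall back to Forms. It assumes the ADFS PowerShell module is available; the sample user agent string is constructed, and the substring match against WIASupportedUserAgents is an approximation of how AD FS selects Windows Authentication.

```powershell
# Added example, not code from the thread or from Hyland.
# Requires the ADFS module (present on an AD FS server).
Import-Module ADFS

function Test-AdfsSeamlessSignIn {
    param(
        # Constructed sample user agent; replace with the one your users' browser sends.
        [string]$UserAgent = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0 Safari/537.36'
    )

    $policy    = Get-AdfsGlobalAuthenticationPolicy
    $props     = Get-AdfsProperties
    $intranet  = @($policy.PrimaryIntranetAuthenticationProvider)
    $extranet  = @($policy.PrimaryExtranetAuthenticationProvider)
    $wiaAgents = @($props.WIASupportedUserAgents)

    # Assumption: AD FS only attempts Windows Authentication (WIA) when the
    # browser's user agent matches an entry in WIASupportedUserAgents.
    $agentMatch = [bool]($wiaAgents | Where-Object { $UserAgent -like "*$_*" })

    $report = [ordered]@{
        IntranetProviders      = $intranet -join ', '
        ExtranetProviders      = $extranet -join ', '
        IntranetHasWindowsAuth = $intranet -contains 'WindowsAuthentication'
        ExtranetHasWindowsAuth = $extranet -contains 'WindowsAuthentication'
        UserAgentMatchesWia    = $agentMatch
    }

    # Interpretation, following the behaviour described in the thread:
    # - intranet users are seamless only if WIA is enabled AND the browser matches;
    # - users coming through the AD FS Proxy (extranet) get Forms Authentication.
    if (-not $report.IntranetHasWindowsAuth) {
        $report.Finding = 'Intranet policy has no WindowsAuthentication: every user will see a prompt.'
    } elseif (-not $agentMatch) {
        $report.Finding = 'WIA is enabled but this user agent is not in WIASupportedUserAgents: expect a Forms prompt.'
    } else {
        $report.Finding = 'Domain-joined intranet users with this browser should sign in non-interactively.'
    }

    return [pscustomobject]$report
}

Test-AdfsSeamlessSignIn | Format-List
```

Users reaching AD FS through the proxy are governed by the extranet providers, so a Forms prompt for them is expected regardless of the intranet result.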
07-16-2024 03:29 PM
Just to be clear, I'm talking about the option for Identity Provider Initiated so that the users can launch Unity/Web from their portals. We were told early on (and maybe Single Sign On wasn't possible back then in this context) that using IdP would force them to enter credentials because of the redirect to the SAML provider and service provider initiation.
In a nutshell, you're saying that even with the current IdP, if the SAML provider supports it, they can technically have a seamless "autologin" or non-interactive login experience even though IdP is Service Provider Initiated?