Introduction
With Intuiface's support for SAML 2.0, a company can enlist its own Identity Provider (IdP) to manage Intuiface user authentication, making it part of their federated identity management initiative. Intuiface will delegate authentication to the company's IdP and will not store passwords.
The benefits of using an Identity Provider:
- enforce the use of MFA (Multi-Factor Authentication)
- restrict who can create Intuiface organizations or access accounts (usually accomplished through the use of groups of authorized users)
NOTE: Only Enterprise-level Intuiface organizations can use the SSO feature.
Prerequisites
Intuiface authentication can be performed by any corporate IdP compatible with SAML 2.0 and will apply to all email addresses using the company email domain (i.e., <anyone>@<company.domain>). The following Identity Providers were successfully tested with Intuiface:
- Okta
- OneLogin
- JumpCloud
- Microsoft Entra ID (known previously as Azure Active Directory)
- Google Workspace as a SAML provider
- See Google's article about how to set up Google's SAML-based SSO with a third-party app like Intuiface.
NOTE:
- For Active Directory users: You must use Microsoft Entra ID. The LAN-based Active Directory does not support SAML.
- "Connect with Google" is not yet supported, nor are any Social Media IdPs like Facebook.
How it works
Logging In
See the article Logging in using Single Sign-On (SSO) for details and screenshots of the login process.
SSO authentication support:
- Composer: YES
- My Intuiface / User Community / Technical Support: YES
- Player: NO
Player must therefore be activated using one of the alternative activation methods. Also note that only SP-initiated SSO is supported: the login must start from my.intuiface.com. IdP-initiated SSO (for example, launching Intuiface from an application tile in the IdP's portal) is not supported.
Intuiface Profile Creation
Any successful authentication against an IdP made with an email address unknown to Intuiface will automatically create an Intuiface profile for that address. This is known as just-in-time (JIT) provisioning.
JIT provisioning typically occurs when a person has been invited to access one or more accounts in an Intuiface organization. After provisioning, the newly created Intuiface profile will automatically grant access to the accounts in the invite.
The best way to add users to your Intuiface organization
As the owner or admin of an Intuiface organization, if you would like to grant new users access to any of your accounts, proceed as follows:
- In your Identity Provider, add the new user to a group of users authorized to use Intuiface (You may need to ask your Identity Provider administrator)
- Then, invite the new user.
- The new user will receive an invitation. As soon as the new user authenticates on my.intuiface.com using SSO, this new user will have access to the specified accounts.
Configuring Intuiface to work with SAML 2.0-based federated identity management
SAML 2.0 configuration is a four-step process:
- Open a ticket with Intuiface Support and request SAML 2.0 configuration instructions. Please indicate:
  - That you have read the § Impact on Intuiface profiles after switching to SSO with SAML 2.0 section below.
  - The company email domain(s) you want to associate with your IdP
  - The type of IdP you plan to use
- Intuiface Support will provide you with the information your IdP administration team needs to add Intuiface to your IdP as a recognized Service Provider (aka a "web app").
- You or your IdP administration team must then send your IdP's SAML metadata, plus the additional information specified by Support, to Intuiface Support.
- As soon as the support team has set up the configuration on the my.intuiface.com side, you will need to log in using Single Sign-On (SSO).
NOTE: Only nominative users (accounts belonging to specific, named people) will be able to access my.intuiface.com unless your IdP administration team agrees to also create "pseudo-nominative" (shared) accounts on the IdP. This may be impossible, either because of security policy enforcement or because of Multi-Factor Authentication enforcement on the IdP side.
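As an added example (not Intuiface's code and not part of this article), the Python script below runs the checks a practitioner would want to perform on an IdP's SAML metadata before sending it to Intuiface Support in step 3, and then shows the SP-initiated AuthnRequest redirect that a login started from the service provider sends to the IdP (the only flow described under "How it works"). The sample metadata, the idp.example.com and sp.example.com URLs, the placeholder certificate, and the check that the IdP advertises an emailAddress NameID format are all constructed placeholders or assumptions; the real Intuiface entity ID and assertion consumer URL are the values Support gives you.

```python
"""Pre-flight checks on SAML 2.0 IdP metadata plus an SP-initiated AuthnRequest (constructed example)."""
import base64
import uuid
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlsplit

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample of the shape an IdP exports. The certificate is a truncated
# placeholder that merely decodes to a DER SEQUENCE; it is not a real certificate.
SAMPLE_IDP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIBAAAA</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_idp_metadata(xml_text):
    """Pull out the fields a service provider needs from IdP metadata."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    info = {"entity_id": root.get("entityID"), "has_idp_descriptor": idp is not None,
            "sso": {}, "signing_certs": [], "nameid_formats": []}
    if idp is None:
        return info
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):  # no 'use' attribute means signing and encryption
            for cert in kd.findall(".//ds:X509Certificate", NS):
                info["signing_certs"].append("".join((cert.text or "").split()))
    for svc in idp.findall("md:SingleSignOnService", NS):
        info["sso"][svc.get("Binding")] = svc.get("Location")
    info["nameid_formats"] = [n.text.strip() for n in idp.findall("md:NameIDFormat", NS) if n.text]
    return info


def check_idp_metadata(xml_text):
    """Return a list of problems; an empty list means the metadata looks usable."""
    info = parse_idp_metadata(xml_text)
    problems = []
    if not info["entity_id"]:
        problems.append("EntityDescriptor has no entityID")
    if not info["has_idp_descriptor"]:
        return problems + ["no IDPSSODescriptor: this is not IdP metadata"]
    if not info["signing_certs"]:
        problems.append("no signing certificate: the SP cannot verify assertion signatures")
    for cert in info["signing_certs"]:
        try:
            der = base64.b64decode(cert, validate=True)
        except ValueError:
            problems.append("signing certificate is not valid base64")
            continue
        if not der.startswith(b"\x30"):  # DER certificates start with a SEQUENCE tag
            problems.append("signing certificate is not a DER certificate")
    usable = {b: loc for b, loc in info["sso"].items() if b in (REDIRECT, POST)}
    if not usable:
        problems.append("no SingleSignOnService with an HTTP-Redirect or HTTP-POST binding")
    for binding, loc in usable.items():
        if not (loc or "").startswith("https://"):
            problems.append(f"SingleSignOnService for {binding} is not https: {loc!r}")
    # Assumption (not stated by the article): profiles are keyed by email address,
    # so the IdP should be able to identify the user by email.
    if EMAIL_FMT not in info["nameid_formats"]:
        problems.append("emailAddress NameIDFormat not advertised; confirm the IdP releases the user's email")
    return problems


def build_authn_request(sso_redirect_url, sp_entity_id, acs_url, request_id=None):
    """SP-initiated login: the HTTP-Redirect binding carries the AuthnRequest as
    raw DEFLATE, then base64, then URL-encoded in the SAMLRequest query parameter."""
    request_id = request_id or "_" + uuid.uuid4().hex
    issued = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    xml = (f'<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
           f'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="{request_id}" Version="2.0" '
           f'IssueInstant="{issued}" Destination="{sso_redirect_url}" '
           f'AssertionConsumerServiceURL="{acs_url}" ProtocolBinding="{POST}">'
           f'<saml:Issuer>{sp_entity_id}</saml:Issuer></samlp:AuthnRequest>')
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw DEFLATE, no zlib header
    deflated = deflater.compress(xml.encode()) + deflater.flush()
    return sso_redirect_url + "?" + urlencode({"SAMLRequest": base64.b64encode(deflated).decode()})


def decode_saml_request(redirect_url):
    """Inverse of the redirect encoding, to inspect what the IdP would receive."""
    raw = base64.b64decode(parse_qs(urlsplit(redirect_url).query)["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode()
```

Run `check_idp_metadata()` on the metadata file your IdP exports before opening the ticket: a missing signing certificate or an `http://` SSO location is something your IdP administrators should fix on their side, not something Support can work around. `build_authn_request()` is there to make the SP-initiated flow concrete: the browser is sent to the IdP's SingleSignOnService location with the deflated request in the query string, which is why the login has to start at my.intuiface.com.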
Impact on Intuiface profiles after switching to SSO with SAML 2.0
After a switch to SSO via SAML 2.0:
- All current and future Intuiface profiles associated with email addresses from your company domain will be forced to use SSO. (NOTE: Your IdP administration team should also consider restricting my.intuiface.com access to a group of authorized users in the IdP; otherwise, because of just-in-time provisioning, anyone on your domain who can authenticate to the IdP can obtain an Intuiface profile.)
- Password reset is no longer possible. This must occur through the IdP itself.
- An Intuiface organization's owner and admins can still invite users regardless of whether those users' email addresses belong to your company domain.
For Intuiface accounts created before SAML 2.0 adoption, after a switch to SSO via SAML 2.0:
- The regular login process will cease to work. Log-in via SSO will be required.
- The original profile (hashed) password will be deleted from Intuiface records.
Any Intuiface profile accessed via SSO will be unable, through Intuiface, to
- Change their email address
- Change their password
These changes must occur through the IdP itself.
Deactivating a provisioned Intuiface profile
Should an employee leave or change roles/responsibilities, it may be necessary to deactivate that employee's Intuiface profile so it can no longer be accessed.
This is done in the IdP, not in Intuiface: either remove the employee from the IdP altogether (typically when an employee leaves your company) or remove the employee from the IdP group authorized to use Intuiface (when the employee changes responsibilities). Because Intuiface no longer holds a password for the profile, this prevents the employee from authenticating with any Intuiface product or service.