Introduction

With Intuiface's support for SAML 2.0, an organization can enlist its own Identity Provider (IdP) to manage Intuiface user authentication, making it part of any company's federated identity management initiative. Intuiface will delegate authentication to the organization's IdP and will not store passwords. Further, the organization can use its Identify Provider to restrict who can create and use an Intuiface account: this is usually done through the use of groups of authorized users.

NOTE: Only Enterprise-level Intuiface accounts can use the SSO feature.

Prerequisites

Intuiface authentication can be performed by any corporate IdP compatible with SAML 2.0 and will apply to all email addresses using the company email domain (i.e., <anyone>@<company.domain>). The following Identity Providers were successfully tested with Intuiface:

• Okta
• OneLogin
• JumpCloud
• Azure Active Directory

NOTE:

• For Active Directory users: You must use Azure Active Directory. The LAN-based Active Directory does not support SAML.
• "Connect with Google" is not yet supported, nor are any Social Media IdPs like Facebook.

How it works

Logging In

See the article Logging in using Single Sign-On (SSO) for details and screenshots of the login process.

SSO authentication support:

• Composer: YES
• My Intuiface / User Community / Technical Support: YES
• Player: NO
  Alternative activation methods should be used. Only my.intuiface.com can initiate authentication; the IdP cannot activate it. 

Intuiface Account Creation

Any successful authentication against an IdP made with an email address unknown to Intuiface will automatically create an Intuiface account for that address. This is known as just-in-time (JIT) provisioning.

All newly created accounts will be set to primary account status. These accounts can be migrated to secondary account status as needed.

The best way to add Seconday accounts

As a Primary Account user, if you want to add Secondary Account you should proceed the following way:

• In your Identity Provider add the new user in a group of users authorized to use Intuiface (You may need to ask your Identity Provider administrator)
• Then invite the new user as described in § Steps for creating a secondary 
• The new user will receive an invitation. As soon as the new user authenticates on my.intuiface.com with SSO, a Secondary Account will be created for this new user.

Configuring Intuiface to work with SAML 2.0-based federated identity management

SAML 2.0 configuration is a four-step process:

1. Open a ticket with Intuiface Support and request SAML 2.0 configuration instructions.
2. Intuiface Support will provide you with information for your IdP administration team to help them add Intuiface to your IdP as a recognized Service Provider (aka a "web app").
3. You / your IdP administration team must then send SAML metadata and additional specified information to Intuiface Support.
4. During a video call (to permit screen sharing), Intuiface Support and your IdP administration team will test the integration. If successful, SAML 2.0 will be enabled and will be active for all users within your company.

NOTE: Only nominative users (accounts for specific people) will be able to access my.intuiface.com unless your IdP administration team agrees to create "pseudo-nominative" accounts on the IdP as well. This may be impossible either due to security policy enforcement or some form of Multi-Factor Authentication enforcement on the IdP side.

Impact on Intuiface accounts after switching to SSO with SAML 2.0

After a switch to SSO via SAML 2.0:

• All current and future Intuiface accounts associated with email addresses for your company domain will be forced to use SSO. (NOTE: Your IdP administration team may want to authorize my.intuiface.com access to a group of users in the IdP as well.)
• Password reset is no longer possible. This must occur through the IdP itself.
• One nominative user will be assigned PA (primary account) status on my.intuiface.com. This user will typically be the Intuiface account with all your licenses.
• This PA can invite other Intuiface accounts to become secondary accounts (SA), whether these accounts have email addresses from your company domain or not.
• This PA will be able to allow specific SAs to use Composer licenses. These licenses can be checked in and checked out by the PA and these specific SAs. This PA can also temporarily loan a Composer license to a SA, in which case the license will be assigned to the SA and cannot be used by anyone else.
• This PA will be able to loan Player licenses to SAs. These SAs, by using the Player activation feature of my.intuiface.com, will be able to activate shared Player licenses on their devices. These SAs will also have access to the Share & Deploy Console, where they can manage their Players.

For Intuiface accounts created before SAML 2.0 adoption, after a switch to SSO via SAML 2.0:

• The regular login process will cease to work. Log-in via SSO will be required.
• The original account password will be deleted from Intuiface records.

Any Intuiface account accessed via SSO will be unable, through Intuiface, to

• Change their email address
• Change their password

These changes must occur through the IdP itself.

Deactivating a provisioned Intuiface account

Should an employee leave or change roles/responsibilities, it may be necessary to deactivate that employee's Intuiface account so it can no longer be accessed.

Either or both of the following two steps may be necessary:

1. Removing the employee from the IdP (typically when an employee leaves your company) or disallowing the employee from using Intuiface in the IdP (when the employee changes their responsibilities). This will prevent the employee from authenticating with any Intuiface product or service.
2. Releasing or transferring licenses, experiences, credential keys, and data points owned by the employee. To do this, please contact Intuiface Technical Support.