Introduction

With Intuiface's support for Single Sign-On (SSO), organizations can enlist their own Identity Provider (IdP) to manage user authentication. In this case, Intuiface will delegate authentication to the IdP and will not store passwords. Further, the Identify Provider can restrict who in an organization is permitted to create and use an Intuiface account.

NOTE: Only Enterprise-level Intuiface accounts can take advantage of the SSO feature.

Prerequisites

Intuiface authentication can be performed by any corporate IdP compatible with SAML 2.0 and will apply to all email addresses using the company email domain (i.e. <anyone>@<company.domain>)

• For Active Directory users: You must use Azur Active Directory. The LAN-based Active Directory does not support SAML.
• "Connect with Google" is not yet supported, nor are any Social Media IdPs like Facebook.

How it works

Logging In

See the article about logging in using SSO for details and screenshots of the login process.

SSO authentication support:

• Composer: YES
• My Intuiface / User Community / Technical Support: YES
• Player: NO
  Alternative activation methods should be used.

Intuiface Account Creation

Any successful authentication against an IdP made with an email address unknown to Intuiface will result in the automatic creation of an Intuiface account for that address. This is known as just-in-time (JIT) provisioning.

All newly created accounts will be set to primary account status and at the Free tier level. Like any other primary account, these accounts can be migrated at any time to Secondary Account status as needed.

Configuring Intuiface to work with an IdP

SSO configuration is a four-step process:

1. Open a ticket with Intuiface Support and request IdP configuration instructions.
2. Intuiface Support will provide you with information for use by your IdP administration team to add Intuiface to your IdP as a recognized Service Provider (aka a "web app").
3. You / your IdP administration team must then send SAML metadata and additional specified information to Intuiface Support.
4. During a video call (to permit screen sharing), Intuiface Support and your IdP administration team will test the integration. If successful, SSO will be enabled and will be active for all users within your company.

Impact on Intuiface accounts after switching to Single Sign-On

For Intuiface accounts created before SSO adoption, after a switch to Single Sign-On:

• The regular login process will cease to work. Log in via SSO will be required.
• The original account password will be deleted from Intuiface records.
• Password reset must be performed via the IdP.

Any Intuiface account accessed via SSO will be unable, through Intuiface, to

• Change their email address
• Change their password

These changes must occur through the IdP itself.

Deactivating a provisioned Intuiface account

Should an employee leave or change roles/responsibilities, it may be necessary to deactivate that employee's Intuiface account so it can no longer be accessed.

Either or both of the following two steps may be necessary:

1. Removing the employee from the IdP (typically when an employee leaves your company) or disallowing the employee from using Intuiface in the IdP (when the employee changes their responsibilities). This will prevent the employee from authenticating with any Intuiface product or service.
2. Releasing or transferring licenses, experiences, credential keys, and datapoints owned by the employee. To do this, please contact Intuiface Technical Support.