Introduction

With Intuiface's support for Single Sign-On (SSO), organizations can enlist their own Identity Provider (IdP) to manage user authentication. In this case, Intuiface will delegate authentication to the IdP and will not store passwords. Further, the Identify Provider can restrict who in an organization is permitted to create and use an Intuiface account.

NOTE: Only Enterprise-level Intuiface accounts can take advantage of the SSO feature.

Prerequisites

Intuiface authentication can be performed by any corporate IdP compatible with SAML 2.0 and will apply to all email addresses using the company email domain (i.e. <anyone>@<company.domain>). The following Identity Providers were successfully tested with Intuiface:

• Okta
• OneLogin
• JumpCloud
• Azure Active Directory

NB:

• For Active Directory users: You must use Azure Active Directory. The LAN-based Active Directory does not support SAML.
• "Connect with Google" is not yet supported, nor are any Social Media IdPs like Facebook.

How it works

Logging In

See the article about logging in using SSO for details and screenshots of the login process.

SSO authentication support:

• Composer: YES
• My Intuiface / User Community / Technical Support: YES
• Player: NO
  Alternative activation methods should be used.
• Authentication can only be initiated by my.intuiface.com. It cannot be initiated by the IdP. 

Intuiface Account Creation

Any successful authentication against an IdP made with an email address unknown to Intuiface will result in the automatic creation of an Intuiface account for that address. This is known as just-in-time (JIT) provisioning.

All newly created accounts will be set to primary account status. If desired, these accounts can be migrated at any time to secondary account status as needed.

Configuring Intuiface to work with an IdP

SSO configuration is a four-step process:

1. Open a ticket with Intuiface Support and request IdP configuration instructions.
2. Intuiface Support will provide you with information for use by your IdP administration team to add Intuiface to your IdP as a recognized Service Provider (aka a "web app").
3. You / your IdP administration team must then send SAML metadata and additional specified information to Intuiface Support.
4. During a video call (to permit screen sharing), Intuiface Support and your IdP administration team will test the integration. If successful, SSO will be enabled and will be active for all users within your company.

NOTE: Only nominative users (accounts for specific people) will be able to access my.intuiface.com, unless your IdP administration team agrees to create "pseudo-nominative" accounts on the IdP as well. This may be impossible either due to security policy enforcement or if some form of Multi Factor Authentication is enforced on the IdP side.

Impact on Intuiface accounts after switching to Single Sign-On

After a switch to Single Sign-On:

• All current and future Intuiface accounts associated with email addresses for your company domain will be forced to use SSO (NOTE: Your IdP administration team will likely need to authorize my.intuiface.com access to a group of users in the IdP as well.)
• One nominative user will become a PA (primary account) in my.intuiface.com. This user will typically be the Intuiface account in possession of all your licenses.
• This PA will be able to invite other Intuiface accounts to become secondary accounts (SA), whether these accounts have email addresses from your company domain or not. (If they are not a company account, they may not be using SSO.)
• This PA will be able to allow specific SAs to use Composer licenses. These licenses can be checked in and checked out by the PA and these specific SAs. This PA can also temporarily loan a Composer license to a SA, in which case the license will be assigned to the SA and cannot be used by anyone else.
• This PA will be able to temporarily loan Player licenses to SAs. These SAs, by using the Player Activation feature of my.intuiface.com, will be able to activate shared Player licenses on their devices. These SAs will also have access to the Share & Deploy Console where they can manage their Players.

For Intuiface accounts created before SSO adoption, after a switch to Single Sign-On:

• The regular login process will cease to work. Log in via SSO will be required.
• The original account password will be deleted from Intuiface records.
• Password reset must be performed via the IdP.

Any Intuiface account accessed via SSO will be unable, through Intuiface, to

• Change their email address
• Change their password

These changes must occur through the IdP itself.

Deactivating a provisioned Intuiface account

Should an employee leave or change roles/responsibilities, it may be necessary to deactivate that employee's Intuiface account so it can no longer be accessed.

Either or both of the following two steps may be necessary:

1. Removing the employee from the IdP (typically when an employee leaves your company) or disallowing the employee from using Intuiface in the IdP (when the employee changes their responsibilities). This will prevent the employee from authenticating with any Intuiface product or service.
2. Releasing or transferring licenses, experiences, credential keys, and data points owned by the employee. To do this, please contact Intuiface Technical Support.