To spare your learners from signing in to Edflex when they are already signed in to your information system, you can set up an "automatic sign-in" (SSO). This article explains how.
Before we begin, some useful definitions.
- SSO (Single Sign-On): Authentication scheme that lets a user access several applications after authenticating just once.
- SP (Service Provider): The party that provides a service. Edflex, for example, is a service provider.
- IDP (IDentity Provider): Trusted entity that provides identities to service providers.
- SAML (Security Assertion Markup Language): Open standard for exchanging authentication and authorization data, with trust based on an exchange of certificates.
Whether your company uses Microsoft Azure (Active Directory), ADFS, Okta or another IDP, you can set up an SSO connection with Edflex.
In addition, do not confuse the implementation of SSO, which avoids having to sign in again if you are already signed in, with the link that points to your Edflex portal. Whether or not you have SSO set up, you will need to offer a link for access to Edflex. This link can be displayed in one of the tools of your information system, in an email, in the default shortcuts or in the favorites of the browser managed by your company.
Simple authentication or with custom fields?
Three attributes are mandatory to set up SSO with Edflex:
- Firstname
- Name
- Email
Two types of authentication are available:
- Simple authentication: you simply want to send Edflex the following information: First name, Last name, Email (or unique identifier), the latter being something that won't change during the employee's lifecycle.
- Authentication with custom fields: you want to add additional information such as the learner's number, the name of his department, the country where he is located, his phone number, whether or not he is a manager, his seniority... You are not limited in the number or type of additional fields. The information in these additional fields will not be displayed in the profile settings on the user side, but will be available in the report export for Admin roles.
We recommend that you start by setting up the first type. Later, if the additional fields are useful and meet your needs (reporting, monitoring, business intelligence...), it will be easy to add them.
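Before the technical workshop, the IDP administrator can check that a test assertion actually carries the three mandatory attributes and see which custom fields are released. The following is an added example, not Edflex code: it assumes the attributes are released under the exact names Firstname, Name and Email and that the unique identifier travels in the NameID (both are agreed with Edflex in practice), and the sample assertion is constructed.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Assumption: the mandatory attributes are released under these exact names.
MANDATORY = ("Firstname", "Name", "Email")

# Constructed, unsigned sample of what the IDP would send for one learner.
SAMPLE = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>a.martin@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="Firstname"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Name"><saml:AttributeValue>Martin</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Email"><saml:AttributeValue>a.martin@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="department"><saml:AttributeValue>Finance</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def read_attributes(assertion_xml):
    """Return (name_id, {attribute name: first value}) from SAML 2.0 XML."""
    root = ET.fromstring(assertion_xml)
    name_id = root.findtext(".//saml:NameID", default="", namespaces=NS).strip()
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        value = attr.findtext("saml:AttributeValue", default="", namespaces=NS)
        attrs[attr.get("Name", "")] = value.strip()
    return name_id, attrs

def check_release(assertion_xml):
    """Return (problems, custom_fields) for one test assertion.

    This checks attribute release only; it does not verify the signature.
    """
    name_id, attrs = read_attributes(assertion_xml)
    problems = [f"missing or empty mandatory attribute: {name}"
                for name in MANDATORY if not attrs.get(name)]
    if not name_id:
        problems.append("no NameID to serve as the unique identifier")
    custom = {k: v for k, v in attrs.items() if k not in MANDATORY}
    return problems, custom

if __name__ == "__main__":
    problems, custom = check_release(SAMPLE)
    print("problems:", problems or "none")
    print("custom fields:", custom)
```

An attribute released under a different name (for example mail instead of Email) shows up both as a missing mandatory attribute and as an unexpected custom field, which is the mismatch to resolve before testing the SSO.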
How to proceed?
Setting up SSO involves manual intervention from Edflex and your IDP administrator.
- To speed up the implementation of SSO, your Edflex customer success manager needs the contact details of a person in the IT department who has an administrator role on the IDP (Microsoft Azure (Active Directory), ADFS, Okta or other...).
- Edflex schedules a technical workshop to set up the SSO, during which the customer will provide Edflex with the Metadata XML file of the IDP. Edflex will provide the customer with a reciprocal file. During this workshop, elements such as the unique identifier, custom fields, etc. will be agreed.
- The customer and Edflex test the SSO.
- SSO is working: users signed in to your information system can now access Edflex without having to authenticate.
Frequently asked questions
- What happens on Edflex if we add a user in our IDP?
If the user is one of the authorized users on your IDP, the account will be created on the fly when the user tries to access Edflex.
- What happens on Edflex if we delete a user in our IDP?
Nothing. The user will not be deleted on Edflex. However, you can delete the user manually from the user management of your Edflex portal.
- What happens in our IDP if we delete a user on Edflex?
Nothing. The user will not be deleted in the IDP (we do not have this level of rights). However, the next time he signs in to Edflex, he will be re-created on the fly.
- What happens if a learner changes his name (on the occasion of a wedding, for example)?
If his unique identifier (email address, username, number...) does not change, no problem. If it changes, and the user tries to authenticate on Edflex, a new user will be created on the fly. To date, the data of these "two different users" cannot be reconciled.
- What happens on Edflex if a piece of information is modified on the IDP side?
We update all fields (except the unique identifier) at each authentication. Whether it is the last name, the first name or the values of custom fields, each modified value overwrites the previous one.
- How long is a SAML certificate valid for?
It varies and is defined by the clients themselves. The minimum would be one year. We recommend between 2 and 5 years. A certificate that becomes obsolete too soon would again require a technical workshop to set up SSO authentication.