Introduction
Single Sign-On (SSO) provides a seamless login experience by allowing users to access multiple services with a single set of credentials. However, in scenarios such as MSPs undergoing mergers and acquisitions (M&As) or those utilizing third-party helpdesk services, there may be a need to balance security and convenience without fully adding the names and emails of the augmented staff into your current SSO directory.
In this situation, you need control over whether SSO is enforced for a given technician or disabled through an SSO exemption.
This feature is crucial for MSPs that need to provide access to their systems for individuals who do not directly work for the MSP or the company, such as temporary staff or third-party consultants. The Enforce SSO / SSO exemption feature allows administrators to enforce or exempt specific users from SSO requirements, enabling them to log in with a username and password even when SSO is enabled.
Scope
This feature is particularly useful for administrators who need to ensure certain technicians can access the platform without SSO, often for troubleshooting or when external SSO services are down.
Technicians with "Enforce SSO" disabled (SSO Exempt) are allowed to log in using the "Continue With Password" button on the sign-in page of the admin panel.
Requirements
- Primary or Super role technician access to your CyberQP tenant
- Ensure that the "Enable SAML SSO" toggle is enabled and that the SSO Configuration has been completed:
https://support.getquickpass.com/hc/en-us/articles/4419178721559-Setting-up-Dashboard-Logins-for-SSO-SAML
How to disable Enforced SSO for a Technician (SSO Exemption)
Individual Technician Changes
Editing an Existing Technician
- Log into CyberQP
- Click on "Login Management" from the sidebar.
- Select "Technician Users".
- Click the three dot menu for the target technician > Edit User Permission
- Turn off the slider for "Enforce SSO"
- Save your changes.
Creating a New Technician
- Click on "+New Technician".
- Fill in the necessary information such as First Name, Last Name, and Work Email.
- Set the role level and technician groups (if needed)
- Under "Authentication options", turn off the slider for "Enforce SSO"
- Click "Save" to create the technician with an SSO exemption.
Bulk Technician Changes
- Click on "Login Management" from the sidebar.
- Select "Technician Users".
- Select the target technicians you want to enforce SSO or exempt from SSO using the bulk selection checkboxes (you may also use the search filter to pre-filter technicians)
- Click one of the now activated bulk options:
  - Enforce SSO (Selected technicians will be required to use SSO.)
    NOTE: Enforcing SSO for Super Roles is now permitted (force Super Role to use SSO). Enforcing SSO for all Super role Technicians enhances security but could limit Dashboard access if your SSO provider experiences an outage. To avoid potential disruptions, consider keeping at least one Super role technician exempt from SSO to ensure access for managing SSO settings if needed.
  - Disable SSO Enforcement (Selected technicians will be permitted to use SSO and our standard enforced MFA authentication method.)
- A confirmation modal will appear. Confirm your changes.
Viewing the SSO Exemptions with a List
"Enforce SSO" Column Overview:
- SSO must be enabled at the tenant level (ensure that the "Enable SAML SSO" toggle is enabled on the "Authentication Options" table).
- Navigate to the "Technician Users" section as described above.
- Click the "Column hider" button > Click toggle on "Enforce SSO"
- The column "Enforce SSO" indicates whether SSO is enabled or disabled for each technician.
- You can also use the "Enforce SSO" filter at the top to filter your technician users list to surface who is enforced or exempt.
Please note that we won't show the Primary Technician when you select "No".
Conclusion
Managing SSO exemptions is a critical task that helps maintain flexibility and security within CyberQP. By following the steps outlined in this guide, administrators can effectively control access to the platform, ensuring that all users have the appropriate level of security for their login process.
Commonly Asked Questions
Can I turn off the SSO Enforcement for the Primary User?
No, you cannot SSO exempt the primary user, as this is a feature that provides you with a minimal backup account to log into CyberQP in case your SSO is down or misconfigured. (At least 1 backup)
However, the decision to SSO exempt a new or existing Super user is now in your hands. Previously, we made the decision for you by allowing all Super users to be SSO exempt. You can now change this with the "Enforce SSO" toggle.
How does an SSO exempt user set their CyberQP Password and MFA?
At this time, we send out a welcome email to all new technicians. The CyberQP password and MFA are set via this welcome email.
If you have an existing technician that you decided to change from Enforced SSO to SSO Exempt, they can click the "Forget password?" button on our sign-in page (after using the "Continue with Password" button) to receive an email to set up the classic CyberQP authentication with Password and MFA.
Email to activate a Login (Technician) when SSO Enforcement changed.
An email will automatically be generated for a Technician to sign in WITHOUT SSO in the following cases:
- Super Role - by default this Role can log in with EITHER SSO or Username/Password/MFA. Any Technician created with this role will be sent the email to set up their account.
- Manager, Engineer, Helpdesk Role
  - At time of creation
    - SSO Exempt (not required to use SSO): the activation email will be sent.
    - SSO Enforced (MUST use SSO): the activation email will NOT be sent.
  - Change of SSO Enforcement
    - If CURRENTLY Exempt (not required to sign in with SSO) → Changed to SSO Enforced (required to sign in with SSO): no Activation email is sent.
    - If CURRENTLY SSO Enforced → Changed to Disable SSO Enforcement: Activation email should be generated ONLY if both of these 2 conditions are met:
      - Status is "Verification Required"
      - Enable SAML SSO toggle is off on Authentication Options page