This article describes how to use Single Sign-On Applications (SSO Apps) with UID.
Currently, this feature is only supported in the Pro, Business, and Enterprise plans. Pro and Business plans do not include some of the advanced Bamboo HR-related features, such as the option of allowing Bamboo HR to update the profile of UID users.
Overview
SSO (Single Sign-On) enables users to sign on to multiple applications using a single set of authentication credentials.
SSO Apps are configured connections between UID and external applications. Administrators can assign SSO apps to groups or individual users in UID, allowing end users to sign in to their UID account and access selected external applications without having to enter individual credentials for each application. Users can see the applications appear in their User Portal, and directly sign into those applications via the User Portal.
Some applications also support provisioning; UID uses the System for Cross-domain Identity Management (SCIM) protocol for user provisioning.
Supported Single Sign-On Protocols for UID:
Note: Not all user roles will be able to view, configure, and assign/unassign users to SSO Apps on UID. Please see here for the full list of user roles and their SSO App permissions.
Add Existing Apps
UID offers many applications that you can directly integrate:
1. Go to the UID Manager Portal and click SSO Apps > Add App and you will see all the applications that have been preconfigured.
2. Select the application you want to add and click Add. You can filter the applications by selecting options under the CAPABILITIES list on the left to see which applications support both SAML and Provisioning.
3. Fill in the following information for the app selected (Slack is shown below as an example):
- App name: You can choose to modify the name of this App.
- Domain/Subdomain: Enter the domain name you set up on the chosen application platform. Only the part before the application’s own domain is needed. For example, if you are setting up Slack and your Slack domain is “ui.slack.com”, enter “ui” in the domain field.
- App visibility: If “Do not display application icon to users” is checked, users who are assigned the application will not have the app shown in the APPLICATION section of their User Portal.
4. Click Next, then configure the SAML 2.0 RelayState as your application requires. Click Done.
Note: SSO Apps is currently in early-stage development. If you would like to see other applications, you can click Request new app at the bottom left corner to submit a request.
Create Custom Apps
If you want to add an app that doesn't yet exist in the application list:
1. Click Create New App in UID Manager Portal > SSO APPS to add it and connect UID with your SAML or OpenID Connect applications.
2. After selecting the sign on method, click Next and fill in the required information. Then click Next to continue.
3. Fill in the Single Sign-On URL, Audience URI (usually SP Entity ID), Default RelayState and other information you might need to customize for the SSO app you want to create. Then click Create.
4. You will now see the application you added in the App list.
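The fields entered in step 3 are the values the application (the service provider) should later find in every SAML assertion it accepts. The following is an added example, not UID or vendor code, showing those checks on a constructed assertion; the URLs, function names, and the treatment of RelayState as a post-login path are assumptions.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Constructed values standing in for what the administrator entered in the form.
SP_ACS_URL = "https://app.example.com/saml/acs"          # Single Sign-On URL
SP_ENTITY_ID = "https://app.example.com/saml/metadata"   # Audience URI (SP Entity ID)

# Constructed, unsigned fragment. A real SP verifies the XML signature with its
# SAML library before running any of the checks below.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://app.example.com/saml/acs"
                                    NotOnOrAfter="2030-01-01T00:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>https://app.example.com/saml/metadata</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
</saml:Assertion>"""

def check_assertion(xml_text, acs_url, entity_id, now):
    """Return a list of problems; an empty list means the bindings match."""
    root = ET.fromstring(xml_text)
    problems = []
    path = ".//saml:Conditions/saml:AudienceRestriction/saml:Audience"
    audiences = [a.text.strip() for a in root.findall(path, NS) if a.text]
    if entity_id not in audiences:          # assertion was minted for another SP
        problems.append("audience mismatch")
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url:
        problems.append("recipient mismatch")
    expiry = scd.get("NotOnOrAfter") if scd is not None else None
    if expiry is None or now >= datetime.fromisoformat(expiry.replace("Z", "+00:00")):
        problems.append("expired or missing NotOnOrAfter")
    return problems

def safe_relay_state(value, default="/"):
    """Follow RelayState after login only when it is a local path."""
    if value.startswith("/") and not value.startswith(("//", "/\\")):
        return value
    return default

if __name__ == "__main__":
    print(check_assertion(ASSERTION, SP_ACS_URL, SP_ENTITY_ID, datetime.now(timezone.utc)))
    print(safe_relay_state("/dashboard"), safe_relay_state("https://other.example.net/"))
```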
Manage Apps
Overview Tab
On this tab, you can check the usage history for a specific SSO Application, including things like app usage trends, recent logins and the user with the most sign-ins in the last seven days.
General Tab
Here, you can view and modify the application settings:
- Application Label: The name of the application
- Domain: Your domain name
- App logo (optional): The logo of the application
- Application visibility: Once ticked, even if you assign this application to users, they will not see it in the Application list in the User Portal
- Expenses (optional): You can input expense related information under this section
- Plan Name: Enter a name for this plan
- Billing Contacts: Fill in the billing contact information
- Pricing: Set the pricing information here; the unit is Price/Seat/Month
- Attribute Statements (optional): You can add other attribute statements to the application
Sign On
Here, you can see the Sign On settings and set a Sign On Policy for this specific application.
To add or view policies for applications, go to UID Manager Portal > Security > App Sign-On Policy. You can also click the Manage App Sign On Policy link in the Sign On page of the application as shown above.
Provisioning
In the Provisioning tab, you can enable API integration.
Once you authenticate the application, you will be able to customize your integration with the application.
- Create Users: Enabled by default. An account is created directly in this application, without SSO, for each user you assign to it. The email and username are the same as those stored in UID.
- Update User Attributes: Disabled by default. When enabled, UID updates a user’s attributes in the application when the app is assigned. Future attribute changes made to the UID user profile will be automatically applied in the application.
- Deactivate Users: Enabled by default. When a user is unassigned in UID or their UID account is deactivated, their account in the application will also be deactivated. If you disable this option, the user’s account will be retained on the application platform even if their UID account is deactivated.
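When Deactivate Users is disabled, accounts can stay active in the application after access is removed in UID. The following is an added example, not UID or vendor code, that reconciles a directory export against an application's SCIM 2.0 user list and builds the standard SCIM deactivation request for each leftover account; the data is constructed and the export format and function names are assumptions.

```python
import json

# Constructed directory export: email -> is the user still assigned to the app?
UID_ASSIGNED = {"alice@example.com": True, "bob@example.com": False}

# Constructed SCIM 2.0 ListResponse, the shape an app returns for GET /Users.
APP_USERS = json.loads("""{
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
  "totalResults": 4,
  "Resources": [
    {"id": "u1", "userName": "alice@example.com", "active": true},
    {"id": "u2", "userName": "Bob@Example.com", "active": true},
    {"id": "u3", "userName": "carol@example.com", "active": true},
    {"id": "u4", "userName": "dave@example.com", "active": false}
  ]
}""")

def find_orphans(assigned, list_response):
    """Return app accounts that are active but not assigned in the directory."""
    # SCIM userName is case-insensitive, so compare in lower case.
    allowed = {email.lower() for email, ok in assigned.items() if ok}
    orphans = []
    for res in list_response.get("Resources", []):
        # "active" is optional in SCIM; treat a missing value as active so the
        # account is reviewed rather than silently skipped.
        if res.get("active", True) and res["userName"].lower() not in allowed:
            orphans.append(res)
    return orphans

def deactivate_request(resource):
    """Build the SCIM PATCH (PatchOp) that sets active=false for one user."""
    body = {
        "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
        "Operations": [{"op": "replace", "path": "active", "value": False}],
    }
    return "PATCH", "/Users/" + resource["id"], body

if __name__ == "__main__":
    for account in find_orphans(UID_ASSIGNED, APP_USERS):
        method, path, body = deactivate_request(account)
        print(account["userName"], method, path, json.dumps(body))
```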
Assignment
Click Assign to assign the Users or Groups you want to authorize. You can see the users or groups that have already been assigned on this page. You can also edit the user's attribute by clicking the edit icon, or unassign the user by clicking the delete icon.
Note: If a user is in a group and was assigned to the application through that group, you cannot unassign the user individually from the application. You can only delete the whole group that gives the user the access you don’t want them to have.
Assign from CSV
To bulk upload multiple users to UID:
1. Click Assign from CSV, then drag and drop your CSV file or click upload to choose the CSV file. Click Next once the upload is complete.
2. Select the users you want to assign. If the users have already been assigned to the application, you will not be able to select them again.
Below is an example screenshot from the user’s perspective when they log into the workspace using their UID. You can see that the administrator has assigned Slack to her account.