What is Single Sign-On?
Single Sign-On (SSO) allows you to use your own organization's enterprise user account system in place of the default Data & Insights authentication and account system. This can be used for provisioning accounts instead of creating Data & Insights user accounts from the Admin Users page, although user roles and permissions must still be assigned on the Data & Insights platform.
If you are interested in enabling Single Sign-On for your domain, please first contact your Customer Success Manager or Account Manager (or Project Manager if you are currently in an active project). After that, the next steps will be to email Support the information outlined in Setting Up Single Sign-On (with the Subject line: Single Sign-On setup) to initiate setup.
NOTE: All connection types are implemented on an email domain basis, so any user attempting to log in to any Data & Insights site will be forced to use SSO if their email domain has been set up for SSO.
For example, if we have SSO implemented for all users with a *@cityofevergreen.gov email address, then anytime a user with a *@cityofevergreen.gov email address logs in to any Data & Insights domain (for example, the City of Chicago domain), they will go through the SSO workflow.
SSO Integrations Types and User Experiences
Data & Insights supports Single Sign-On with ADFS (Active Directory Federation Service) and custom SAML 2.0 integrations. The type of integration used for SSO will vary based on the identity provider (IdP) used by your agency.
There are two primary user experiences/flows that are possible when SSO is enabled for your organization’s email domain(s). The second flow is only available for organizations using a SAML identity provider that supports the workflow.
Option 1: Standard Workflow (Service provider-initiated flow)
This is a typical and standard SSO workflow in enterprise systems. With this integration, users initiate the SSO workflow through the traditional login screen on your Data & Insights domain.
As soon as the user types in their email address, the password box will disappear and will be replaced with text that says “SSO Enabled.” If the user is logged in to the identity provider in the same browser session, they will be taken directly through to their profile page:
If the user is not logged in, they will be redirected to the identity provider login page and asked to authenticate before they can access the Data & Insights domain.
Option 2: Launch from your dashboard (Identity provider-initiated flow)
This integration provides the same user experience if a user navigates directly to the Data & Insights domain in their browser, but with an additional way to access the Data & Insights domain from a direct link within their identity provider user interface.
With IdP-initiated SSO, users initiate the SSO workflow through an application menu screen on the identity provider site. A sample identity provider menu might look like this:
Clicking on one of the applications then launches a separate tab or window, where the user is automatically logged in to the application using SSO authentication: