Frequently Asked Questions

Managing Identities and Access for NetCloud

1. Is it possible to use SSO with two different Identity Providers (IdPs)? (For customers with multiple domains managed by different IdPs.)

Yes, you can use SSO with two different Identity Providers (IdPs) at the same time (for example when different customer domains are managed by different IdPs).

If the same person’s account uses the same unique identifier (email/name) in both IdPs, both logins map to the same NetCloud Manager (NCM) user account. The user can sign in through either IdP and end up at the same NCM user.

If the same person has different email addresses (i.e., different IdP accounts in different domains), those are treated as two distinct NCM users, because NCM treats each email as a separate user identity.

Important caveat about permissions: “Forced permissions” applied by an IdP are applied at login. If the forced-permissions settings differ between the two IdPs for that same user identifier, the user’s permissions in NCM will change depending on which IdP they used to sign in. If both IdPs enforce the same forced permissions, the user’s experience is identical regardless of which IdP they use.
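A check an administrator could run over user exports from both IdPs to find identifiers whose forced permissions depend on the sign-in path. This is an added example, not part of the NetCloud documentation; the tuple layout, IdP names and role strings are constructed placeholders, not NetCloud's forcedPermission value format.

```python
from collections import defaultdict

# Constructed sample data: (IdP name, email, forcedPermission value).
# None means that IdP sends no forcedPermission attribute for the user.
# Role strings are opaque placeholders, not real NetCloud role values.
SAMPLE_ASSIGNMENTS = [
    ("idp-a", "alice@example.com", "ROLE_X"),
    ("idp-b", "alice@example.com", "ROLE_X"),
    ("idp-a", "bob@example.com", "ROLE_X"),
    ("idp-b", "bob@example.com", "ROLE_Y"),
    ("idp-a", "carol@example.com", "ROLE_X"),
    ("idp-b", "carol@example.com", None),
    ("idp-a", "dave@example.com", "ROLE_Y"),
    ("idp-b", "dave@example.org", "ROLE_X"),
]


def group_by_email(assignments):
    """Build {email: {idp: forced_value}}; the email is the user identity."""
    by_email = defaultdict(dict)
    for idp, email, forced in assignments:
        by_email[email][idp] = forced
    return by_email


def forced_permission_drift(assignments):
    """Emails present in more than one IdP whose forced values differ.

    An attribute set in one IdP and absent in the other counts as a
    difference (assumption made for this audit).
    """
    return {
        email: dict(per_idp)
        for email, per_idp in group_by_email(assignments).items()
        if len(per_idp) > 1 and len(set(per_idp.values())) > 1
    }


def single_idp_identities(assignments):
    """Emails known to only one IdP; each one is its own NCM user."""
    grouped = group_by_email(assignments)
    return sorted(e for e, per_idp in grouped.items() if len(per_idp) == 1)


if __name__ == "__main__":
    for email, per_idp in forced_permission_drift(SAMPLE_ASSIGNMENTS).items():
        print("forced permissions differ:", email, per_idp)
    print("single-IdP identities:", single_idp_identities(SAMPLE_ASSIGNMENTS))
```

The single-IdP list is worth a manual look for the same person under two domains, since those addresses become separate NCM users with separately assigned permissions.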

2. What default role will be given to a user if no role is specified using the forcedPermission attribute?

"No access" is the default role that is used when the role is not provided. See Forced Permission Examples for more information.

3. What happens to an account's System Administrator user when SSO is implemented?

The System Administrator remains unchanged. The System Administrator will SSO into NetCloud just like every other user and will retain the highest-level administrator privileges to the NCM account.

4. What happens to a collaborator when SSO is implemented? Can a collaborator still be added to my account?

Collaborators remain unchanged. Collaborators can still access an NCM account that uses SSO even if that collaborator originates from an NCM account that does not use SSO.

5. Can I change settings of an existing SSO Self-Serve Implementation?

Yes, all settings can be changed by selecting the pencil icon next to the Identity Provider in the Account > SAML Single Sign-On tab.

6. What if I need to change my IdP?

Another IdP can be added to NCM. An administrator from the current/active IdP will need to have a user with the same email in the second IdP to complete the migration.

7. What SSO user data is stored in NCM?

The required attributes for an SSO user are stored in NCM: First Name, Last Name, and Email Address. NCM does not store user secrets/passwords that were used prior to SSO migration.

8. Do NCM users need to have a new role assigned after setting up SSO?

New users need a role assigned. However, the optional forcedPermission attribute can be used to assign a role automatically.

Existing NCM users will retain the same role they had prior to setting up SSO. Any new users created after setting up SSO will need to have a role assigned. This can be done by using the forcedPermission attribute, or it can be done manually.