Single Sign-on is a useful feature to increase security and user adoption of new tools. It means that your employees can log in automatically to connected applications using their default company password, which is stored, for instance, in your LDAP or Active Directory system. While Small Improvements doesn’t integrate with LDAP or AD directly, it does provide SAML integration, which can be used with a variety of services.
For this to work you will need a Small Improvements subdomain. Just let us know by contacting our team and we’ll have it up and running.
Below is a list of supported vendors:
- Google Apps: We offer an official integration with Google Apps.
- OneLogin: We provide our own detailed setup guide for OneLogin.
- Microsoft Azure: We’re listed in Azure AD’s application gallery. Please refer to their setup tutorial.
- CA: We’ve been certified to integrate with CA Siteminder. You can find more details and a CA runbook on their website.
- Okta: We’re listed as a certified Okta application in the Okta directory. Learn more on our Okta setup guide.
- Centrify: We have an official SAML integration with Centrify too. Learn more on our Centrify setup guide.
- Ping Identity: We officially integrate with Ping Identity. Read the Ping Identity setup guide.
- SimpleSAMLphp: A customer of ours provided details on how to set up SimpleSAMLphp with SI.
Our SAML configuration screen can be found in the Administration tab: scroll to the bottom of the screen, where the integrations are located, and click the button labeled “SAML SSO”.
It contains some 5 configuration fields that look somewhat technical, but this makes them flexible enough to support a wide range of third-party solutions. You can roll out your own integration, or make use of our own or vendor-provided documentation.
Certificate Example and Requirements
To ensure the correct setup, please make sure to review our certificate guidelines.
1. The following markers must be present: `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----`.
2. The markers are on separate lines.
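A pre-paste check for the two guidelines above, as an added example that is not part of Small Improvements' documentation or tooling. It also flags typographic dashes and HTML `<br>` residue, which tend to creep in when a certificate is copied from a web page or document. The function name `check_pem` and the sample body (constructed bytes, not a real certificate) are assumptions.

```python
import base64
import binascii
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

def check_pem(text):
    """Return a list of problems in a pasted PEM certificate (empty list = OK)."""
    problems = []
    # Editors and web pages often turn runs of hyphens into en/em dashes.
    if re.search("[\u2012-\u2015]", text):
        problems.append("typographic dashes found; markers need plain hyphens")
    if "<br" in text.lower():
        problems.append("HTML line-break residue found")
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if BEGIN not in text:
        problems.append("BEGIN marker missing")
    elif lines[0] != BEGIN:
        problems.append("BEGIN marker is not on its own first line")
    if END not in text:
        problems.append("END marker missing")
    elif lines[-1] != END:
        problems.append("END marker is not on its own last line")
    if problems:
        return problems
    try:
        der = base64.b64decode("".join(lines[1:-1]), validate=True)
    except (binascii.Error, ValueError):
        return ["body between the markers is not valid base64"]
    # An X.509 certificate is a DER SEQUENCE, so its first byte is 0x30.
    if not der or der[0] != 0x30:
        problems.append("decoded body does not look like a DER certificate")
    return problems

# Constructed sample body: a few bytes starting with 0x30, NOT a real certificate.
SAMPLE_BODY = base64.b64encode(b"\x30\x82\x00\x04demo").decode()
GOOD = f"{BEGIN}\n{SAMPLE_BODY}\n{END}\n"
ONE_LINE = f"{BEGIN} <br> {SAMPLE_BODY} <br> {END}"
SMART_DASHES = GOOD.replace("-----", "\u2014\u2013")

if __name__ == "__main__":
    for name, pem in [("good", GOOD), ("one line", ONE_LINE), ("dashes", SMART_DASHES)]:
        print(name, "->", check_pem(pem) or "OK")
```

The check only covers the format of the pasted text; it does not verify that the certificate is the one your identity provider actually signs with.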
The SAML integration is only for Single Sign-On, so no users are automatically populated into Small Improvements. You still need to add user accounts to Small Improvements via Administration -> Company Directory or import them from an Excel worksheet.
Note: A user needs to be created in Small Improvements before he/she can log in.
Adjusting the welcome email
We recommend you adjust some of the email notification templates to avoid user confusion.
Whenever you invite staff into Small Improvements, they receive an email telling them about Small Improvements. This email also explains how to define their new password. But since they will use your SSO provider’s password instead, that email template needs to be changed.
Please navigate to the Administration tab, click the “Emails” button, locate the “Access to Small Improvements: Welcome Mail” email template, and then remove any mention of setting a password. You can write that people should use the password defined in your intranet instead.