Single Sign-On
Overview
Single sign-on (SSO) is a secure method of authentication that allows individuals to utilize one set of credentials to access several programs and applications.
Applying this setup to Cadence, your users can invoke IdP (Identity Provider) credentials to log into the platform; Mongoose acts as the SP (Service Provider).
The following guide will assist individuals looking to have their users log into Cadence using SSO.
Before You Start
Please review the following items before proceeding:
- Only SAML 2.0-based systems are supported.
- After SSO is enabled/configured, a Cadence user account is still required for access to the platform. SSO is only used to change sign in behavior for existing users; it cannot be used as an account creation method.
- A Cadence user account with an email address that matches the email property on the IdP is a prerequisite. User IdP sign-in credentials do not have to include an email address; the associated user just needs to have a matching email address stored as an attribute (we specifically request the email address via the name identifier property).
- Note: You do not need to do any attribute mapping to set up SSO with Cadence. No additional attribute or claim needs to be set up. We only need the SAML NameID property to contain the email address, with the NameID type set accordingly.
- SSO is enabled at the organization level, meaning that all teams in Cadence can utilize it once enabled. Individual team-level SSO configurations are not supported.
- SSO configuration relies on Base64-encoded certificates.
- POST and Redirect methods are the only supported bindings; Artifact is not supported.
- If you want to set up filtering on your side based on our IP, here are our IP addresses:
- 23.96.112.60
- 23.96.112.117
- 23.96.112.152
- 23.96.112.15
Considerations for Existing Organizations
If your school has already been using the Cadence platform, there are some specific items to consider:
- Once enabled, SSO is turned on for the entire organization in Cadence; however, it only takes effect once the configuration is complete and Cadence user accounts have been bound to the IdP.
- Although we recommend tying all Cadence users to the IdP, if there are some Cadence user accounts that do not have credentials with the IdP, they can be set to continue to log in with Cadence-managed credentials (email address and password).
- If a user account is bound to the IdP, Mongoose will no longer maintain login credentials for the user.
- Please contact your Client Success Manager if you're interested in Single Sign-On.
Configuration - Getting Started
First, Single Sign-On must be enabled for your organization by your Client Success Manager or by support (support@hellomongoose.com).
Note: Only Cadence Administrators are able to configure Single Sign-On (SSO).
Once enabled, navigate to your Admin drop down on the left side navigation. The SSO option will be for your entire organization (not per team) so it does not matter which team you are in when you set it up.
When setting up SSO for the first time, please be aware that information must be added on the Cadence side and with your institution's SSO Identity Provider.
You will see a quick start guide walking you through the process of adding your Identity Provider information to Cadence. On the right side under "Cadence Settings" you will find the Cadence Service Provider (SP) information that is needed to configure SSO on your institution's side.
Please note there will still be required configuration on your institution's end to add Cadence's Service Provider information.
Adding your Identity Provider
To add your Identity Provider (IdP) information to Cadence, click "New Identity Provider". You will then be prompted to enter your IdP information, including Name (a display name in Cadence to identify your SSO configuration, e.g. "Mongoose SSO"), Entity Id, Sign In URL, Certificate and Protocol (Redirect and POST options).
Note: When inserting your Certificate, you do not need to include the header/footer (e.g., -----BEGIN CERTIFICATE----- or -----END CERTIFICATE-----); paste only the Base64 body.
When complete, click "Create".
Your newly added IdP will be added to the page where you can edit or delete as necessary. You can also choose to assign it to all users or set it as the default (if you have more than one).
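The two checks an administrator most often gets wrong here are the certificate paste (header/footer left in) and the IdP's NameID (not an email address, or not sent in the email NameID type). The following is an added Python example, not code from Mongoose or the Cadence platform, that strips a constructed PEM certificate to its Base64 body and validates a constructed SAML assertion the way Cadence's requirement is described above. The emailAddress NameID format URN and the email regex are assumptions about what "name id type" and "email address" mean in practice.

```python
import base64
import re
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Standard SAML NameID format for an email address (assumed to be the
# "NameID type" the guide refers to).
EMAIL_NAMEID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"


def pem_body(cert_pem: str) -> str:
    """Return the bare Base64 body of a PEM certificate, i.e. what Cadence
    expects: no -----BEGIN/END CERTIFICATE----- lines and no whitespace.
    Raises binascii.Error if the remaining text is not valid Base64."""
    lines = (line.strip() for line in cert_pem.strip().splitlines())
    body = "".join(line for line in lines if not line.startswith("-----"))
    base64.b64decode(body, validate=True)  # fail early rather than in the Cadence UI
    return body


def nameid_email(assertion_xml: str) -> str:
    """Extract the email address Cadence matches on from a SAML assertion.
    Raises ValueError when the assertion would not satisfy the requirement:
    a NameID must be present, email-typed, and a plausible address."""
    root = ET.fromstring(assertion_xml)
    nameid = root.find(".//saml:Subject/saml:NameID", SAML_NS)
    if nameid is None or not (nameid.text or "").strip():
        raise ValueError("assertion carries no NameID; Cadence cannot match a user")
    fmt = nameid.get("Format", "")
    if fmt != EMAIL_NAMEID_FORMAT:
        raise ValueError(f"NameID Format is {fmt!r}, expected emailAddress")
    email = nameid.text.strip()
    if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", email):
        raise ValueError(f"NameID value {email!r} is not an email address")
    return email.lower()  # compare against the Cadence account email case-insensitively


# Constructed sample inputs (placeholders, not real material).
FAKE_B64 = base64.b64encode(b"constructed placeholder, not a real certificate").decode()
SAMPLE_PEM = f"-----BEGIN CERTIFICATE-----\n{FAKE_B64}\n-----END CERTIFICATE-----\n"
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" Version="2.0">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">
      Jane.Doe@example.edu</saml:NameID>
  </saml:Subject>
</saml:Assertion>"""

if __name__ == "__main__":
    print(pem_body(SAMPLE_PEM))
    print(nameid_email(SAMPLE_ASSERTION))
```

Run it against an assertion captured from your own IdP test sign-in (for example via the browser's SAML tracer) to confirm the NameID is what Cadence expects before binding accounts.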
SSO must be configured on both sides (Cadence and your institution's IdP) before it is active for your Cadence users. Once both sides have been set up, the next step is to test the connection (i.e., confirm someone on your side is able to successfully sign in).
After confirming the test was successful, the next step would be for an Admin user to log into Cadence and start binding accounts to the IdP.
Configuration - Binding Accounts to IdP
Cadence provides two ways to bind accounts:
- Assign your IdP to all Cadence accounts (across all teams). This is a great option if all users need this enabled.
- Assign individually. This option works best when adding brand new users or only a select number of people need SSO enabled.
To bind your IdP to all accounts:
1. From the navigation panel on the left-hand side, click "Team Name" > SSO.
2. Click the menu (three dots) next to the IdP you'd like to assign to all users, then click "Assign". You will be prompted to confirm the action; click "Assign" again.
To bind your IdP to individual accounts:
1. From the navigation panel on the left-hand side, click "Team Name" > Users.
2. Click the Show Users in all Teams toggle.
3. Click the dots to the right of the first user and select Edit.
4. Change the Authentication Method from Cadence to your SSO configuration.
5. Click "Update User".
6. Repeat steps 3-5 for each user you would like to bind to the IdP.
Additional Resources
Please utilize these additional resources related to SSO and signing into Cadence: