Single Sign-On (SSO)

Sites can be configured to allow authentication via external identity providers. Specifically, one or more external organizations/directories can be explicitly associated with one or more ZEM sites. When a user belonging to such an external organization logs into ZEM through the external identity provider, they will automatically gain access to any ZEM site that has been configured to allow logins from that organization.

In some cases, a user who previously logged into ZEM with a username and password will log in through an external identity provider instead. See the SSO-Only section for more information on what happens in that case.

Configuration

Role

The manage_auth_integrations role is required to use this feature.

In order to configure Single Sign-On for a site, go to the system settings for the site by clicking the site name banner in the top-left corner of the screen, then clicking the settings ('cog') icon next to the site name.

From there, select the 'Authentication settings' tab. Depending on the environment, you'll see one or more sections for each of the available authentication services. Note how the service card includes a link and a button:

Setup URL

Clicking this will copy the 'Setup URL' to the clipboard. You or your colleague will need to visit this URL in order to allow the ZEM integration to be used with your external organization. Admin privileges are required in the external organization to complete this step, but no ZEM account is needed.

This step is generally required before the 'Connect organization' step can be completed.

Connect organization

Clicking this will trigger the log-in flow for the external organization, which we'll use to link and verify the connection between the external organization and the ZEM site. As the user managing the authentication integrations of the site, this is a step you will have to complete, but you don't need admin privileges in the external organization to do so.

Auth settings

SSO-Only

If a "non-SSO" user (i.e. a user who has previously logged into ZEM using a username and password) logs in through an external identity provider, they will be granted "additional" access to any site that has been configured to allow logins from that organization, if they did not have prior access to the site. In most cases, the user will at this point also be converted to a so-called "SSO-only" user, meaning that they can no longer log in using their username and password. Their 2FA settings, password, password TTL, etc. will be cleared and such policies are now effectively deferred to the administrator of the external organization.

There is one exception to this rule: if the user has the rights to manage authentication integrations for all sites they have access to through the external organization, they will not be converted to an SSO-only user. This is to ensure that the user can still log in to ZEM in order to manage the authentication integrations if something goes wrong with the external identity provider or organization.
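The following is an added example, not ZEM's own code: it models the SSO-only conversion rule and its lockout-prevention exception described above. The `User` structure, the `sso_login` function and the role name `manage_auth_integrations` (taken from the Role section) are assumptions used to illustrate the rule.

```python
# Added example (not ZEM's code): a model of the SSO-only conversion rule.
# All names and data structures are assumptions for illustration only.
from dataclasses import dataclass, field

MANAGE_AUTH = "manage_auth_integrations"  # role named in the Role section


@dataclass
class User:
    name: str
    site_roles: dict = field(default_factory=dict)  # site -> set of role names
    has_password: bool = True        # a "non-SSO" user still has a password
    two_factor_enabled: bool = True
    sso_only: bool = False


def sso_login(user: User, org_sites: set) -> dict:
    """Apply an external-IdP login for a user whose organization is linked
    to the sites in `org_sites`. Returns which sites were newly granted and
    whether the user was converted to SSO-only (password and 2FA cleared)."""
    newly_granted = sorted(s for s in org_sites if s not in user.site_roles)
    for site in newly_granted:
        # Access is granted without any elevated roles (assumption).
        user.site_roles[site] = set()

    # Exception: a user who can manage auth integrations on every site the
    # organization grants keeps their password, so they can still log in and
    # repair the integration if the external IdP breaks.
    manages_all = all(MANAGE_AUTH in user.site_roles.get(s, set()) for s in org_sites)

    converted = False
    if not user.sso_only and not manages_all:
        # Password, 2FA and related policies are cleared and deferred to the IdP.
        user.has_password = False
        user.two_factor_enabled = False
        user.sso_only = True
        converted = True

    return {"newly_granted": newly_granted, "converted_to_sso_only": converted}
```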