
Single Sign-On (SSO) and System for Cross-domain Identity Management (SCIM)

Single Sign-On (SSO) enables ALTR Administrators to sign into the ALTR platform through their Identity Provider (IdP) instead of ALTR's sign-in page. SSO makes it easy for ALTR administrators to sign into the ALTR platform from their IdP and makes it easy for IT admins to disable access to ALTR.

System for Cross-domain Identity Management (SCIM) enables IT administrators to create, modify, and remove ALTR identities (administrators) from their IdP. SCIM makes it easy for IT admins to provision, modify, and deprovision identities in ALTR.

About Single Sign-On (SSO)

Single Sign-On is a technology that enables users of software applications to authenticate into multiple different applications with a single login. In corporate environments, this is typically done through an Identity Provider (IdP). Users authenticate through their IdP, typically with a username, password, and two-factor authentication method, which then grants them access to provisioned software applications known as Service Providers (SPs).

SSO makes it easy for individual users to access all of their provisioned software applications, as they only need to remember one set of credentials. SSO makes it easier for IT administrators to control access to software, as they can easily disable authentication to particular applications when appropriate.

About System for Cross-domain Identity Management (SCIM)

System for Cross-domain Identity Management is a technology that enables IT administrators to easily create, modify, and remove identities from third-party software applications using their IdP. This makes it easy to manage user accounts, as the IT administrator does not need to log into or understand the third-party system in order to manage identities in that system.

Differences between SSO and SCIM

SSO strictly handles authentication to an SP through an IdP. If only SSO is configured for a software application, identities still have to be created in that application before a user can access it. Once the identity is created and the corresponding user is provisioned access to the application in the IdP, that user is able to authenticate (log in) to that application using their identity provider. When a user is deprovisioned from an application through their IdP, their identity will still exist in that application, but they will no longer be able to authenticate into it.

SCIM handles the creation, modification, and removal of identities in an SP. If only SCIM is configured for a software application, identities will be automatically created, modified, and removed for users of an application as they are provisioned access to the application in their IdP. However, they still need to authenticate (log into) that application manually with a separate set of credentials.

ALTR supports SSO-only or SSO+SCIM integrations with various IdPs.

SSO in ALTR

ALTR supports Single Sign-On using the SAML 2.0 protocol. When configured, this enables ALTR administrators to sign into the ALTR user interface portal through their identity providers, instead of using an ALTR username, password, and two-factor authentication code. When SSO is enabled for an ALTR organization, users must sign in using SSO; username and password authentication is disabled.

SSO configuration is available to administrators with the Superadministrator role for Enterprise-tier ALTR organizations. SSO is configured on the SSO and SCIM Settings page in ALTR's UI, Settings > Preferences > SSO/SCIM. Guides are available for configuring SSO with common IdPs such as Okta and Microsoft Entra ID (Azure AD). For help configuring SSO for other IdPs, contact ALTR Support.

When SSO is enabled for an organization, administrators of that organization must sign in using SSO. ALTR supports SP-initiated and IdP-initiated SSO. When navigating to an SSO-enabled organization's login page, administrators are prompted with a Sign in with SSO button, which redirects them to their identity provider. Alternatively, users can sign into ALTR from their IdP by clicking the appropriate tile (or similar, depending on the IdP interface).

If SSO is enabled, but not SCIM, ALTR administrators must still be manually created before a user can access ALTR.

When authenticating users via SSO, ALTR identifies users based on their Username in ALTR and the equivalent identifier in their IdP. This lookup is case sensitive. Before configuring SSO, ALTR administrators should take care to ensure that their usernames in ALTR exactly match their usernames in their identity provider. If these usernames do not match, the administrator will not be able to sign into ALTR once SSO is enabled.
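A pre-flight check for the case-sensitive username match described above, as an added example that is not part of ALTR's documentation or tooling. It assumes you have exported the ALTR administrator usernames and the IdP identifiers into two lists by your own means; the function name and sample data are hypothetical, and the check goes slightly beyond case by also flagging stray whitespace and Unicode-form differences.

```python
import unicodedata


def _fold(name: str) -> str:
    # Collapse differences a human would overlook but an exact,
    # case-sensitive lookup would not: Unicode form, padding, case.
    return unicodedata.normalize("NFKC", name).strip().casefold()


def preflight_sso_usernames(altr_usernames, idp_usernames):
    """Classify each ALTR username against the IdP identifiers.

    ok        - an identical string exists in the IdP
    near_miss - (altr_name, idp_name) pairs that differ only by
                case, whitespace or Unicode form
    missing   - nothing in the IdP resembles the ALTR username
    """
    idp_exact = set(idp_usernames)
    idp_folded = {}
    for name in idp_usernames:
        idp_folded.setdefault(_fold(name), []).append(name)

    report = {"ok": [], "near_miss": [], "missing": []}
    for name in altr_usernames:
        if name in idp_exact:
            report["ok"].append(name)
        elif _fold(name) in idp_folded:
            for candidate in idp_folded[_fold(name)]:
                report["near_miss"].append((name, candidate))
        else:
            report["missing"].append(name)
    return report


# Constructed sample data (not real accounts).
ALTR_ADMINS = ["alice@example.com", "Bob@Example.com",
               "carol@example.com ", "dave@example.com"]
IDP_USERS = ["alice@example.com", "bob@example.com",
             "carol@example.com", "erin@example.com"]

if __name__ == "__main__":
    result = preflight_sso_usernames(ALTR_ADMINS, IDP_USERS)
    for altr_name, idp_name in result["near_miss"]:
        print(f"FIX BEFORE ENABLING SSO: ALTR {altr_name!r} vs IdP {idp_name!r}")
    for name in result["missing"]:
        print(f"NO IDP IDENTITY: {name!r}")
```

Resolve every near_miss and missing entry before enabling SSO; once SSO is on, password sign-in is disabled, so a mismatched Superadministrator has no fallback.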

SSO can only be disabled for an organization by contacting ALTR Support. If SSO is disabled, administrators must reset their ALTR password before signing into ALTR. They will be prompted to re-configure their two-factor authentication settings.

SCIM in ALTR

ALTR supports System for Cross-domain Identity Management using the SCIM 2 protocol. When SCIM is enabled, ALTR defers all activity for creating, modifying, and removing administrators to ALTR's SCIM API, which is used by the configured IdP. Creating, modifying, and removing administrators through ALTR's UI and Management API (MAPI) is disabled while SCIM is active.

SCIM can only be configured for Enterprise-tier ALTR organizations once SSO is already configured. ALTR administrators with the Superadministrator role can configure SCIM on the SSO and SCIM Settings page in ALTR's UI, Settings > Preferences > SSO/SCIM. A guide is available for configuring SCIM with Okta. ALTR has not validated SCIM support for other IdPs. For help with SCIM for other IdPs, contact ALTR Support.

SCIM can only be disabled for an organization by contacting ALTR Support. If SCIM is disabled, ALTR retains all administrator information from the time that SCIM was disabled. If SCIM is disabled, creating, editing, and deactivating admins through ALTR's UI and Management API is reenabled.