Corporate Login (Single Sign-On): Managing Users

 

About

Corporate Login/Single Sign-On allows users to log into ProntoForms using their corporate login credentials, provided by Identity Provider (IdP) systems like Okta, Active Directory, or OneLogin.  Read more about Corporate SSO.

Often, our customers have some users who are supposed to use SSO (like employees) while others aren't allowed to use SSO (typically contractors, who don't have a managed identity).  

When you are using Single Sign-On, it's important to set up users correctly by indicating if they are supposed to use Single Sign-On or not.  This allows our Technical Support team to easily identify users who are supposed to use SSO, so they can assist them properly.   It also allows the ProntoForms system to identify users who are supposed to use SSO, so that we can give these users an experience tailored to this method of logging in. 


Getting Users Ready to use Corporate Login

There are a few things to consider when setting up ProntoForms users if Corporate Login is enabled.

1. The user must exist within both ProntoForms and the IdP

Each user must have an account on your team with both the service provider (ProntoForms) and the identity provider.  ProntoForms user accounts cannot be created on the fly when users log in through your Identity Provider.

 

2. Usernames

ProntoForms usernames and IdP usernames must match.  

  • The ProntoForms and IdP usernames could both be "johndoe".
  • The ProntoForms username could be "johndoe@yourcompany.com", and the IdP username could be "johndoe".

In the SSO configuration, a "username suffix" can be defined so that the ProntoForms and IdP usernames can be matched.  In the second example above, the username suffix would be "@yourcompany.com".

 

3. Setting up a user to use Single Sign-On

See below to learn how to set up users to ensure they can only log in with SSO, and to tailor their experience for this kind of login.


Set up a User to use Corporate Login/Single Sign-On

NOTE: Before setting up users to use Single Sign-On, ensure that you have configured Single Sign-On for your team.

 

Create a user who will use Corporate Login:

  1. In the top navigation, go to Users & Groups, mouse over Users, then select Create User.
  2. Fill out the rest of the required user settings.  Read here for more information on these other settings.
  3. Turn on the "Must Use Corporate Login" checkbox.

 

This setting affects the following aspects of this user's experience when using ProntoForms:

  • Password:  Since this user will not be logging in with their ProntoForms credentials, you will no longer see an option to set or change their password, as they will not actually have a password.

  • "Forgot Password"/Password Reset:  If a user has forgotten their password, they will not be able to set (or reset) a ProntoForms password in our system.  This will ensure they are forced to use their corporate credentials and don't have an alternate way to log in.

    If they try to use "Forgot Password", they will instead receive an email directing them to contact their Single-Sign-On Problem Contact person for help with their corporate credentials.

  • Password Expiry: Users will be exempt from Password Expiry in the ProntoForms system, since they do not have a password in our system.  If you would like password expiry rules, configure them in your Identity Provider system. 

  • Account Lockout: If users enter an incorrect username and password multiple times, their account will not be locked out.  If you would like accounts locked out after unsuccessful login attempts, configure this in your Identity Provider's system.

  • Miscellaneous System Emails:  In certain cases, our system sends emails to users when they are having trouble logging in.  If the user has "Must use Corporate SSO" enabled, our emails will remind them to use their corporate credentials, and direct them to your Single Sign-On Problem Contact for help with those credentials.

Note: You must have at least one Admin user on the team who has this setting OFF.  This user can still log in with Corporate Login, but will also be able to have a password.  This is for backup purposes.

 

If a user has already been set up to use Corporate Login only, this setting will show up on their user profile.



Switching an Existing User to "Must use Corporate Login"

Edit an existing user and turn the same checkbox on.  This will result in:

  1. The user's password being cleared.
  2. The user being sent an email to let them know of this change, with directions to log in correctly.

Note: If this user is actively using the ProntoForms app already, doing this will interrupt their experience, as they will be forced to log in again with their Corporate login credentials before continuing to fill out or submit forms.  Because of this, we recommend changing this setting in "off" hours, or when you have warned the user that it will happen.


Mass Enforce Corporate Login/Single Sign-On

Typically, ProntoForms customers set up SSO after many of their users have been using ProntoForms for quite some time.  In this scenario, it would be difficult to turn on "Must use Corporate Login" for each user individually.

You can Mass Enforce SSO, which turns that setting on for many users at once. 

  1. Go to your Team Settings.
  2. Enter the Security tab.
  3. Mouse over the Single Sign-On header, and select Mass Enforce SSO.
  4. Choose one of two options:
    • Enforce SSO for everyone except the selected users:
      • Use this when you will be changing most users to "Must use Corporate Login"
    • Enforce SSO for the selected users:
      • Use this when you will only be changing a few users to "Must use Corporate SSO"
  5. Select the appropriate users; find them by typing their names or usernames.

 

Note: If the users are actively using the ProntoForms app already, making this change will interrupt their experience, as they will be forced to log in again with their Corporate login credentials before continuing to fill out or submit forms.  Because of this, we recommend changing this setting in "off" hours, to avoid disrupting your field team.


Download SSO User List

Download a list of all the users on the team, including some settings that are specific to Corporate Login/SSO.  This helps you tell whether your Single Sign-On settings are correctly configured.

  1. Go to your Team Settings.
  2. Enter the Security tab.
  3. Mouse over the Single Sign-On header, and select Download SSO User List.

 Sample Export

 

Fields:

  • SSO Username:  This is the username ProntoForms is expecting from your Identity Provider for each user.  It is a combination of the ProntoForms username and the Suffix configured in the SSO Settings.  If this looks incorrect, your users will not be able to log in; update either the usernames or the suffix until the "SSO username" matches what you see in your Identity Provider system.
  • SAML External Alias: This is only used when the username + suffix combination is not flexible enough to match the usernames in your Identity Provider system.  It is configured by creating an alias on the user with the system as "saml".
  • Corporate Sign-On Only:  If "TRUE", then the user is set up as "Must Use Corporate SSO."
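
The check this export supports, as an added example that is not ProntoForms code: it reconciles the downloaded list against the usernames in your Identity Provider and sorts users into those locked out, those who can still use a password, and those correctly enforced. It assumes the export is a CSV whose headers match the field names above, that a SAML External Alias (when set) is used in place of the SSO Username, and that matching is exact; all sample data is constructed.

```python
import csv
import io

# Constructed sample data. Assumption: the export is a CSV whose column
# headers match the field names described above; the real file may differ.
SAMPLE_EXPORT = """\
SSO Username,SAML External Alias,Corporate Sign-On Only
johndoe@yourcompany.com,,TRUE
asmith@yourcompany.com,alice.smith@yourcompany.com,TRUE
contractor1@yourcompany.com,,FALSE
bwong@yourcompany.com,,TRUE
teamadmin@yourcompany.com,,FALSE
"""
# Constructed list of usernames as they appear in the Identity Provider.
SAMPLE_IDP_USERNAMES = {
    "johndoe@yourcompany.com",
    "alice.smith@yourcompany.com",
    "teamadmin@yourcompany.com",
}


def expected_idp_name(row):
    """Name the IdP must send. Assumption: a SAML alias, when set, is used
    in place of the SSO Username."""
    alias = (row.get("SAML External Alias") or "").strip()
    return alias or (row.get("SSO Username") or "").strip()


def audit_sso_export(export_text, idp_usernames):
    """Sort users into three review lists, keyed by SSO Username."""
    report = {"cannot_log_in": [], "password_login_allowed": [], "enforced_ok": []}
    for row in csv.DictReader(io.StringIO(export_text)):
        user = (row.get("SSO Username") or "").strip()
        enforced = (row.get("Corporate Sign-On Only") or "").strip().upper() == "TRUE"
        if not enforced:
            # May still have a password: expect only contractors and the backup admin.
            report["password_login_allowed"].append(user)
        elif expected_idp_name(row) not in idp_usernames:
            # SSO-only with no matching IdP name: no way to log in at all.
            report["cannot_log_in"].append(user)
        else:
            report["enforced_ok"].append(user)
    return report


if __name__ == "__main__":
    for bucket, users in audit_sso_export(SAMPLE_EXPORT, SAMPLE_IDP_USERNAMES).items():
        print(f"{bucket}: {users}")
```

Review the password_login_allowed list before and after a Mass Enforce run: it should contain only the accounts you intend to keep off SSO, including the backup Admin.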
