User Provisioning Overview and Options

User Provisioning is an identity management process that ensures user accounts are created, given proper permissions, changed, disabled, and deleted. This can be completed in SiQ via:

  • SCIM (System for Cross-domain Identity Management) is an open standard that allows user management to be automated. Note that SCIM provisioning requires the use of SAML SSO.
  • SSO (Single Sign-On) allows a user to log in once to their network and thereby gain access to several network-connected programs, eliminating the need to log in to each system individually.

SCIM Overview

Part of hiring new employees is provisioning the applications they need to do their jobs, and then, during their time at your company, keeping their user accounts and permissions up to date. When they leave your company, their access needs to be revoked quickly from those applications. Using SCIM instead of managing this process manually is less time-consuming and more accurate, as a manual process is more error-prone.

[Image: scim.png]

SCIM provides a defined schema for representing users and a RESTful API for creating, updating and deactivating those users. Also, you can set up the SSO Identity Provider (IdP) to synchronize passwords, ensuring that a user's IdP password and the User Provisioning password match.
Additionally, user profile attributes can be mapped between the user attributes in the source application (SiQ) and the User Provisioning Service user profile. The SCIM Integrations listed below have been enhanced to support user-defined custom attributes, which enables the User Provisioning Service to import those attributes into SiQ.

To find out more about the SCIM-defined schema, see System for Cross-domain Identity Management: Core Schema.
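As an added illustration of the SCIM messages described above (not SiQ's own code; the schema URNs are the standard RFC 7643/7644 values, the user details are constructed), this shows the create-on-hire and deactivate-on-leave messages an IdP sends, together with the checks a provisioning endpoint should run before writing an employee record:

```python
# Standard SCIM 2.0 URNs from RFC 7643/7644; nothing here is SiQ-specific.
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


def build_create_user(user_name, given, family, email):
    """Body an IdP POSTs to /Users when an employee is hired (constructed sample values)."""
    return {
        "schemas": [USER_SCHEMA],
        "userName": user_name,
        "name": {"givenName": given, "familyName": family},
        "emails": [{"value": email, "type": "work", "primary": True}],
        "active": True,
    }


def build_deactivate_patch():
    """Body an IdP PATCHes to /Users/{id} on offboarding: disable the account, do not delete it."""
    return {
        "schemas": [PATCH_SCHEMA],
        "Operations": [{"op": "replace", "path": "active", "value": False}],
    }


def validate_user_resource(body):
    """Checks a provisioning endpoint should apply before writing the employee record.
    Returns the list of problems found; an empty list means the resource is acceptable."""
    problems = []
    if USER_SCHEMA not in body.get("schemas", []):
        problems.append("missing core User schema URN")
    if not body.get("userName"):
        problems.append("userName is required")
    primary = [e for e in body.get("emails", []) if e.get("primary")]
    if len(primary) != 1:
        problems.append("exactly one primary email is required (it becomes the login identifier)")
    elif "@" not in primary[0].get("value", ""):
        problems.append("primary email is not an address")
    return problems


def apply_patch(resource, patch):
    """Apply a PatchOp whose paths are simple top-level attributes (enough for deactivation).
    Anything more complex (filters, sub-attributes, remove) is rejected rather than guessed at."""
    if PATCH_SCHEMA not in patch.get("schemas", []):
        raise ValueError("not a SCIM PatchOp message")
    updated = dict(resource)  # shallow copy: the stored record is untouched until the patch is valid
    for op in patch.get("Operations", []):
        path = op.get("path", "")
        if op.get("op") not in ("add", "replace") or not path or "." in path or "[" in path:
            raise ValueError("unsupported operation: %r" % (op,))
        updated[path] = op["value"]
    return updated
```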

SiQ User Provisioning Options

We recommend the following options for user provisioning:

Each option is described by the source of the Employee data, the source of the User data, and how the user logs in to SiQ.

Option 1 – SCIM Integration and User access via SSO
  Employee Data: Takes the User data and populates the Employee data.
  User Data: Takes the User data from the SSO Identity Provider.
  SiQ Login: User logs in via SSO.

Option 2 – Multiple SCIM Integrations and User access via SSO
  Employee Data: Takes the Employee data from the HR System.
  User Data: Combination of User data from different User Provisioning Services.
  SiQ Login: User logs in via SSO.

Option 3 – Custom SCIM Integration and SSO
  Employee Data: Takes the Employee data from a third-party HR system.
  User Data: Takes the User data from the SSO Identity Provider.
  SiQ Login: User logs in via SSO.

Option 4 – SCIM Integration and User access via Manual Login
  Employee Data: Takes the Employee data via the SCIM Integration.
  User Data: The employee's email address is used as part of the user's credentials.
  SiQ Login: User logs in manually.

Option 5 – Employee data transfer via SFTP and User access via SSO
  Employee Data: Takes the Employee data via SFTP.
  User Data: Takes the User data from the SSO Identity Provider.
  SiQ Login: User logs in via SSO.

Option 6 – Employee data manually imported and User access via SSO
  Employee Data: Takes the Employee data from a manual upload.
  User Data: Takes the User data from the SSO Identity Provider.
  SiQ Login: User logs in via SSO.

Option 7 – Employee data manually imported and User access via Manual Login
  Employee Data: Takes the Employee data from a manual upload.
  User Data: The employee's email address is used as part of the user's credentials.
  SiQ Login: User logs in to SiQ manually.

Option 1 – SCIM Integration and User access via SSO

User Data and Employee Data

User data is transferred via the SCIM synchronization, and SiQ then uses this data to populate the Employee data. Your employees log in to SiQ via SSO.

[Image: option1.png]

SiQ has the following SCIM integrations available, or you can use the Custom SAML & SCIM Integration (see Option 3).

User Access

For the SSO overview and setup, see SSO Overview.

For how your employees will use SSO to access SiQ, see SSO (Single Sign On) and SiQ.

Option 2 – Multiple SCIM Integrations and User access via SSO

User Data and Employee Data

Employee data and User data are taken from a combination of integrations such as:

  • Two or more SCIM Integrations
  • HR System and an SSO Integration
  • SCIM Integration and an SFTP data transfer

Also, your employees will log into SiQ via SSO.

[Image: option2.png]

User Access

For the SSO overview and setup, see SSO Overview.

For how your employees will use SSO to access SiQ, see SSO (Single Sign On) and SiQ.

Option 3 – Custom SCIM Integration and SSO

User Data and Employee Data

SiQ offers a number of third-party integration applications that are pre-integrated to allow customers to seamlessly integrate employee provisioning and authentication. You will find there are other vendors whose platforms are not yet formally integrated.

The Custom SAML and SCIM integration allows providers without a pre-integration process to integrate with SiQ through SAML and SCIM, as long as the vendor's platform supports a common "custom integration" feature.

[Image: option3.png]

For more details, see Custom SAML & SCIM Integration.

User Access

For the SSO overview and setup, see SSO Overview.

For how your employees will use SSO to access SiQ, see SSO (Single Sign On) and SiQ.

Option 4 – SCIM Integration and User access via Manual Login

User Data and Employee Data

With this option your IT team will need to:

  • Set up the SCIM User Provisioning.

Then your SiQ Admin will need to:

  • Notify the employee that they will log in to SiQ manually and inform them their email address is used to reset their password.

[Image: option4.png]

User Access

For how your employees will log in to SiQ manually, see Manual Login and SiQ.

Option 5 – Employee data transfer via SFTP and User access via SSO

Employee Data and User Data

With this option your IT team will need to set up a process for:

  1. Extract the Employee data from the ERP System to a flat file such as a .CSV file. Note that a script can be used to automate the extraction so that it runs, for example, daily.
  2. Use SFTP to transfer the file.
  3. SiQ automatically imports the Employee data.

[Image: option5.png]

For how to set up SFTP, see SFTP Employee Import.

User Access

For the SSO overview and setup, see SSO Overview.

For how your employees will use SSO to access SiQ, see SSO (Single Sign On) and SiQ.

Troubleshooting

If you find your employees in the situation where they can't log in to SiQ then see User Can't log in to SiQ.

Option 6 – Employee data manually imported and User access via SSO

User Data and Employee Data

With this option your IT team will need to set up a process for:

  • Extract the Employee data from the ERP System to a flat file such as a .CSV file.

Then your SiQ Admin will need to:

  1. Manually import the employees, see Add or Remove Employees via an Employee Import.
  2. Notify the employee that they will log in to SiQ manually and inform them their email address is used to reset their password.

[Image: option6.png]

User Access

For the SSO overview and setup, see SSO Overview.

For how your employees will use SSO to access SiQ, see SSO (Single Sign On) and SiQ.

Option 7 – Employee data manually imported and User access via Manual Login

Employee Data and User Data

With this option your IT team will need to set up a process for:

  • Extract the Employee data from the ERP System to a flat file such as a .CSV file. Note that a script can be used to automate the extraction so that it runs, for example, daily.

Then your SiQ Admin will need to:

  1. Manually import the employees, see Add or Remove Employees via an Employee Import.
  2. Notify the employee that they will log in to SiQ manually and inform them their email address is used to reset their password.

[Image: option7.png]

User Access

For how your employees will log in to SiQ manually, see Manual Login and SiQ.

SSO Overview

SSO is the most popular method among SiQ's customers. It allows a user to log in once to their network and thereby gain access to several network-connected programs, eliminating the need to sign in to each system individually.

SiQ supports single sign-on (SSO) logins through SAML 2.0. A SAML 2.0 identity provider can take many forms, such as ADFS or Okta.

Security Assertion Markup Language (SAML) is an XML-based open standard data format used to exchange authentication and authorization data between Identity Providers (IDP) and Service Providers (SP).

SiQ utilizes the SAML 2.0 standard as defined by the OASIS Technical Security Committee via a third-party library called Component Space.

The SAML standard defines the following roles and facilitates communication between them to create the Single Sign On process:

  • User is the person logging into SiQ
  • Identity Provider (IDP) is the business
  • Service Provider (SP) is SiQ

The SAML 2.0 Single Sign On process can be either IDP initiated or SP initiated.

When the process is IDP initiated, then the user is taken to the IDP web login.

When the process is SP initiated, the following exchange of data takes place:

  1. User browses to the Service Provider’s URL.
  2. Then the user clicks the SSO button.
  3. The Service Provider communicates with the Identity Provider to authenticate the user’s credentials.
  4. When access is granted by the Identity Provider, the user is automatically logged into the SiQ product.

Where access is not granted by the Identity Provider, e.g. because the session has timed out, the user will either:

  • receive a notification from the Identity Provider and will be unable to access the SiQ application.
  • receive a notification from the Identity Provider and be requested to verify their login details.
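As an added illustration of the SP-initiated exchange above (not SiQ's code, and not what SiQ's SAML library does internally), this parses a constructed, unsigned SAML Response and applies the checks the Service Provider runs in step 4 before logging the user in: the IdP status, the assertion's validity window (the timeout case), and that the assertion was issued for this SP. The issuer, audience and timestamps are made up; signature verification is assumed to be done by the SAML library before these checks are trusted.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}

# Constructed sample Response (unsigned, shortened); issuer, audience and times are made up.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
  IssueInstant="2024-01-01T12:00:00Z" Destination="https://sp.example.com/acs">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>https://idp.example.com</saml:Issuer>
    <saml:Subject><saml:NameID>jane.doe@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://sp.example.com</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def _ts(value):
    # SAML timestamps are UTC with a trailing Z; rewrite so fromisoformat accepts them on Python 3.7+.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_response(xml_text, expected_audience, now_iso):
    """Return (granted, reason, name_id) for a Response the SP received at now_iso.
    Signature verification is deliberately NOT done here; the SAML library must verify the
    signature first, otherwise none of the values checked below can be trusted."""
    root = ET.fromstring(xml_text)
    status = root.find("samlp:Status/samlp:StatusCode", NS).get("Value")
    if not status.endswith(":Success"):
        return False, "IdP did not grant access: " + status, None
    assertion = root.find("saml:Assertion", NS)
    cond = assertion.find("saml:Conditions", NS)
    now = _ts(now_iso)
    if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        return False, "assertion outside its validity window (timed out or replayed)", None
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        return False, "assertion was issued for a different service provider", None
    return True, "ok", assertion.find("saml:Subject/saml:NameID", NS).text
```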

[Image: sso_explained.png]

Work with your SAML 2.0 Identity Provider

You will need to check with your IT team to find out whether or not your business has SSO already set up for other applications.

Either your IT team will use the existing Identity Provider, or they will need to choose a vendor to engage with and then work with the Identity Provider to gather information.

Then your IT team will need to complete the following:

  1. Install and configure the SSO Identity Provider.
  2. Activate the SiQ Integration and configure the settings.

[Image: sso_integration.png]

SiQ has the following integrations available, or you can use the Custom SAML & SCIM Integration (see Option 3).

SSO (Single Sign On) and SiQ

Depending on how your company has set up SSO, you will complete the SSO login via your primary application or directly from the SiQ login screen.

For more details, see How do I Log in to SiQ?

Option 1

Your employee will log in from the User Provisioning Service Portal. The employee will complete the following:

  1. Receive an email notifying them that your SiQ environment is using SSO.
  2. Log in to the primary application first and locate the SiQ Web App.
  3. Click the SiQ Web App; they are automatically authenticated and logged in to SiQ.

Integration Notes:

When your IT team sets up the integration the following fields are used to set up this option:

  • {User Provisioning} Portal URL field contains the URL where the employee will find the SiQ Web App.
  • SSO Redirect URL field is optional and contains the URL the employee is redirected to after they log out.

[Image: sso_option1.png]

Note: If your company wants to use Two-Factor Authentication, then refer to Two Factor Authentication Settings.

Option 2

Your employee will log in from the SiQ Web App. The employee will complete the following:

  1. Receive an email notifying them that your SiQ environment is using SSO.
  2. In the browser's URL field, enter https://main.spaceiq.com/
  3. Click the Login with SSO button; they are automatically logged in to SiQ.

[Image: sso_option2.png]

Manual Login and SiQ

For your employees to log in to SiQ manually, your SiQ Admin will need to complete the following:

  1. Add the Employee into SiQ manually.
  2. Optional – The Employee will have the default role called Viewer; if they need a different role, it can be assigned. See Update Employee(s) Manually.
  3. Send an email to the employee to notify them of their SiQ username.

Then your employee will log in from the SiQ Web App. The employee will complete the following:

  1. Receive an email notifying them that they will need to log in manually and reset their password.
  2. Reset their password.
  3. Log into SiQ manually.

For more details, see How do I Log in to SiQ?

[Image: manual_login.png]