Explanation of Enterprise SSO and setup
What is Enterprise SSO?
When logging into the Usercentrics Admin Interface / Account Management, we provide different options such as verification via e-mail or the social identity providers Google and Microsoft.
Enterprise SSO, on the other hand, connects your company login with the Usercentrics login system. For instance, if your company uses its own authentication with Azure Active Directory, the SSO can be connected to your environment so that you can log in to the Usercentrics applications with your existing company login credentials.
Which SSO authentication methods are available?
We suggest using OpenID Connect, which is supported by most identity providers and is, from our experience, the easiest variant to implement. Customers that use Microsoft Azure Active Directory also use OpenID Connect, which is natively supported by Azure AD. If you want to use another authentication method, please reach out to our support to clarify the details.
Are there any costs related to Enterprise SSO?
Additional costs apply when using Enterprise SSO for the login to Usercentrics. For further information, please reach out to your respective salesperson at Usercentrics.
How to connect the login system with Usercentrics Enterprise SSO
In order to use SSO you need to connect your system to ours. The following steps describe the implementation process and the information we need from you when using OpenID Connect:
- Configure your login system for a new OpenID Connect connection and provide us (Usercentrics) with all of the following information:
  - Issuer URL (ends with .well-known/openid-configuration)
  - Client ID
  - Client Secret
  - the domains for which your login system should be activated (for example, all users with an e-mail address ending in @company.com)
- Allow the following callback URLs in your system:
- https://login.usercentrics-sandbox.eu/login/callback (for our test system)
- https://login.usercentrics.eu/login/callback (for production)
- Our tech team configures the Enterprise SSO login according to the information provided.
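Before handing the values above to Usercentrics (or after registering the app in Azure AD as described in the FAQ below), it is worth checking that they are consistent. The following Python check is an added example, not Usercentrics code: it verifies that the discovery document's issuer equals the Issuer URL with the well-known suffix removed, that the endpoints are present over https, that the identity provider advertises the openid, profile and email scopes, and that both Usercentrics callback URLs are registered verbatim. The discovery document, the example-idp.test hostname and the registered redirect list are constructed sample data.

```python
"""Preflight check of an OpenID Connect discovery document for an Enterprise SSO connection.
Added example, not Usercentrics code; discovery document and redirect URIs are constructed."""
from urllib.parse import urlparse

WELL_KNOWN = "/.well-known/openid-configuration"
REQUIRED_CALLBACKS = {  # callback URLs named in the setup steps
    "https://login.usercentrics-sandbox.eu/login/callback",
    "https://login.usercentrics.eu/login/callback",
}
REQUIRED_SCOPES = {"openid", "profile", "email"}  # scopes the article says are requested
REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")

def check_discovery(discovery_url: str, doc: dict, registered_redirects: set) -> list:
    """Return findings as strings; an empty list means the configuration is consistent."""
    findings = []
    if not discovery_url.endswith(WELL_KNOWN):
        raise ValueError("discovery URL must end with " + WELL_KNOWN)
    expected = discovery_url[: -len(WELL_KNOWN)]
    # OIDC Discovery requires `issuer` to equal the URL prefix the document was fetched from.
    if doc.get("issuer") != expected:
        findings.append(f"issuer mismatch: document says {doc.get('issuer')!r}, expected {expected!r}")
    for name in REQUIRED_ENDPOINTS:
        endpoint = doc.get(name)
        if not endpoint:
            findings.append(f"missing {name}")
        elif urlparse(endpoint).scheme != "https":
            findings.append(f"{name} is not https: {endpoint}")
    missing = REQUIRED_SCOPES - set(doc.get("scopes_supported", []))
    if missing:
        findings.append("scopes not advertised by the IdP: " + ", ".join(sorted(missing)))
    # IdPs match redirect URIs as exact strings, so both callbacks must be registered verbatim.
    for cb in sorted(REQUIRED_CALLBACKS - registered_redirects):
        findings.append("callback not registered at the IdP: " + cb)
    return findings

# Constructed sample: a discovery document and the app's registered redirect URIs.
SAMPLE_ISSUER = "https://login.example-idp.test/tenant-id/v2.0"
SAMPLE_DISCOVERY = {
    "issuer": SAMPLE_ISSUER,
    "authorization_endpoint": SAMPLE_ISSUER + "/authorize",
    "token_endpoint": SAMPLE_ISSUER + "/token",
    "jwks_uri": SAMPLE_ISSUER + "/keys",
    "scopes_supported": ["openid", "profile", "email", "offline_access"],
}
SAMPLE_REDIRECTS = {"https://login.usercentrics.eu/login/callback"}  # sandbox callback forgotten

if __name__ == "__main__":
    for finding in check_discovery(SAMPLE_ISSUER + WELL_KNOWN, SAMPLE_DISCOVERY, SAMPLE_REDIRECTS):
        print("FINDING:", finding)
```

In a real run, replace SAMPLE_DISCOVERY with the JSON fetched from your Issuer URL and SAMPLE_REDIRECTS with the redirect URIs configured on your app registration.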
FAQ - Frequently Asked Questions
To set up OpenID Connect in Microsoft Azure Active Directory, follow these steps:
- Register a new app as described in this article: https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app
- Make sure you allow the redirect URIs of our login system as mentioned above
- Make sure you have created a Client Secret and provide the Value (not the ID!) to us
- The Issuer URL can be found under the “Endpoints” button in your app overview section
The following screenshot illustrates the final results and where to find the mentioned information / configuration:
The steps to create a client secret are described at https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app#add-a-client-secret.
Important
You need to provide the secret value (not the “secret id”)!
Enterprise SSO currently only supports Authentication (“who” the user is) and not Authorization (“what” permissions the user has). The permissions need to be configured via the Usercentrics Account Manager. However, if a user is blocked or removed in your login system, that user will also no longer have access to the Usercentrics settings (as the user cannot log in anymore).
Currently, we request the default OpenID Connect scopes openid, profile and email. Custom scopes might be supported in the future.
This is possible, but it is not “Enterprise SSO” (it can simply be used without additional setup). The main difference is that “Login via Google” cannot be enforced, whereas Enterprise SSO can be.
No, the “Login with Microsoft” button refers to the “Social Login” platform “Microsoft Live” (http://login.live.com) and is not compatible with Microsoft Enterprise Active Directory logins.
Although Auth0 is a US-based company, we are using the “EU tenant” option, which means that all login-related data will stay on EU servers.
This is inherently up to you, the customer. If you are fine sending it via e-mail, you can go with this approach. But you can also provide us with “one-time” links to the sensitive information you need to share with us.
Please contact our support to provide us with the new "client secret", so we can update it at our identity provider.
In general, Usercentrics does not offer an Identity Provider-Initiated Single Sign-On process because of the security risks explained at https://auth0.com/docs/authenticate/protocols/saml/saml-sso-integrations/identity-provider-initiated-single-sign-on. However, we have implemented the suggested workaround:
Normally customers visit the Usercentrics page directly and the system detects, once the e-mail address is entered, that this login is an Enterprise SSO login. If you want to create a bookmark to Usercentrics that logs in the SSO user automatically, you have to add a connection parameter to the URL, like https://account.usercentrics.eu?connection=<connection-name>. Please ask Usercentrics Support which <connection-name> needs to be used. This will cause a redirect chain without a login screen being displayed (if all sessions are still valid).