Glasscubes supports single sign-on (SSO) using the SAML 2.0 login standard. This has significant advantages over logging in with a username and password, including:
- High security - above and beyond the normal user/password credentials, our partner cloud identity providers (IdPs) also provide many options such as PKI certificates, pre-integration solutions from RSA, VASCO, etc.
- User convenience - no need to remember and renew passwords. Users simply visit the link in their browser and they are automatically logged in. We can also configure your account to only allow access via your IdP/AD so users cannot access the account outside of your corporate environment.
- Additional benefits - if you use one of our cloud identity providers, they support thousands of other cloud-based tools. This allows you to use just one username and password to access many web-based tools, which saves time and money.
Most organisations already know the identity of users because they are logged in to their Active Directory domain/LDAP. It makes sense to use this information to log users in to Glasscubes, and one of the more elegant ways of doing this is by using SAML 2.0, which is the industry enterprise standard.
How does it work?
SAML-based single sign-on gives your team members access to Glasscubes through an Identity Provider (IdP) of your choice, for example Google, OneLogin, JumpCloud and Active Directory Federation Services 2.0.
The whole process takes less than a second and is mostly invisible to the user. These technical steps are just to explain the process:
1 - The user clicks on a web icon/link or bookmark for their Glasscubes account, i.e. https://myaccount.glasscubes.com.
2 - Glasscubes detects that this account is set up for SSO and redirects the browser back to the Identity Provider (e.g. OneLogin, ADFS, etc.).
3 - The identity system (IdP) checks that the user is trusted and should be allowed access to Glasscubes. The IdP takes the user's email, first name and last name, digitally signs the data and sends it back to Glasscubes.
4 - Glasscubes checks the signed data against the customer's certificate and signs the user in to the account without the user having to enter their email or password.
Just in time provisioning
We can enable just-in-time provisioning on your account, which means the user can automatically be added to the account without an administrator having to sign up the user. This makes it very easy for someone to invite another user into a workspace (not into the Glasscubes account). The new user will receive an invite as normal and we will use your IdP to authenticate the user and add them to the account.
Glasscubes SSO setup
Identity Provider requirements:
- Must support SP-initiated SSO
- Must support SAML 2.0
What Glasscubes needs from your Identity Provider:
- Your SSO URL (e.g. https://mycompany.onelogin.com/trust/saml2/http-post/sso/592358 or https://sso.jumpcloud.com/saml2/mycompany)
- Your Identity Provider's X.509 certificate as a PEM file.
What you need from Glasscubes to set up your connection:
- Entity ID: https://glasscubes.com
- Security Token Consumer URL or SSO URL: https://[youraccount].glasscubes.com/sso/onelogin/consumer (where [youraccount] is the subdomain URL of your Glasscubes account)
Forward all of the information above to firstname.lastname@example.org. After we have received your details we will use your Identity Provider to authenticate your users.
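Step 4 of the sign-in flow names only the signature check, but the Entity ID and consumer URL listed above also end up inside the signed assertion, and a service provider normally confirms they match before logging the user in. The Python below is an added example, not Glasscubes' own code: it assumes the signature has already been verified against the IdP certificate by a SAML library, and `check_response`, the trimmed sample response and the request ID `_req1` are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ENTITY_ID = "https://glasscubes.com"  # Entity ID given on this page
ACS_URL = "https://myaccount.glasscubes.com/sso/onelogin/consumer"  # example subdomain

# Constructed, trimmed response (signature, issuer, IDs, attributes omitted)
SAMPLE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    Destination="{ACS_URL}">
 <saml:Assertion>
  <saml:Subject><saml:SubjectConfirmation>
   <saml:SubjectConfirmationData InResponseTo="_req1" Recipient="{ACS_URL}"
       NotOnOrAfter="2024-01-01T12:05:00Z"/>
  </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
   <saml:Audience>{ENTITY_ID}</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
 </saml:Assertion>
</samlp:Response>"""

def check_response(xml_text, request_id, now):
    """Return a list of problems; an empty list means these checks passed.
    Assumes the signature was already verified against the IdP certificate."""
    root = ET.fromstring(xml_text)
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        return ["expected exactly one assertion"]
    problems = []
    if root.get("Destination") != ACS_URL:
        problems.append("destination is not our consumer URL")
    audiences = [e.text for e in assertions[0].findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if ENTITY_ID not in audiences:
        problems.append("audience does not name our entity ID")
    scd = assertions[0].find(
        "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        return problems + ["no subject confirmation data"]
    if scd.get("Recipient") != ACS_URL:
        problems.append("recipient is not our consumer URL")
    if scd.get("InResponseTo") != request_id:  # SP-initiated: must answer our request
        problems.append("not a reply to our login request")
    expiry = scd.get("NotOnOrAfter")
    if expiry is None or now >= datetime.strptime(
            expiry, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc):
        problems.append("assertion missing expiry or expired")
    return problems
```

If the Entity ID or consumer URL is entered incorrectly at the IdP, the audience or recipient check is the one that fails, even though the signature itself is valid.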