Single Sign-On (SSO) is a service permitting the use of one set of login credentials (username and password) to access multiple applications.
SSO is an add-on to EngagementHQ and is not included in any standard license. If you like to enquire more or buy the add-on, please contact us via chat or email us at firstname.lastname@example.org
Why use SSO in EngagementHQ?
Single Sign-On (SSO) can help improve your admin user experience. With SSO you don't have to register a new account and remember a new username and password. Instead, you and your colleagues can simply log into EngagementHQ with the same credentials you use to log into your existing systems every day at work.
How does it look?
With SSO enabled your EngagementHQ login screen will have a new button that allows your staff to log in with their organization's details. Depending on the role you have given them they will then either have access as a project admin, site admin or a hub admin.
The wording and color of this 'Council Staff Sign In' button can be customized.
The Login Flow
There are two slightly different flows when you log in via SSO.
Assume you are not logged into your work network yet. Clicking on Council Staff Sign In will direct you back to your work network portal. Enter your username and password there and after logging in you will get redirected back to EngagementHQ where you are logged in.
Assume you have logged into your work network already. Clicking on Council Staff Sign In, will direct you back to your work network and straight away back to EngagementHQ where you are logged in. There is still a redirect back to your work network as the authorization still has to occur but you are not prompted to enter a username/password again nor is the re-direct visible to you.
After logging in with SSO, you have the same rights as before. Project admins, Site admins, and Hub admins will be logged in as per their respective roles.
If a user is logging in via SSO to their EngagementHQ site for the first time and their accounts have not been set up, these users will be participants on the site and a participant account will be automatically created on the EngagementHQ site. Site admins can then upgrade them to a project admin or a hub admin.
In PRM, you can see the participants who have logged in via SSO and use our filter mechanisms to create and manage groups. Participants who have logged in via SSO are no different from other participants in technical terms. It is only their method of connection that changes.
The Technical Detail
Currently, we offer SSO for any Identity Provider (IdP) that supports SAML (Security Assertion Markup Language). SAML-based SSO services involve communications between the user, an Identity Provider (IdP) that maintains a user directory, and EngagementHQ. When a user attempts to access EngagementHQ, we will send a request to the IdP for authentication. EngagementHQ will then verify the authentication and log the user in as a project admin, site admin, or hub admin, depending on their roles.
Examples of IdPs we have worked with are:
Microsoft Active Directory Federation Services
Important: We do not support IdP-initiated logins.
As an administrator logging in via SSO you will not be able to delete any projects. This is because as a security mechanism we require anyone who wants to delete a project to enter their EngagementHQ password. Since SSO administrators do not have an EngagementHQ password, you cannot proceed. Our support team can do this for you however, simply ask us via chat or email us at email@example.com and we will do it for you in no time.
EngagementHQ does not enforce SSO and allows normal username password login, since there are times when SSO is down and clients still want to use the system.
*We use a service called Auth0 to facilitate the authentication on our behalf. Auth0 is one of THE leading services for identity authentication.
The Workforce SSO login is for site admins, project admins, and hub admins
Contact our support team if you need any further assistance via chat or email firstname.lastname@example.org