Manage users via Single Sign-On (SSO)

Learn how to set up Single Sign-On (SSO) with Smartcat so your company users can securely access Smartcat using existing credentials.

SSO is an authentication process that allows users to log in to multiple applications and services with a single set of credentials, irrespective of the platform, technology, or domain used. The advantages of SSO are many, the most valuable being:

  • Secure handling of multiple accounts and related user data

  • Improved security capabilities, especially if combined with multi-factor authentication

  • Streamlined user experience: the elimination of repeated logins increases employee satisfaction and productivity

  • Ability to ensure that corporate compliance rules are being followed

Smartcat provides Corporate customers with the ability to manage their users via their company’s Single Sign-On (SSO) provider. Smartcat supports four major authentication systems: ADFS, Azure AD, Okta, and DUO.

How to set up SSO for your Smartcat Workspace?

If your company uses one of these systems (ADFS, Azure AD, Okta, or DUO), you’ll need to provide our team with some basic details when raising a support ticket with Smartcat support here.

  • The name and software version of your SSO technology or provider. For example: Azure AD, or ADFS 4.0 on MS Server 2016.

  • The public URL of your OAuth 2.0 or ADFS server endpoint.

The OAuth 2.0 server endpoint is the URL where the authorization server is hosted; this is where the application sends requests to initiate the authentication process.

The ADFS server endpoint is a URL that corresponds to a specific ADFS server within an organization. It is used to handle requests related to authentication, federation, and identity management. When setting up OIDC for Azure or custom OIDC providers, you may need to provide multiple endpoints. If you're using SAML, you might also need to provide a certificate, especially when working with Azure AD or Entra ID.
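Before the endpoints above are handed over in a support ticket, it is worth checking them against what the IdP itself advertises. The following Python snippet is an added example (not Smartcat's code or any IdP's) of that pre-flight check on an OpenID Connect discovery document: it pulls out the authorization, token and JWKS endpoints, and flags an issuer mismatch, a non-HTTPS endpoint, an endpoint hosted away from the issuer, or a required scope the IdP does not list. The two discovery documents, the issuer and all hostnames are constructed placeholders, not a real tenant.

```python
import json
from urllib.parse import urlparse

# Constructed OpenID Connect discovery documents of the kind an IdP serves
# at /.well-known/openid-configuration. Hostnames are placeholders.
GOOD_DISCOVERY = """{
  "issuer": "https://idp.example.com/tenant-placeholder",
  "authorization_endpoint": "https://idp.example.com/tenant-placeholder/authorize",
  "token_endpoint": "https://idp.example.com/tenant-placeholder/token",
  "jwks_uri": "https://idp.example.com/tenant-placeholder/keys",
  "scopes_supported": ["openid", "email", "profile"],
  "claims_supported": ["sub", "email", "given_name", "family_name"]
}"""

# Same document with defects: the token endpoint is plain http, jwks_uri is
# missing (so ID-token signatures could not be checked) and the email scope
# is not advertised.
BAD_DISCOVERY = """{
  "issuer": "https://idp.example.com/tenant-placeholder",
  "authorization_endpoint": "https://idp.example.com/tenant-placeholder/authorize",
  "token_endpoint": "http://idp.example.com/tenant-placeholder/token",
  "scopes_supported": ["openid", "profile"]
}"""

# Endpoints a relying party needs for the authorization-code flow, and the
# scopes the page says the SSO application must provide.
REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")
REQUIRED_SCOPES = {"openid", "email", "profile"}


def check_discovery(discovery_json, expected_issuer):
    """Validate a discovery document before its endpoints are handed over.

    Returns (endpoints, problems): endpoints holds the required URLs that
    were present; problems is a list of human-readable findings, empty
    when the document is acceptable."""
    doc = json.loads(discovery_json)
    problems = []

    issuer = doc.get("issuer", "")
    if issuer != expected_issuer:
        problems.append(f"issuer mismatch: {issuer!r} != {expected_issuer!r}")
    issuer_host = urlparse(issuer).hostname

    endpoints = {}
    for name in REQUIRED_ENDPOINTS:
        url = doc.get(name)
        if url is None:
            problems.append(f"missing {name}")
            continue
        parsed = urlparse(url)
        if parsed.scheme != "https":
            problems.append(f"{name} is not https: {url}")
        if parsed.hostname != issuer_host:
            problems.append(f"{name} host {parsed.hostname!r} differs from issuer host")
        endpoints[name] = url

    missing_scopes = REQUIRED_SCOPES - set(doc.get("scopes_supported", []))
    if missing_scopes:
        problems.append("scopes not advertised: " + ", ".join(sorted(missing_scopes)))
    return endpoints, problems


if __name__ == "__main__":
    for label, doc in (("good", GOOD_DISCOVERY), ("bad", BAD_DISCOVERY)):
        eps, probs = check_discovery(doc, "https://idp.example.com/tenant-placeholder")
        print(label, "->", probs or "ok", sorted(eps))
```

The host comparison is deliberately strict: an endpoint served from a different host than the issuer is not necessarily wrong, but it is exactly the detail to confirm with the IdP administrator before the URLs go into the ticket.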

  • Also indicate the clientId and clientSecret, if applicable.

The clientId is a public identifier for the application that’s trying to access an API or service on behalf of a user. Think of it as the "username" for your app when it communicates with an OAuth 2.0 authorization server.

The clientSecret is a confidential value that the application (client) uses to authenticate itself to the authorization server. It’s like a password for the app.

  • The web domain that users’ email addresses should originate from, so that those users are redirected to your SSO provider.

  • A test user email address to verify the SSO configuration.

After our Support team receives the ticket with all these details, our developers will set up SSO on Smartcat’s end and provide callback URLs to be added on your server/provider side, so that it can return responses to Smartcat’s requests.

When SSO is configured and connected, users from the specified web domain are immediately redirected to your login URL instead of seeing the Smartcat login form.
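The domain-based redirect just described is a routing decision made from the login email address. The Python below is an added example of such a router, not Smartcat's own code: it normalizes the address (case, whitespace, trailing dot), matches the domain exactly rather than by suffix, supports routing individual test users before a whole domain is enabled (the FAQ below describes testing SSO with specific users first), and refuses to federate a domain for a second client, matching the requirement that SSO domains be unique across clients. All domains, client names and login URLs are constructed placeholders.

```python
# Added example of domain-based SSO routing; not Smartcat's routing code.
# Domains, client names and login URLs below are placeholders.


class SsoRouter:
    """Decide, from a login email address, whether the user goes to a
    federated IdP (and which one) or to the regular login form."""

    def __init__(self):
        self._domains = {}      # normalized domain -> (owning client, login URL)
        self._pilot_users = {}  # normalized email -> login URL, for pre-go-live tests

    @staticmethod
    def _normalize_domain(domain):
        # Case-insensitive; ignore surrounding whitespace and a trailing dot.
        return domain.strip().lower().rstrip(".")

    @classmethod
    def _split_email(cls, email):
        """Return (local_part, domain), both normalized, or None if malformed."""
        email = email.strip()
        if email.count("@") != 1:
            return None
        local, domain = email.split("@")
        if not local or not domain or "." not in domain:
            return None
        return local.lower(), cls._normalize_domain(domain)

    def register_domain(self, domain, client, login_url):
        """Federate a whole domain. A domain may belong to one client only."""
        d = self._normalize_domain(domain)
        owner = self._domains.get(d)
        if owner is not None and owner[0] != client:
            raise ValueError(f"domain {d!r} is already federated for client {owner[0]!r}")
        self._domains[d] = (client, login_url)

    def register_pilot_user(self, email, login_url):
        """Route a single test user to the IdP before its domain is enabled."""
        parts = self._split_email(email)
        if parts is None:
            raise ValueError(f"malformed email {email!r}")
        self._pilot_users["@".join(parts)] = login_url

    def route(self, email):
        """Return the IdP login URL to redirect to, or None for the normal form."""
        parts = self._split_email(email)
        if parts is None:
            return None
        local, domain = parts
        pilot_url = self._pilot_users.get(f"{local}@{domain}")
        if pilot_url is not None:
            return pilot_url
        # Exact match only: a subdomain is federated only if registered itself.
        owner = self._domains.get(domain)
        return owner[1] if owner else None


def build_demo_router():
    """Constructed configuration: one fully federated domain and one domain
    still in pilot with a single test user (placeholders)."""
    router = SsoRouter()
    router.register_domain("Example.com", "acme", "https://idp.example.com/login")
    router.register_pilot_user("pilot.user@newco.example", "https://sso.newco.example/start")
    return router


def try_register(router, domain, client, login_url):
    """True if the domain could be registered, False if another client owns it."""
    try:
        router.register_domain(domain, client, login_url)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    r = build_demo_router()
    for addr in (" Alice@EXAMPLE.COM ", "bob@sub.example.com",
                 "Pilot.User@newco.example", "other@newco.example", "not-an-email"):
        print(f"{addr!r:30} -> {r.route(addr)}")
    print("another client can take example.com:",
          try_register(r, "EXAMPLE.COM.", "other", "https://x.example/login"))
```

Matching the domain exactly instead of by suffix is the conservative choice: a subdomain that is not itself registered falls back to the normal login form rather than being silently sent to an IdP that may not know its users.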

FAQs

What is the process for a user to set up their Smartcat account with SSO?

Users should receive an invitation to set up their Smartcat account. During setup, they will be redirected to the SSO provider (e.g., Okta) for authentication. If authenticated, they will be logged in automatically.

What happens if a user tries to log in without an account in Smartcat?

If a user tries to log in without an existing Smartcat account, they will be redirected to the sign-up page to finalize their registration. Once registered, the user will either:
1. Automatically join an existing workspace if domain joining and JIT provisioning are enabled.
2. Be able to create a new workspace if no existing workspace is available to join.

Can users create their own workspaces in Smartcat?

Currently, users can create their own workspaces, but this feature is planned for removal. Workspace creation should be managed by admins, and users should be invited to existing workspaces.

Does Smartcat support multiple domains for SSO?

Yes, Smartcat supports multiple domains for SSO. Domains must be unique and not used by other clients. Provide a list of domains to the Smartcat team for configuration.

What is required to enable SSO for all users in the organization?

Provide the list of domains for federation to the Smartcat team. They will update backend configuration to enable SSO for all users under the specified domains.

Will users need to authenticate via Okta during the invitation process?

Yes, users will be redirected to Okta for authentication during the invitation process. If already authenticated, they will be logged in automatically.

What happens if a user who is not in Okta tries to log in?

If a user is not in Okta and tries to log in, they will not be able to authenticate or access Smartcat. They must exist in the Okta database for the SSO process to work.

What role do users get assigned when they join a workspace in Smartcat?

Currently, users are assigned the Project Manager role by default. This may change in the future to assign a more limited default role.

How can we ensure users are invited to the correct workspaces?

Admins must manage invitations and workspace access settings. User guidance should emphasize starting from an invitation rather than accessing Smartcat directly.

How do we manage the domains and user access for SSO in Smartcat?

Provide the list of domains to the Smartcat team. Ensure all users are added to Okta for successful authentication.

What are the next steps to implement SSO for our organization?

1. Provide the list of domains to the Smartcat team.
2. Close all workspaces to prevent unauthorized access.
3. Set a go-live date and align corporate communications.
4. Perform smoke testing to confirm the setup works.

Can we test SSO with specific users before enabling it for the entire organization?

Yes, you can provide specific user details to the Smartcat team to test SSO with individual users before full implementation.

Can we use just-in-time (JIT) provisioning with Smartcat?

Yes, JIT provisioning works with Smartcat, provided the necessary security steps are completed on your end. Specifically, your Smartcat workspace must have the setting enabled that allows new users within your domain to automatically join the workspace. Once this is configured, users can be provisioned just in time and will automatically be added as managers. Please ensure domain joining is properly set up to maintain security.

Can we leverage group claims or IdP Groups to assign roles?

No, Smartcat does not support role assignments based on group claims or IdP Groups. Role configuration is managed internally using basic user information (ID, email, name, surname).

Can Smartcat support multiple domains per IdP?

Yes, as long as the domains are unique and not used by other clients.

Does Smartcat provide auditing and logging of actions?

Audit Logs can be pulled via API. Smartcat aggregates application logs and traces, but they are not directly available to customers. For investigations, Smartcat can provide internal reports.

Can the system be configured to require multifactor authentication (MFA)?

Yes, MFA can be enforced via SSO.

What will the end-user experience be like when using SSO with Smartcat?

Users will receive an invitation to join a workspace. During setup, they will be redirected to the IdP for authentication. If authenticated, they will be logged in automatically. Unauthorized users will be redirected to the sign-in page.

What are the best practices for managing user access and workspace invitations?

1. Add all users to IdP before enabling SSO.

2. Provide clear guidance for users to start from an invitation.

3. Prevent unauthorized workspace creation.

4. Regularly review and update access permissions and settings.

What SSO claims will the application leverage (first name, last name, email, etc)?

Make sure your SSO application provides the following scopes and claims:

1) scope: openid

2) scope: email, claims: email

3) scope: profile, claims: given_name (or firstname), family_name (or lastname)
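A quick way to confirm that an IdP actually emits these claims is to inspect the ID token returned for a test user. The Python below is an added example (not Smartcat's code): it decodes a constructed ID-token payload, maps the claims onto email, first name and last name while accepting the alternative claim names listed above, reports every attribute that is missing, and checks that a requested scope list contains openid, email and profile. The payload values are placeholders, and the code assumes the token's signature, issuer, audience and expiry have already been verified by the OIDC client library.

```python
import base64
import json

# Constructed ID-token payload (the middle JWT segment) as an IdP would
# return it after the user authenticates; all values are placeholders.
SAMPLE_CLAIMS = {
    "iss": "https://idp.example.com/tenant-placeholder",
    "sub": "user-id-placeholder",
    "aud": "client-id-placeholder",
    "email": "Jane.Doe@example.com",
    "firstname": "Jane",        # non-standard alias some IdPs emit
    "family_name": "Doe",
}

# Each required attribute with the claim names accepted for it, in order of
# preference, mirroring the scope/claim list above.
CLAIM_ALIASES = {
    "email": ("email",),
    "first_name": ("given_name", "firstname"),
    "last_name": ("family_name", "lastname"),
}
REQUIRED_SCOPES = ("openid", "email", "profile")


def encode_payload(claims):
    """Serialize claims as a base64url JWT segment (padding stripped)."""
    raw = json.dumps(claims, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_payload(segment):
    """Decode a base64url JWT segment back into a claims dict."""
    segment += "=" * (-len(segment) % 4)   # restore the stripped padding
    return json.loads(base64.urlsafe_b64decode(segment))


def extract_user(claims):
    """Map verified ID-token claims onto email, first_name and last_name.

    Raises ValueError naming every attribute for which none of the accepted
    claim names is present, so the IdP's claim mapping can be fixed before
    go-live. Assumes signature/issuer/audience/expiry were already checked."""
    user, missing = {}, []
    for attr, names in CLAIM_ALIASES.items():
        value = next((claims[n] for n in names if claims.get(n)), None)
        if value is None:
            missing.append(f"{attr} (expected one of: {', '.join(names)})")
        else:
            user[attr] = str(value).strip()
    if missing:
        raise ValueError("ID token lacks required claims: " + "; ".join(missing))
    user["email"] = user["email"].lower()   # emails compare case-insensitively
    return user


def claims_problem(claims):
    """Return the error message for an unusable token, or None if it is fine."""
    try:
        extract_user(claims)
        return None
    except ValueError as exc:
        return str(exc)


def missing_scopes(requested):
    """Return the required scopes absent from the scopes the app requests."""
    return [s for s in REQUIRED_SCOPES if s not in set(requested)]


if __name__ == "__main__":
    print(extract_user(decode_payload(encode_payload(SAMPLE_CLAIMS))))
    print(claims_problem({"sub": "x", "email": "a@b.example"}))
    print(missing_scopes(["openid", "profile"]))
```

Reporting all missing attributes at once, rather than failing on the first, saves a round of back-and-forth with the IdP administrator during the test-user phase.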

What user provisioning is leveraged: SCIM (System for Cross-domain Identity Management)?

The current SSO implementation does not provide full SCIM capabilities: you can manage user data on your IdP’s end, but changes are not propagated to Smartcat, and group provisioning is not supported. Smartcat SSO supports automatic provisioning of new accounts on Smartcat’s side and lets you deny a user access to Smartcat based on your IdP’s user access list for the Smartcat app.

What API permissions are required by the app (our company enforces a Zero Trust policy)?

We need the application to grant us permissions to read users’ profiles and allow sign-in; in terms of Microsoft Graph API permissions, these are the profile and User.Read permissions. Regarding a Zero Trust policy: we advise Smartcat account admins to configure access rights for their users in the web portal. As for access restrictions on the IdP side, we are not able to perform any write operations.

What is the front-channel logout URL used by the App?

We do not use a logout URL in our SSO configuration.

Will there be more instances for integration (DEV, UAT, TEST, etc)?

This is not planned at the moment: all testing takes place in production using test user(s). Then we enable SSO for the whole domain(s).

Is user access granting and lifecycle managed by roles or groups that can be linked to Azure AD Groups?

No, we do not use Azure AD or similar directory systems to manage user permissions or the access lifecycle.

Does Smartcat support IdP-initiated login attempts?

No.

Does SSO work when users select Sign in with Google or another third-party sign-in option on the login screen?

When SSO is enabled for an Enterprise account, users of that account can only log in via the configured custom SSO configuration. Google and other third-party sign-in options will no longer work for these users.

What is the process to reach out to Smartcat's Support team regarding SSO?

You should reach out to our team via the form available here. Make sure to select Smartcat Platform as the Product Area and SSO request/query/issue as the Category of your query.