SSO FAQ

Frequently asked questions about Single Sign-On configuration and enforcement.

What is SSO Enforcement?

SSO Enforcement is a security feature that disables password-based ("back-door") user logins once SSO is enabled, so users can only authenticate through your configured identity provider. This gives you one place to decide who can sign in, which MFA they must complete, and when their access ends. API key authentication is separate from user login and is not affected by enforcement (see "What are the API implications?").

How do I enable SSO Enforcement?

Step 1: Configure SSO Provider

  1. Navigate to Admin Console > Security Configuration
  2. Enable the "Enable SSO" checkbox
  3. Select your SSO provider (Okta, Azure AD, SAML 2.0, or OIDC)
  4. Configure the provider-specific settings:
    • Okta: Enter Client ID and Issuer URL
    • Azure AD: Configure Azure AD integration
    • SAML 2.0: Upload certificate and configure endpoints
    • OIDC: Enter client credentials and endpoints

Step 2: Enable Enforcement

  1. Check the "Enforce SSO Only" checkbox
  2. Click "Save Configuration"
  3. Sign in as a test user through SSO in a separate browser or private window; keep your own admin session open until that test succeeds, because password login is no longer available as a fallback once enforcement is saved

Step 3: Migration Planning

  • Warning: Once enabled, all existing password-based logins will be disabled
  • Communicate with users about the change
  • Ensure all users are provisioned in your SSO provider under the same email address as their Cliqer account (matching is keyed on email; see "What happens to existing user accounts?")
  • Have a rollback plan ready

What happens when SSO is enforced?

When SSO enforcement is active:

  • ✅ Users are redirected to your SSO provider for authentication
  • ✅ Password-based login forms are hidden
  • ✅ Password-based calls to the login API are rejected; API key authentication is unaffected
  • ✅ All authentication events are logged for audit purposes

Can I test SSO before enforcing it?

Yes! Enable SSO without enforcement first:

  1. Enable "Enable SSO" but leave "Enforce SSO Only" unchecked
  2. Users can choose between SSO and traditional login
  3. Monitor SSO adoption and resolve any issues
  4. Once confident, enable enforcement

What are the supported SSO providers?

Okta

  • Protocol: SAML 2.0 and OIDC
  • Setup: Client ID, Issuer URL, Redirect URI
  • Features: Multi-factor authentication, user provisioning

Azure Active Directory

  • Protocol: SAML 2.0 and OIDC
  • Setup: Azure AD application configuration
  • Features: Conditional access, Azure AD groups

SAML 2.0 (Generic)

  • Protocol: SAML 2.0
  • Setup: Entity ID, SSO URL, X.509 certificate
  • Features: Compatible with any SAML 2.0 provider

OIDC (Generic)

  • Protocol: OpenID Connect
  • Setup: Client ID, Client Secret, Issuer URL
  • Features: Modern OAuth 2.0 + OIDC flow

What are the security benefits of SSO?

Centralized Access Control

  • Single source of truth for user identities
  • Centralized password policies and MFA requirements
  • Immediate account deactivation across all applications

Enhanced Security

  • Users stop authenticating with Cliqer-managed passwords, so there is no Cliqer password to phish or reuse (existing password logins become usable again only if enforcement is switched off)
  • Consistent security policies across all apps
  • Integration with enterprise security tools

Compliance Benefits

  • Supports SOC 2, ISO 27001, and GDPR requirements
  • Centralized audit logging
  • Reduced risk of password-related breaches

What happens to existing user accounts?

Automatic Migration

  • Existing users are linked to SSO identities by email address
  • No data loss occurs during migration
  • User preferences and settings are preserved

Account Matching

  • Users must log in with SSO using the same email as their existing account
  • If no match is found, account creation may be required
  • Admins can manually link accounts if needed
  • Because linking is keyed on email, make sure your IdP only releases verified, non-reassignable email addresses: if anyone could register an arbitrary address there, they could claim an existing Cliqer account on their first SSO login
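The two checks above (pre-migration provisioning, and linking on first SSO login) as an added example; this is illustrative code, not Cliqer's own implementation. It assumes an in-memory user table keyed by normalized email and OIDC-style claims (sub, email, email_verified); the names are assumptions.

```python
# Added example (not Cliqer's code): account-linking and pre-migration checks.
# Assumptions: users are stored in a dict keyed by normalized email, and the
# IdP returns OIDC-style claims (sub, email, email_verified).
from dataclasses import dataclass
from typing import Dict, List, Optional


class LinkError(Exception):
    """Raised when an SSO identity must not be linked to a local account."""


@dataclass
class User:
    email: str
    sso_subject: Optional[str] = None  # "<issuer>|<sub>" once linked


def normalize_email(addr: str) -> str:
    """Trim and lower-case; IdPs, users and the local store often disagree on case."""
    return addr.strip().lower()


def unprovisioned_users(users: Dict[str, User], idp_emails: List[str]) -> List[str]:
    """Pre-enforcement check: local accounts with no matching IdP user.
    Everyone returned here is locked out the moment enforcement is enabled."""
    provisioned = {normalize_email(e) for e in idp_emails}
    return sorted(key for key in users if key not in provisioned)


def link_sso_identity(users: Dict[str, User], claims: dict, issuer: str) -> User:
    """Return the local user for an SSO login, linking on first use.

    Linking is keyed on email, so the IdP must vouch for that email: an
    unverified address would let anyone who can self-register at the IdP
    claim an existing account. After the first login the stable subject
    wins, because email addresses can be reassigned at the IdP.
    """
    sub = claims.get("sub")
    if not sub:
        raise LinkError("IdP did not release a stable subject identifier")
    subject = f"{issuer}|{sub}"

    for user in users.values():  # already linked: match on subject, not email
        if user.sso_subject == subject:
            return user

    email = claims.get("email")
    if not email:
        raise LinkError("IdP did not release an email claim")
    if claims.get("email_verified") is not True:
        raise LinkError("refusing to link: IdP did not mark the email as verified")

    key = normalize_email(email)
    user = users.get(key)
    if user is None:
        raise LinkError(f"no local account for {key}; provision it first")
    if user.sso_subject is not None:
        raise LinkError("account is already linked to a different SSO identity")
    user.sso_subject = subject  # first SSO login for this account: link it
    return user
```

Run `unprovisioned_users` against an export of your IdP's users before ticking "Enforce SSO Only"; an empty list is the go/no-go signal for Step 3.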

Can I disable SSO enforcement?

Yes, but with caution: this reopens password login for every account at once, so treat it as a temporary, logged change rather than a permanent state:

  1. Uncheck "Enforce SSO Only" in security configuration
  2. Password-based login becomes available again
  3. Users can choose their authentication method
  4. SSO remains configured for users who prefer it

What if my SSO provider is unavailable?

Fallback Options

  • No Automatic Fallback: with enforcement on, an outage at your identity provider means no user can sign in until it recovers
  • Plan for Downtime: have monitoring and an incident response plan that covers the IdP, not just Cliqer
  • Admin Access: decide in advance how admins regain access; API key authentication keeps working during an IdP outage but is separate from user login, and disabling enforcement is done in the Admin Console, so it requires an admin who can already sign in

Best Practices

  • Keep a second provider's configuration documented and tested so you can switch quickly (only one provider can be active at a time)
  • Set up monitoring alerts for SSO provider health
  • Document emergency access procedures
  • Regularly test failover scenarios

How do I troubleshoot SSO issues?

Common Issues

"Invalid SAML Response"

  • Check that the IdP signing certificate uploaded to Cliqer is the current one (not expired, not rotated on the IdP side) and is in the expected format
  • Verify the SAML assertion structure: Issuer, Audience and Recipient must match what Cliqer expects
  • Confirm clock synchronization (NTP) between the IdP and Cliqer; assertions carry NotBefore/NotOnOrAfter windows of a few minutes, so clock drift produces this error intermittently
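The structural and timing checks above, as an added example (not Cliqer's code): it parses a constructed SAML Response and reports issuer, audience, recipient and validity-window problems with a clock-skew allowance. The sample response, the expected issuer/audience/recipient values and the 120-second skew are assumptions. It does not verify the XML signature; in a real consumer that check runs first, and a production parser should use defusedxml rather than the stdlib parser.

```python
# Added example (not Cliqer's code): checks behind "Invalid SAML Response".
# Signature verification is deliberately out of scope and must precede this.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta
from typing import List

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample: the shape of an IdP response, minus the Signature element.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_r1" Version="2.0" IssueInstant="2026-01-15T10:00:00Z">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2026-01-15T10:00:00Z">
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2026-01-15T10:05:00Z"
            Recipient="https://app.example.com/api/auth/sso/callback"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2026-01-15T09:59:00Z" NotOnOrAfter="2026-01-15T10:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://app.example.com</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

EXPECTED = {  # what this service provider expects; constructed to match the sample
    "expected_issuer": "https://idp.example.com/metadata",
    "expected_audience": "https://app.example.com",
    "expected_recipient": "https://app.example.com/api/auth/sso/callback",
}


def _ts(value: str) -> datetime:
    """SAML timestamps are UTC ISO 8601 with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_assertion(xml_text: str, expected_issuer: str, expected_audience: str,
                    expected_recipient: str, now: datetime,
                    skew: timedelta = timedelta(seconds=120)) -> List[str]:
    """Return human-readable problems; an empty list means the checks passed.
    `skew` is the tolerated clock difference between IdP and SP."""
    problems: List[str] = []
    root = ET.fromstring(xml_text)
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        return [f"expected exactly one Assertion, found {len(assertions)}"]
    a = assertions[0]

    issuer = (a.findtext("saml:Issuer", default="", namespaces=NS) or "").strip()
    if issuer != expected_issuer:
        problems.append(f"issuer mismatch: got {issuer!r}")

    cond = a.find("saml:Conditions", NS)
    if cond is None:
        problems.append("assertion has no Conditions element")
    else:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now + skew < _ts(nb):
            problems.append(f"not yet valid (NotBefore={nb}); check clock sync")
        if noa and now - skew >= _ts(noa):
            problems.append(f"expired (NotOnOrAfter={noa}); check clock sync")
        audiences = [e.text.strip() for e in
                     cond.findall("saml:AudienceRestriction/saml:Audience", NS) if e.text]
        if expected_audience not in audiences:
            problems.append(f"audience mismatch: {audiences} lacks {expected_audience!r}")

    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        problems.append("bearer assertion has no SubjectConfirmationData")
    else:
        if scd.get("Recipient") != expected_recipient:
            problems.append(f"recipient mismatch: {scd.get('Recipient')!r}")
        noa = scd.get("NotOnOrAfter")
        if noa and now - skew >= _ts(noa):
            problems.append(f"subject confirmation expired (NotOnOrAfter={noa})")
    return problems


def check_sample(now_iso: str, **overrides) -> List[str]:
    """Run the checks on SAMPLE_RESPONSE as of `now_iso`, e.g. '2026-01-15T10:01:00Z'."""
    return check_assertion(SAMPLE_RESPONSE, now=_ts(now_iso), **{**EXPECTED, **overrides})
```

The skew allowance is what separates "the IdP's clock is a minute ahead" (tolerated) from "the user replayed a stale response" (rejected); keep it small and monitor how often the timing checks fire.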

"OIDC Configuration Error"

  • Validate client credentials (Client ID and Client Secret exactly as issued by the IdP)
  • Check that redirect URIs match exactly: scheme, host, port, path and trailing slash all count, and providers do not normalize them
  • Verify the issuer's discovery and token endpoints are reachable from Cliqer (egress firewalls and proxies are a common cause)
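The offline part of that checklist as an added example (not Cliqer's code): it validates a relying-party configuration against a constructed discovery document shaped like the provider's /.well-known/openid-configuration. The sample config and discovery values are assumptions. Reachability of the endpoints needs a live HTTP request and is left out.

```python
# Added example (not Cliqer's code): offline checks behind "OIDC Configuration Error".
from typing import Dict, List
from urllib.parse import urlsplit

REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")

SAMPLE_DISCOVERY = {  # constructed; field names follow OpenID Connect Discovery
    "issuer": "https://login.example.com",
    "authorization_endpoint": "https://login.example.com/oauth2/v1/authorize",
    "token_endpoint": "https://login.example.com/oauth2/v1/token",
    "jwks_uri": "https://login.example.com/oauth2/v1/keys",
    "response_types_supported": ["code", "id_token"],
    "id_token_signing_alg_values_supported": ["RS256"],
}

SAMPLE_CONFIG = {  # constructed; what an admin typed into the OIDC settings
    "issuer": "https://login.example.com",
    "client_id": "cliqer-prod",
    "client_secret": "s3cret-from-the-idp",
    "redirect_uri": "https://app.example.com/api/auth/sso/callback",
    # the exact URIs registered on the IdP side for this client
    "registered_redirect_uris": ["https://app.example.com/api/auth/sso/callback"],
}


def validate_oidc_config(config: Dict, discovery: Dict) -> List[str]:
    """Return human-readable problems; an empty list means the config is consistent."""
    problems: List[str] = []

    # Issuer is compared as an exact string: a trailing slash or http:// makes it a
    # different issuer and every ID token's iss claim will then fail to match.
    if config.get("issuer") != discovery.get("issuer"):
        problems.append(f"issuer mismatch: config {config.get('issuer')!r} "
                        f"vs discovery {discovery.get('issuer')!r}")

    for name in REQUIRED_ENDPOINTS:
        url = discovery.get(name)
        if not url:
            problems.append(f"discovery document lacks {name}")
            continue
        if urlsplit(url).scheme != "https":
            problems.append(f"{name} is not https: {url}")

    if not config.get("client_id") or not config.get("client_secret"):
        problems.append("client_id and client_secret must both be set")

    if "code" not in discovery.get("response_types_supported", []):
        problems.append("provider does not advertise the authorization code flow")
    if "none" in discovery.get("id_token_signing_alg_values_supported", []):
        problems.append("provider advertises unsigned ('none') ID tokens; make sure they are rejected")

    # Redirect URIs are matched as exact strings, never normalized: case, port,
    # trailing slash and query string all count.
    if config.get("redirect_uri") not in config.get("registered_redirect_uris", []):
        problems.append(f"redirect_uri {config.get('redirect_uri')!r} is not registered exactly as typed")
    return problems
```

Feed it the real discovery document (fetched separately) and the values from the settings page; the issuer and redirect-URI checks catch the two mismatches that account for most "OIDC Configuration Error" reports.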

"User Not Found"

  • Ensure the user exists in both the SSO provider and Cliqer
  • Check email address matching: the email the IdP releases must equal the Cliqer account email (watch for aliases and casing differences)
  • Verify user provisioning settings

Debugging Tools

  • SSO Logs: Check audit logs for detailed error messages
  • Network Tab: Monitor HTTP requests and responses
  • Browser Console: Check for JavaScript errors
  • SSO Provider Logs: Review provider-specific logs

Can I use multiple SSO providers?

Currently, only one SSO provider can be active at a time. However, you can:

  • Configure different providers for different environments
  • Use identity federation if your provider supports it
  • Implement custom SSO solutions for complex scenarios

What are the API implications?

Authentication Endpoints

  • /api/auth/login - Disabled when SSO enforced
  • /api/auth/sso/callback - Active for SSO flows
  • /api/auth/me - Works with SSO tokens

API Key Authentication

  • Remains available regardless of SSO settings, so enforcement does nothing for API keys; inventory and rotate them separately
  • Can be restricted by IP allowlists
  • Separate from user authentication

Security Standards Compliance

SSO enforcement helps meet:

  • NIST SP 800-63: Digital Identity Guidelines
  • ISO 27001: Information Security Management
  • SOC 2: Security, Availability, and Confidentiality
  • GDPR: Data Protection and Privacy

Need Help?

If you encounter issues:

  1. Check the audit logs for detailed error messages
  2. Review your SSO provider configuration
  3. Contact support with specific error messages
  4. Provide SSO provider logs if available

Copyright © 2026. All rights reserved.