Single Sign On (SSO)

TrialGrid can be configured with Single Sign On systems which support the SAML (Security Assertion Markup Language) standard.

This configuration can only be set up by TrialGrid Ltd staff by arrangement.

Authentication

When an Organization has been set up with SSO all users in that organization will sign in using the SSO provider. Users will not be able to use the following TrialGrid functionality:

  • Change password

  • Forgot password

  • Enable Two Factor Authentication

All functions related to passwords and authentication of users are delegated to the SSO provider.

Deactivating Users

When an organization has been set up with SSO, deactivation of users is managed by the SSO provider. A user who cannot log into the SSO Provider cannot log into the TrialGrid system.

Log In

A user who is part of an Organization which is set up for Single Sign On may try to log in to TrialGrid but will be redirected to log into their SSO provider.

A user may also log into TrialGrid via a link in the SSO provider's portal.

Log out

When a user authenticated via Single Sign On logs out of TrialGrid they are not automatically logged out of the Single Sign On system.

User Invitations

When SSO is activated for an Organization, the organization is associated with one or more domain names (e.g. example.com, yourcompany.com, academic.org etc). Any user invited with an email address belonging to a domain associated with an Organization will be associated with that organization and will be required to use its SSO system to log in.

For example, if I am working in a project for CompanyA and I invite a user with email alice@company**b**.com then the system will search for an Organization which is associated with "companyb.com". If it finds this organization then the user will be associated with that Organization in the TrialGrid system and will be required to log in via the CompanyB SSO system (if any) or by their password management rules in TrialGrid if not.

If a user's domain name is not associated with any Organization in the TrialGrid system then the user will be associated with the Organization the project belongs to.

For example, I am working in a project belonging to CompanyA and I invite a user with email alice@company**z**.com. If no Organization in the TrialGrid system is responsible for the companyz.com domain name then alice will be created in the current project Organization and will have to log in via whatever system (SSO or normal TrialGrid login) is active for the Organization the project belongs to.

Note that this means that the SSO system for an organization can be asked to authenticate users that it does not know (for example, the companya.com login system asked to authenticate alice@companyz.com), which will leave the user locked out.
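
The invitation rules above, as an added example that is not TrialGrid's own code: a Python model of the domain lookup that flags the lockout case before an invitation is sent. The Org class, the resolve_invite function and the sample organizations are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Org:
    name: str
    domains: frozenset  # email domains this organization is responsible for
    sso: bool           # True if the organization signs in through SSO


def resolve_invite(email, project_org, orgs):
    """Return (organization name, login method, lockout_risk) for an invitee."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {email!r}")
    domain = domain.lower()

    # Rule 1: an organization associated with the domain claims the user,
    # who then logs in by that organization's method.
    owner = next((o for o in orgs if domain in o.domains), None)
    if owner is not None:
        return owner.name, "sso" if owner.sso else "password", False

    # Rule 2: no organization is responsible for the domain, so the user is
    # created in the project's organization. If that organization uses SSO,
    # its identity provider is asked to authenticate an address it may not
    # know, which is the lockout case described above.
    method = "sso" if project_org.sso else "password"
    return project_org.name, method, project_org.sso


# Constructed sample organizations (assumptions, not real configuration).
COMPANY_A = Org("CompanyA", frozenset({"companya.com"}), sso=True)
COMPANY_B = Org("CompanyB", frozenset({"companyb.com"}), sso=True)
COMPANY_C = Org("CompanyC", frozenset({"companyc.com"}), sso=False)
ORGS = [COMPANY_A, COMPANY_B, COMPANY_C]

if __name__ == "__main__":
    for address in ("alice@companyb.com", "alice@companyz.com"):
        org, method, risk = resolve_invite(address, COMPANY_A, ORGS)
        note = " (lockout risk: unknown to the SSO provider)" if risk else ""
        print(f"{address}: {org}, login via {method}{note}")
```

Running a check like this over a planned invitation list shows which invitees need an account in the project organization's SSO provider before they can log in.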