Single Sign On (SSO)
TrialGrid can be configured with Single Sign On systems which support the SAML (Security Assertion Markup Language) standard.
This configuration can only be set up by TrialGrid Ltd staff by arrangement.
Authentication
When an Organization has been set up with SSO, all users in that Organization will sign in using the SSO provider by default. SSO users will not be able to use the following TrialGrid functionality:
Change password
Forgot password
Enable Two Factor Authentication
All functions related to passwords and authentication of users are delegated to the SSO provider.
Important
It is possible to have users who do not use SSO for login within an Organization which is linked to SSO. This can be useful for service accounts which are not linked to a specific individual. Unlinking a user from SSO can be requested from TrialGrid Ltd staff.
Deactivating Users
When an Organization has been set up with SSO, deactivation of users is managed by the SSO provider. A user who cannot log into the SSO provider cannot log into the TrialGrid system.
Log In
A user who is part of an Organization which is set up for Single Sign On may start logging in at TrialGrid but will be redirected to log into their SSO provider.
A user may also log into TrialGrid via a link in the SSO provider's portal.
Log out
When a user authenticated via Single Sign On logs out of TrialGrid, they are not automatically logged out of the Single Sign On system.
User Invitations
When SSO is activated for an Organization, the organization is associated with one or more domain names (e.g. example.com, yourcompany.com, academic.org etc). Any user invited with an email address belonging to a domain associated with an Organization will be associated with that organization and will be required to use its SSO system to log in.
For example, if I am working on a project for CompanyA and I invite a user with email alice@company**b**.com, the system will search for an Organization which is associated with "companyb.com". If it finds such an Organization, the user will be associated with that Organization in the TrialGrid system and will be required to log in via the CompanyB SSO system (if CompanyB has one) or, if not, by the password management rules of that Organization in TrialGrid.
If a user's email domain is not associated with any Organization in the TrialGrid system, the user will be associated with the Organization the project belongs to.
For example, I am working on a project belonging to CompanyA and I invite a user with email alice@company**z**.com. If no Organization in the TrialGrid system is responsible for the companyz.com domain name, alice will be created in the current project's Organization and will have to log in via whatever system (SSO or normal TrialGrid login) is active for the Organization the project belongs to.
Note that this means that the SSO system for an Organization can be asked to authenticate users that it does not know (the companya.com login system asked to authenticate alice@companyz.com), which will leave the user locked out.
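The invitation rule above, modelled as an added example (this is illustrative code, not TrialGrid's own implementation): the invitee's email domain is matched against the domains each Organization owns, an unmatched domain falls back to the project's Organization, and the fallback is flagged when that Organization uses SSO, since its provider would then be asked about a user it does not know. The Organizations, domains and addresses are constructed sample data.

```python
from dataclasses import dataclass, field


@dataclass
class Organization:
    name: str
    domains: set = field(default_factory=set)  # e-mail domains the Organization owns
    sso: bool = False                            # True if the Organization uses a SAML SSO provider


@dataclass
class Invitation:
    organization: Organization  # Organization the invitee is associated with
    login_method: str           # "sso" or "password"
    lockout_risk: bool          # an SSO provider will be asked about a domain it does not own


def resolve_invitation(email: str, project_org: Organization, orgs: list) -> Invitation:
    """Model of the invitation rule described above (constructed, not TrialGrid's code)."""
    if email.count("@") != 1:
        raise ValueError(f"not a valid e-mail address: {email!r}")
    domain = email.rsplit("@", 1)[1].lower()
    # 1. Look for an Organization associated with the invitee's domain.
    for org in orgs:
        if domain in org.domains:
            return Invitation(org, "sso" if org.sso else "password", lockout_risk=False)
    # 2. No match: the invitee joins the project's Organization and inherits its login rule.
    #    If that Organization uses SSO, its provider is asked to authenticate a user it
    #    does not know, which the text above warns will leave the user locked out.
    method = "sso" if project_org.sso else "password"
    return Invitation(project_org, method, lockout_risk=project_org.sso)


# Constructed sample data: three Organizations and the domains they own.
COMPANY_A = Organization("CompanyA", {"companya.com"}, sso=True)
COMPANY_B = Organization("CompanyB", {"companyb.com"}, sso=True)
COMPANY_C = Organization("CompanyC", {"companyc.com"}, sso=False)
ORGS = [COMPANY_A, COMPANY_B, COMPANY_C]

if __name__ == "__main__":
    for email, project_org in [("alice@companyb.com", COMPANY_A),
                               ("alice@companyz.com", COMPANY_A),
                               ("bob@companyz.com", COMPANY_C)]:
        inv = resolve_invitation(email, project_org, ORGS)
        flag = "  <-- lockout risk: SSO provider does not know this domain" if inv.lockout_risk else ""
        print(f"{email:22} -> {inv.organization.name} via {inv.login_method}{flag}")
```

Reviewing the `lockout_risk` flag before sending an invitation is the check an administrator would want when inviting a user from an unknown domain into an SSO-linked Organization.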