
Configure single sign on (SSO)

How to set up SSO when rolling it out for the first time in Access Identity.

Written by Onyema Onyejekwe
Updated over 3 weeks ago

Access Identity SSO is linked to a domain rather than to a user. Once a domain is set up for SSO, all users whose email addresses use that domain are covered by it.

For most companies this is a short, one-off setup, and your users, including those added later, will not need to do anything to use SSO once the steps below are complete.

Setup steps

Step 1: Identify your domains

Your domains are the part of your users' email addresses to the right of the @ symbol. Usually it is your company name followed by .com or .co.uk; for example, for the email address test.test@companydomain1.com the domain is companydomain1.com.

To complete the following steps, gather at least one email address from each domain you wish to register, and ensure that you can run a test with at least one user from each domain that is to be registered.

If in doubt, your IT team should be able to support you with understanding what your domains are.
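As an added example (not part of the Access article or of Access's tooling), the script below turns a user email export into the list of domains to register: it picks one representative address per domain (the single account step 4 asks you to create) and separates out addresses on public mail providers, which the FAQ notes cannot use SSO. The list of public providers beyond iCloud and Yahoo, and the sample addresses, are constructed for the example.

```python
"""Derive the SSO domain list from a user e-mail export.

Added example, not Access's own code. Groups addresses by domain, keeps the
first address seen per domain as the account to register, and flags domains
owned by public mail providers (which cannot be federated).
"""
import re
from typing import Optional

# The FAQ names iCloud and Yahoo; the remaining entries are an assumption.
# Extend this set for the providers your own users actually use.
PUBLIC_MAIL_DOMAINS = {
    "icloud.com", "me.com", "yahoo.com", "yahoo.co.uk",
    "gmail.com", "googlemail.com", "outlook.com", "hotmail.com",
}

# Loose syntactic check: a local part, '@', then a dotted domain with a TLD.
_EMAIL_RE = re.compile(r"^[^@\s]+@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)$")


def domain_of(email: str) -> Optional[str]:
    """Return the lower-cased domain after '@', or None if not an address."""
    m = _EMAIL_RE.match(email.strip())
    return m.group(1).lower() if m else None


def plan_domains(emails):
    """Group addresses by domain.

    Returns (to_register, cannot_federate, rejected):
      to_register     - {domain: first address seen}; one account per domain
      cannot_federate - {domain: [addresses]} on public mail providers; these
                        users keep an Identity username and password
      rejected        - inputs that are not well-formed e-mail addresses
    """
    to_register = {}
    cannot_federate = {}
    rejected = []
    for raw in emails:
        domain = domain_of(raw)
        if domain is None:
            rejected.append(raw)
            continue
        if domain in PUBLIC_MAIL_DOMAINS:
            cannot_federate.setdefault(domain, []).append(raw.strip())
            continue
        # Domains are compared case-insensitively, so Jane.Doe@CompanyDomain1.com
        # lands in the same bucket as test.test@companydomain1.com.
        to_register.setdefault(domain, raw.strip())
    return to_register, cannot_federate, rejected


# Constructed sample export (not real users).
SAMPLE_EMAILS = [
    "test.test@companydomain1.com",
    "Jane.Doe@CompanyDomain1.com",
    "ops@companydomain1.co.uk",
    "contractor@icloud.com",
    "not-an-address",
]

if __name__ == "__main__":
    reg, no_sso, bad = plan_domains(SAMPLE_EMAILS)
    for dom, addr in reg.items():
        print(f"register {dom:<25} using {addr}")
    for dom, addrs in no_sso.items():
        print(f"no SSO   {dom:<25} ({len(addrs)} user(s) keep a password)")
    for raw in bad:
        print(f"rejected {raw!r}")
```

Run it against your real export; each entry in the first group is a domain that needs its own DNS TXT record (step 2) and its own registered account (step 4), while the second group tells you in advance which users will still need an Identity password.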

Step 2: Identify who manages your domain

Usually, someone in your IT department has access to the domain's DNS. You need to find whoever can add a TXT record to the DNS zone, as this is how ownership of the domain is verified.

Step 3: Identify who manages your authentication

Usually, your IT department manages this, and they are able to set up an OIDC endpoint to interact with Access Identity.

Common providers are ADFS and Azure AD, for which we supply example steps; most other authentication providers also support this protocol.

Someone needs to be able to set this up for you. Ideally, this person should have administrator rights in your business, such as a member of the central IT team, in case you need to come back and edit this later.

Step 4: Register for Identity

To register each domain with Access Identity, you need to register at least one email address per domain. To do this, go to https://identity.accessacloud.com/ or http://identity.eu.access-evo.com/ (EU hosted customers) and click Create New Account.

Note: If you have already registered with Access Identity because you use other Access products, when you click the link you can either enter your password or, if you have forgotten it, reset your password to access your Identity account.

You need to do this with one email address per domain you wish to set up. Ideally, this person should have administrator rights in your business in case you need to come back and edit this later.

This is a one-off task with one user per domain. Once setup is complete, all other users are automatically moved to Access Identity without any impact on how they log in.

Step 5: Set up SSO

Once you've registered, you need your IT team or your domain manager to follow and complete the steps in our federation document once per domain. The document details how to configure AD FS 2016 and Azure AD. The steps for other OpenID Connect Identity Providers will be very similar.

Regardless of your provider, however, the key fields that are required during setup will be the Authority URL, Client ID, and Client Secret.

The federation document states that you need to contact your account manager to enable user federation; this does not apply to domain setup, and you do not need to contact your account manager.
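The three values step 5 names (Authority URL, Client ID, Client Secret) are easy to mis-copy, and a wrong Authority URL only shows up later as a failed sign-in at step 6. As an added example (not code from Access or from the federation document), the checker below reads the provider's OpenID Connect discovery document, which every OIDC provider publishes at `<Authority URL>/.well-known/openid-configuration`, and reports the problems a practitioner would want caught first: a non-HTTPS authority, an issuer that does not match the authority, missing endpoints, or a provider that does not offer the authorization code flow with a client secret. The sample authority and discovery document are constructed for the example; the path layout is modelled on AD FS but is not a real tenant.

```python
"""Sanity-check Authority URL, Client ID and Client Secret against the
provider's OIDC discovery document. Added example, not Access's own code."""
import json
from urllib.parse import urlparse
from urllib.request import urlopen

# Keys an OIDC discovery document must carry for an authorization code client.
REQUIRED_KEYS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def discovery_url(authority: str) -> str:
    """The discovery document lives at <authority>/.well-known/openid-configuration."""
    return authority.rstrip("/") + "/.well-known/openid-configuration"


def fetch_discovery(authority: str, timeout: float = 10) -> dict:
    """Download and parse the discovery document (needs network access)."""
    with urlopen(discovery_url(authority), timeout=timeout) as resp:
        return json.load(resp)


def validate_setup(authority: str, client_id: str, client_secret: str, doc: dict) -> list:
    """Return a list of problems; an empty list means the values look usable."""
    problems = []
    parsed = urlparse(authority)
    if parsed.scheme != "https":
        problems.append("authority URL must use https")
    if parsed.query or parsed.fragment:
        problems.append("authority URL must not carry a query string or fragment")
    for key in REQUIRED_KEYS:
        if key not in doc:
            problems.append(f"discovery document lacks '{key}'")
    # OIDC Discovery requires the advertised issuer to equal the URL it was
    # discovered from (a trailing slash aside); a mismatch means every ID token
    # will fail issuer validation at the relying party.
    issuer = doc.get("issuer", "")
    if issuer and issuer.rstrip("/") != authority.rstrip("/"):
        problems.append(f"issuer {issuer!r} does not match authority {authority!r}")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        endpoint = doc.get(key, "")
        if endpoint and urlparse(endpoint).scheme != "https":
            problems.append(f"{key} is not https")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("provider does not advertise the authorization code flow")
    # Per the spec, a missing token_endpoint_auth_methods_supported means
    # client_secret_basic is supported.
    methods = set(doc.get("token_endpoint_auth_methods_supported", ["client_secret_basic"]))
    if not methods & {"client_secret_basic", "client_secret_post"}:
        problems.append("provider does not accept a client secret at the token endpoint")
    if not client_id.strip():
        problems.append("client ID is empty")
    if len(client_secret) < 16 or client_secret != client_secret.strip():
        problems.append("client secret is short or has surrounding whitespace (copy/paste error?)")
    return problems


# Constructed sample: a placeholder authority, not a real tenant.
SAMPLE_AUTHORITY = "https://login.example.test/adfs"
SAMPLE_DISCOVERY = json.loads("""{
  "issuer": "https://login.example.test/adfs",
  "authorization_endpoint": "https://login.example.test/adfs/oauth2/authorize/",
  "token_endpoint": "https://login.example.test/adfs/oauth2/token/",
  "jwks_uri": "https://login.example.test/adfs/discovery/keys",
  "response_types_supported": ["code", "id_token", "code id_token"],
  "token_endpoint_auth_methods_supported": ["client_secret_post", "client_secret_basic"]
}""")

if __name__ == "__main__":
    # Offline demonstration against the constructed document; against a live
    # provider, replace SAMPLE_DISCOVERY with fetch_discovery(SAMPLE_AUTHORITY).
    issues = validate_setup(SAMPLE_AUTHORITY, "placeholder-client-id",
                            "placeholder-secret-at-least-16-chars", SAMPLE_DISCOVERY)
    print("OK" if not issues else "\n".join(issues))
```

The issuer check is the one most worth keeping: providers such as AD FS and Azure AD publish a specific issuer string, and the Authority URL you hand over must be that exact value, not just any URL on the same host.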

Step 6: Run a test

Once you have done this, sign out of Access Identity. To test your setup, go back to the homepage at https://identity.accessacloud.com/ or http://identity.eu.access-evo.com/ and type in your email address. When you click Next, you are automatically redirected to your internal authentication server, where you can authenticate.

Step 7: You're good to go

If you can do this and successfully get back to Access Identity, your domain is set up, and all users with the same email domain are ready to use SSO when you are migrated to Identity.

FAQs

We answer the most common queries on SSO below.

Q: What do we do if we don't have a company domain?

A: If you do not own a domain and your users' email addresses are on public providers such as iCloud or Yahoo, those users are unable to log in via the SSO mechanism. Users on these domains need to log in with an Identity username and password.

Q: Why are users being asked to log in with email and password?

A: If users are asked to log in manually, double-check with your IT team that the domains have been registered correctly.
