Single sign-on (SSO) is a process that allows a user to access multiple IT services with only one sign-on. Dialog Insight offers SSO for connecting to its platform via your identity provider (IdP). Users already authenticated in your system can therefore use the Dialog Insight platform without signing in again. Having data security and the user experience of its customers at heart, Dialog Insight strongly recommends the implementation of SSO. By default, Dialog Insight manages users and passwords locally. However, if your organization already has an identity provider, you can use it to allow your users to log in to the platform without having to manually create and configure an account beforehand. In this article, you'll learn how to check if your IdP is compatible with Dialog Insight's SSO and what elements you need to configure in your IdP. You can then complete the application form, which you can download at the end of this article. If you need more details, you can consult the FAQ at the end of the article.
Step 1: Verify the Compatibility of the IdP
Supported Modes
Your IdP must be SAML 2.0 (Security Assertion Markup Language) compatible and allow field customization. SAML offers several communication modes. We only support the most common communication mode: "POST".
Cryptographic Signature
All exchanges contain an RSA cryptographic signature that authenticates the origin of the message and guarantees its integrity. The public keys of both parties are exchanged via metadata files. The following hash algorithms are supported: SHA-1, SHA-256, SHA-384 and SHA-512.
Permission Groups and User Attributes
You need to rethink account security in terms of permission groups. When SAML is used in a Dialog Insight account, it is no longer possible to configure user permissions individually: everything must be managed through permission groups. Therefore, create a set of groups that cover all security and permission requirements.
You must verify that you can create and transfer additional system attributes to us to represent user permissions. These attributes must be sufficient to populate all required fields in the user profile and security attributes (if used in the account), and to determine which user has the right to access the Dialog Insight platform based on the permission group assigned to that user.
→ See the Permission Groups of Dialog Insight
Step 2: Configure the IdP
2.1 Metadata URL
Dialog Insight will provide you with a metadata URL to add to your IdP upon request. Contact our team to obtain the metadata URL.
2.2 Transmission of user profile fields (attributes)
You need to add attributes to your users' profiles in the IdP to define the profile fields that will be passed in the authentication response (SAML). These fields will be used to generate a user account for a user upon their first login. The fields you deem necessary may already exist in the IdP (such as email, first name, and last name).
2.3 Groups and Permissions
When SSO is used, user permissions in Dialog Insight are assigned from permission groups configured within the platform. Each user is associated with a permission group that determines their access level during authentication. Dialog Insight offers predefined permission groups, but it is also possible to create custom groups upon request.
On your end, you must ensure that the groups defined in your IdP correspond to the desired access levels in Dialog Insight. For example, if you want to limit access to Dialog Insight to certain users, you could create a "hasAccessToDialogInsight" field (generic access for a campaign manager) or "adminHasAccessToDialogInsight" (admin access).
In the configuration form (next step), you will need to provide a mapping between your permission groups in the IdP and those in Dialog Insight so that each user is automatically associated with the correct group upon login.
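As an added illustration of steps 2.2 and 2.3 (not code from Dialog Insight or the article), the following Python block parses a constructed SAML 2.0 assertion, reads the profile attributes and the access flags it carries, reports which of the supported hash algorithms the signature declares, and resolves the permission group the way the mapping on the request form would. The attribute names (email, firstName, lastName), the group names "Administrators" and "Campaign Managers", and the mapping itself are assumptions; the block inspects the declared algorithm only and does not verify the signature, which a SAML library does in a real deployment.

```python
import xml.etree.ElementTree as ET
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Hash algorithms the article lists as supported, keyed by their XML-DSig SignatureMethod URI.
SUPPORTED_SIG_ALGS = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1": "SHA-1",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256": "SHA-256",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384": "SHA-384",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512": "SHA-512",
}
# Hypothetical mapping of IdP access attributes to Dialog Insight permission groups,
# most privileged first; the group names are assumptions, not the platform's own.
GROUP_MAPPING = [("adminHasAccessToDialogInsight", "Administrators"),
                 ("hasAccessToDialogInsight", "Campaign Managers")]
REQUIRED_PROFILE_FIELDS = ("email", "firstName", "lastName")  # assumed attribute names

# Constructed sample assertion (SignatureValue is a placeholder, not a real signature).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_example" Version="2.0">
  <ds:Signature><ds:SignedInfo>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
  </ds:SignedInfo><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>jane@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="hasAccessToDialogInsight"><saml:AttributeValue>true</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def extract_attributes(assertion_xml):
    """Return {attribute name: first value} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        attrs[attr.get("Name")] = (value.text or "").strip() if value is not None else ""
    return attrs

def signature_algorithm(assertion_xml):
    """Declared hash algorithm name, or None if absent/unsupported. Inspection only: does NOT verify the signature."""
    method = ET.fromstring(assertion_xml).find(".//ds:SignedInfo/ds:SignatureMethod", NS)
    return SUPPORTED_SIG_ALGS.get(method.get("Algorithm")) if method is not None else None

def provision_user(attrs):
    """Profile + group to create/update on login; None when the IdP returned no access attribute or a required field is missing."""
    group = next((g for a, g in GROUP_MAPPING if attrs.get(a, "").lower() == "true"), None)
    missing = [f for f in REQUIRED_PROFILE_FIELDS if not attrs.get(f)]
    if group is None or missing:
        return None
    return {"group": group, **{f: attrs[f] for f in REQUIRED_PROFILE_FIELDS}}
```

The None return for a user whose IdP response carries no access attribute is the behaviour the FAQ describes for deactivated users: no permissions come back, so the login is refused rather than an account being provisioned.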
Step 3: Fill Out the Request Form
When the IdP configuration is completed, please download the request form, fill it out and return it to us.
FAQ
If my company implements SSO, do all my users have to use SSO to log in?
Regular users (with a platform-specific password) can still exist alongside users managed by an identity provider. Therefore, it is not necessary to transfer all your current users to your identity provider.
What happens when a user logs in for the first time?
The first time a user logs in using the identity provider, a new user account will be created. For existing users, this will create a separate, second account. Creating a new account means that all previous settings configured by the user will no longer be associated with their current account (for example, notification subscriptions).
How are the permissions managed?
Each time the platform is accessed using SAML, the user's information and permissions will be updated. The information and permissions from the last login will then be replaced by the information provided by SAML. This information includes all the content specified in the configuration (first name, last name, security attributes, etc.).
How do we delete a user?
There is no SAML-based mechanism by which a user on the platform is automatically deactivated after being deactivated in the identity provider, since data synchronization occurs only when the user logs in. However, the user will no longer be able to log in, because the IdP will not return permissions at login. Deletion therefore remains a manual process.
Note: When setting up SSO on an existing project, since new users will be created, it is recommended to remove or disable duplicates with the old classic profiles to force the use of SAML.
If I modify a permission group in the IdP, do the changes apply immediately?
No. The certificate is synchronized once a day, at night. If a user is logged in, they will need to log out for the changes to apply to their permissions.
Request Form
You can download the request form below.