When an Uptrends account is first created, the initial account administrator creates a login for themselves based on their e-mail address and a chosen password. Additional operators can then be added over time to give more people access to the account, where each operator logs in using their own e-mail address and password.
This works well, but as your organization changes and grows, and your teams start using more online tools and services, there are a few things to consider:
- People need to remember their Uptrends password, along with passwords from all the other online tools they are using.
- They need to perform a manual login every time they want to access Uptrends.
- From a user management perspective, it can get increasingly difficult to control which people have access to which tools.
Easier and safer access control using Single Sign-on
To make things easier for end users as well as administrators, across all online apps your teams are using, you can use a solution that sits between your users and those online apps. Many third-party products are available that offer a Single Sign-on (SSO) solution. We’ve worked with Azure Active Directory, Active Directory Federation Services (ADFS), Okta, OneLogin, SecureAuth and Duo Access Gateway, but there are many others. Any product that can support the SAML 2.0 protocol for Single Sign-on should work.
How Single Sign-on in Uptrends works
As discussed, you will need a third-party product that acts as the centralized hub for your users to get access to apps, and for your administrators to control which users have access to which apps - Uptrends being one of them. In this article, we’ll refer to that product as the Identity Provider (IdP), since it takes care of proving the identity of each user when they are logging into your apps. In this setup, Uptrends is one of those apps and plays the role of Service Provider (SP).
Once you have a working IdP setup, you’ll use the IdP’s login features to make sure your users are authenticated in their browser, on their mobile devices, and so on - often based on their network credentials. Those features can also include two-factor authentication, strict password policies, et cetera. The main advantage for end users is that they no longer need to remember different passwords for different apps, and that they can access Uptrends and other apps with just a single click. Most IdPs offer an app gallery or app hub, showing all tools and services available to the user. The tools are instantly recognizable and accessible, without having to bookmark URLs, remember the right passwords, or go through the usual hassle of keeping things secure and organized.
Administrators benefit from an SSO setup because they can control which users have access to Uptrends, and can easily revoke access again when someone leaves the company or moves to a different team.
Single Sign-on setup overview
To get a working SSO setup in Uptrends, the following basic steps are needed:
- Enable the SSO option in your Uptrends account settings. Please note that Single Sign-on is available for Enterprise accounts only.
- Define a new app in your Identity Provider, using the SAML configuration data provided by Uptrends. Essentially, you only need to copy one URL: the Single Sign-on URL (on the Uptrends side) that is unique for the SSO setup of your organization. Your IdP needs to have this URL so it knows where to send your users when they log in.
- Once defined, the new Uptrends app in your IdP will also generate SAML configuration data. This data consists of two pieces of information: your IdP’s Login URL (so Uptrends knows where your users are coming from) and the certificate generated by your IdP to digitally sign the SAML requests it sends to Uptrends. This allows Uptrends to make absolutely certain that the incoming logins are genuinely coming from your Identity Provider and not from someone else. This is a crucial part of the security of Single Sign-on. You’ll store the public key for SSO in your Uptrends vault.
- Make sure that your users are defined on both sides: your IdP runs in your own environment, so it already knows about your users. In Uptrends, each user needs their own operator (if it doesn’t already exist). When a user is logged in by your IdP, we will look at the e-mail address, so it needs to match on both sides.
- You don’t have to start using SSO for all users in one go: you can start with just one, while the remaining users keep accessing Uptrends using classic logins until you’re ready to move to SSO.
For detailed setup instructions, please read the Single Sign-on setup guide.
How can SSO users log in?
After your SSO setup is complete, you’ll want to instruct your users about logging into Uptrends. Where should they navigate to, in order to access their Uptrends account? There are two approaches:
- Set up IdP-initiated SSO. This method means that your users have a centralized location they can visit (often a web page hosted by your IdP software in the form of an app gallery) in order to log into Uptrends or other SSO-enabled services. The app gallery includes a special link to Uptrends that will start the SSO login procedure. This method is called IdP-initiated because the login sequence is started on the Identity Provider’s side.
- Set up SP-initiated SSO. This method assumes you don’t have a centralized app gallery or portal, but that your users need to navigate to SSO-enabled services themselves. They’ll have to specify the name of your organization in the Uptrends SSO login screen in order to initiate the login sequence that connects to your Identity Provider. Alternatively, they can create a bookmark to the subdomain https://your-company.uptrends.com. Please contact our Support department if you want to use the SP-initiated login method. They will make sure your subdomain gets created.