Setting up an SSO

Winningtemp supports user authentication via SSO. Read on to get started.

An SSO connection requires a supplementary agreement and setting up an SSO application with your Identity Provider (IdP) in collaboration with one of our integration specialists.
Contact your customer success manager for more information about this agreement.

Technical Requirements

Winningtemp requires SSO via SAML 2.0 and does not support multi-tenancy.
An instance of Winningtemp can only have one SSO connection to one IdP at a time.
There is no user provisioning involved in this connection; it is used only to authenticate pre-existing users.
Provisioning users can be handled separately by way of a custom user integration (as covered here: https://developer.winningtemp.com/docs/integration-landing).

Custom Subdomain

As part of the setup, a custom subdomain will be generated.
This domain is then set as the destination for the Entity ID and Reply URL, and looks something like this:

This URL can be used to log in, but we expect users to keep using the generic login portal:

Guides

There are hundreds of identity providers out there, so it is not feasible for us to provide a guide for the SSO application setup for each individual IdP.

While there are bound to be individual differences between providers, the general process is the same with Winningtemp as with any other third-party application.
SAML 2.0 is an international standard after all, so there should always be documentation available.

Claims

By default, Winningtemp is looking for User.email as the property to match.
This value is taken from the SAML response and matched against all usernames in your instance of Winningtemp.

The following claims can be used for the purpose:

  • User.email
  • EmailAddress
  • NameID

The main takeaway here is that the username in Winningtemp has to match the value of whichever of the above claims is used.
As such, your users usually need to have their email address as their WT username.
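
One way to check, before go-live, that a test login from your IdP carries a claim matching your Winningtemp usernames. This is an added example, not Winningtemp code: the sample assertion, the usernames and the function names are constructed. This page does not say whether matching is case-sensitive, so a case-only difference is reported separately.

```python
import xml.etree.ElementTree as ET
# Diagnostic only: reads claims from a captured test response; no signature check.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Claim names listed on this page.
ACCEPTED = ("User.email", "EmailAddress", "NameID")

# Constructed sample assertion (unsigned, trimmed); not output from a real IdP.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>a1b2c3</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="User.email">
      <saml:AttributeValue>Anna.Berg@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="department">
      <saml:AttributeValue>R&amp;D</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_claims(xml_text):
    """Return {claim name: value} for the accepted claims present in the XML."""
    root = ET.fromstring(xml_text)
    found = {}
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is not None and name_id.text:
        found["NameID"] = name_id.text.strip()
    for attr in root.iterfind(".//saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        if attr.get("Name") in ACCEPTED and value is not None and value.text:
            found[attr.get("Name")] = value.text.strip()
    return found


def check_match(xml_text, usernames, claim="User.email"):
    """Classify how the chosen claim compares with the exported usernames."""
    value = extract_claims(xml_text).get(claim)
    if value is None:
        return "claim-missing"
    if value in usernames:
        return "exact"
    if value.lower() in {u.lower() for u in usernames}:
        return "case-differs"  # page does not say if matching is case-sensitive
    return "no-user"


if __name__ == "__main__":
    print(check_match(SAMPLE, ["anna.berg@example.com"]))
```

In this sample the NameID is an opaque identifier rather than an email address, so a connection matching on NameID would only find a user whose WT username is that identifier.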

Access Groups

While the term might differ between IdPs, the functionality remains the same.
A user has to exist in Winningtemp to be able to log in, but they also need to belong to the appropriate access group in your IdP.

Some organizations opt to simply allow the entire organization and regulate access by creating/removing users within WT, while others choose to lock it to specific access groups.

This has no bearing on the connection itself, and is completely up to you.

Mixed Mode

By default, our SSO connection is strict. This means every user in your instance of WT will have to log in using SSO.

However, it is possible to activate Mixed Mode authentication, which allows select users to log in with a WT password instead.

This mode is enabled through the System Settings directly in Winningtemp:

When enabled, you also have to mark each individual user that should be able to log in with a password.
This is best done via the user's card in the user directory: