Multiple Identity Providers (IdPs)
Support for multiple IdPs
Condeco can be configured to seamlessly integrate with multiple identity providers to authenticate your users.
Support for multiple identity providers (IdPs) is not available by default. Contact Condeco Support to enable this service.
The user experience
The user experience when multiple IdPs are implemented is very similar to a single IdP implementation and just includes one additional step. Before proceeding through the usual authentication process, the user must enter their full email address:
When the full email address is entered and authenticated, the user is directed to the usual login page for the domain (as per email address) where they sign in to Condeco.
SAML user flow
The following is the authentication flow for SAML when a user launches Condeco or enters the Condeco URL:
- The request is redirected to the Condeco SSO endpoint URL through the startSAML.aspx page.
- When received, the request is checked for the ‘PartnerIdpId’ parameter.
- If the ‘PartnerIdpId’ parameter does not exist, the policy is skipped and the next available policy applied.
- If the policy is matched with the configured ‘PartnerIdpId’ result value, the user is redirected to a sign-on page (Identifier First Adapter HTML page) to enter their email address.
The policy validator validates the domain from the entered email address and redirects the user to the configured IdP connections.
OAuth user flow
The following is the authentication flow for OAuth when a user launches Condeco or enters the Condeco URL:
- The request is redirected to the Condeco SSO endpoint URL through the startSAML.aspx page.
- When received, the request is checked for the ‘Client_ID’ parameter.
- If the ‘Client_ID’ parameter does not exist, the policy is skipped and the next available policy applied.
- If the policy is matched with the configured ‘Client_ID’ result value, the user is redirected to a sign-on page (Identifier First Adapter HTML page) to enter their email address.
The policy validator validates the domain from the entered email address and redirects the user to the configured IdP connections.
Language support
If the language is supported, the login page is automatically translated to the language of the browser. The following languages are supported:
- English (UK)
- English (US)
- French
- German
- Italian
- Portuguese (BR)
- Spanish
Limitations
We do not recommend integrating Condeco with your multiple IdPs if you are using the Condeco Outlook Com+ plug-in with SSO.
When integrating with multiple IdPs the new registration form only pre-populates the username. The additional fields must be entered manually.
How to request support for your multiple IdPs
Condeco does not support multiple identity providers (IdPs) by default. Follow the steps to enable the service,
- For each Active Directory, provide the following to your Condeco representative:
- Domain name.
- Meta-data file (for each domain). Metadata is an XML document containing information necessary for interaction with identity or service providers (e.g. URLs of endpoints, information about supported bindings, identifiers and public keys, etc.).
- When received, Condeco provides an assertion consumer service URL & Entity ID.
- Register Condeco on each Active Directory.