Using single sign-on (SSO) with Fuse

Fuse fully supports SAML 2.0 Single Sign On (SSO) which enables customers to use their standard company login credentials to authenticate to Fuse. This is supported across both the Fuse web app and Fuse mobile apps.

Fuse SSO is typically configured as part of the Fuse implementation process for new customers. However, existing customers can also request that their Fuse is enabled for SSO via their Customer Success contact.

Customers are required to have the necessary SAML SSO and Identity Provider (IDP) infrastructure in place. Fuse will be configured as a Service Provider (SP) application.

Support for SAML (Security Assertion Markup Language) ensures compatibility with all the common SSO Identity Providers including; Microsoft ADFS, Microsoft Azure AD, Google IdP, Okta, Ping Federate, OneLogin and ForgeRock.

For further information on SAML please visit:

http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html

Fuse supports both the standard SAML login flows; SP-Initiated and IDP-Initiated as standard.

SP-initiated
Users go to their Fuse instance URL which redirects them to their IDP login page. After successfully entering their standard login credentials they are automatically redirected back to their Fuse landing page. This flow is the standard SSO flow for web access and Fuse mobile apps.

IDP-initiated
Users that are on-premise (or logged in via VPN) and typically already authenticated to their company network. Customers can configure a special custom link for Fuse (often in the form of a published application icon) that transparently logs them into Fuse. Note that this flow is less common so not all customer SSO implementations are configured to support IDP-initiated SSO.

Multi-factor authentication (MFA)
Customers can use their own MFA solutions with Fuse as long as these are used in conjunction with their SSO implementation. MFA will add an additional step where the user will be prompted for a pin code (for example) before they are then redirected into Fuse.

Single logout (SLO)
As standard, if a user clicks the Logout option in Fuse they will be logged out of the Fuse application. In some cases customers may also want to enable full Single Logout (SLO) support. SLO is part of the SAML specification and will tear down the user’s session on the IDP as well as log them out of Fuse. However, it should be stressed that once enabled, if a user logs out of Fuse they will also be automatically logged out of all their open web applications where SLO is enabled. This functionality is part of the SAML SLO specification.

Dual login
For customers with both internal users with SSO accounts and external users who do not have SSO accounts, Fuse can support separate login options. Users access Fuse via a custom login page. This page will be customer branded with basic customisation options. The Fuse login page will have the standard Username/Password login option for users without SSO accounts as well as a button for SSO users. SSO users will click the button to go to their IDP login page to authenticate.

Currently SSO setup is not self-service so customers will need to liaise with their Customer Success contact to request this. However, the process is straight-forward and is included as part of the standard Fuse implementation for new customers (if required). Existing customers can request that their Fuse is enabled for SSO by contacting their Customer Success contact.

Process

1. Fuse will share our SSO metadata.xml file that provides the necessary URL and certificate information.
2. Customer IT will import this metadata on their IDP to create a Fuse SAML configuration.
3. Once completed they will share their IDP metadata.xml for this configuration with Fuse.
4. Fuse will enable SSO on the customer instance based on the IDP metadata provided.
5. Once complete customers will be invited to login and test.

Fuse can provide setup guides for Microsoft ADFS and Microsoft Azure AD if required.

• SSO can be configured directly to the customer Production environment or to the customer Staging environment first for testing, then moved to the Production environment.
• Fuse can federate against the user’s email address or any other user attribute (such as EmployeeID) as long as this is configured as the Username within Fuse.
• Only one customer SSO configuration is supported per Fuse instance.
• The Fuse metadata.xml will be standard for the region where the customer’s Fuse instance is hosted (EU, US, AU).
• Changes and update requests for customer SSO configurations, such as certificate updates, should be requested via the Fuse support ticketing system.
• Fuse does not currently support Microsoft Azure SCIM user provisioning.

Q: Can we use more than 1 IDP?
No not currently

Q: Can we provision using our SSO?
No not currently

Q: What can the unique identifiers be?
Typically the (NameID) can align with either the Email or Username attribute in Fuse. The Username in Fuse can be any unique identifier such as employeeID.

Q: How do I update my certificates?
Raise a support ticket well in advance of the expiry date with the preferred switch over time and this will be actioned.

Q: Can I test somewhere first?
Typically SSO configurations will be implemented in the customer’s Staging environment first before being switched to their Production environment.

Q: How much does it cost?
SSO licensing is typically included in the initial license costs. If the customer is adding SSO at a later stage and this was not previously accounted for, then this will be reviewed by their Fuse Account Manager.