Fuse fully supports SAML 2.0 Single Sign-On (SSO), which enables customers to use their standard company login credentials to authenticate to Fuse. This is supported across both the Fuse web app and Fuse mobile apps.
Fuse SSO is typically configured as part of the Fuse implementation process for new customers. However, existing customers can also request that their Fuse is enabled for SSO via their Customer Success contact.
Customers are required to have the necessary SAML SSO and Identity Provider (IDP) infrastructure in place. Fuse will be configured as a Service Provider (SP) application.
Support for SAML (Security Assertion Markup Language) ensures compatibility with all the common SSO Identity Providers, including Microsoft ADFS, Microsoft Azure AD, Google IdP, Okta, Ping Federate, OneLogin and ForgeRock.
For further information on SAML please visit: http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html
Fuse supports both standard SAML login flows: SP-initiated and IDP-initiated.
In the SP-initiated flow, users go to their Fuse instance URL, which redirects them to their IDP login page. After successfully entering their standard login credentials, they are automatically redirected back to their Fuse landing page. This flow is the standard SSO flow for web access and Fuse mobile apps.
In the IDP-initiated flow, users are on-premises (or logged in via VPN) and are typically already authenticated to their company network. Customers can configure a special custom link for Fuse (often in the form of a published application icon) that transparently logs them into Fuse. Note that this flow is less common, so not all customer SSO implementations are configured to support IDP-initiated SSO.
Customers can use their own MFA solutions with Fuse as long as these are used in conjunction with their SSO implementation. MFA adds an additional step in which the user is prompted for a PIN code (for example) before being redirected into Fuse.
As standard, if a user clicks the Logout option in Fuse they will be logged out of the Fuse application. In some cases customers may also want to enable full Single Logout (SLO) support. SLO is part of the SAML specification and will tear down the user’s session on the IDP as well as log them out of Fuse. However, it should be stressed that once enabled, if a user logs out of Fuse they will also be automatically logged out of all their open web applications where SLO is enabled. This functionality is part of the SAML SLO specification.
For customers with both internal users with SSO accounts and external users who do not have SSO accounts, Fuse can support separate login options. Users access Fuse via a custom login page. This page will be customer branded with basic customisation options. The Fuse login page will have the standard Username/Password login option for users without SSO accounts as well as a button for SSO users. SSO users will click the button to go to their IDP login page to authenticate.
Currently, SSO setup is not self-service, so customers will need to liaise with their Customer Success contact to request this. However, the process is straightforward and is included as part of the standard Fuse implementation for new customers (if required). Existing customers can request that their Fuse is enabled for SSO by contacting their Customer Success contact.
Fuse can provide setup guides for Microsoft ADFS and Microsoft Azure AD if required.