Single Sign-On (SSO) in Buddy
Enabling SSO in a Buddy workspace allows its members to use their SSO provider's identities to sign in to Buddy. The SSO authentication can also be used by new users when creating brand new accounts.
Signing in & registration with SSO
Every workspace with SSO enabled has a dedicated page for signing in and registering new workspace members with the identity provider:
https://app.buddy.works/WORKSPACE_URL_HANDLE/sso
Disconnecting Buddy account and SSO provider
You can remove the SSO provider-user account pairing at any time. This way, you can help users who created new accounts instead of signing in to their existing ones with the SSO link and authenticating in their identity provider. Alternatively, you can remove this user's account to force them to create a new one.
To disconnect a user from the SSO provider, go to the People tab, find the member you want to disconnect, and select the disconnect option from the context menu.
Adjusting SSO configuration / disabling SSO
To reconfigure SSO, you must first disable it in the workspace. To disable SSO, click the Disable SSO button. Disabling SSO disconnects all users from their identity provider. This means that all users will have to re-identify with the identity provider the next time they sign in to the Buddy workspace.
SSO and two-factor authentication (2FA)
To access SSO-enabled workspaces, users with active 2FA must authenticate in their identity provider and sign in with their 2FA-secured Buddy account.
The sign-in process follows this flow:
- The user authenticates in the workspace SSO provider.
- Upon successful authentication, the user is redirected to the Buddy sign-in screen.
- The user signs in using their Buddy account.
- The user confirms their identity with their selected 2FA authentication method: SMS or an app such as Google Authenticator.
This flow is valid for every workspace with SSO enabled, regardless of the provider.
SSO and users with multiple workspaces
Users who belong to multiple workspaces must provide their username and password as the second step of sign-in after authenticating with the SSO provider. This is required to mitigate the risk of unwanted access to the user's private workspaces by the SSO supervisor, and concerns only the workspaces where SSO is obligatory.
The sign-in process follows this flow:
- The user authenticates in the workspace SSO provider.
- Upon successful authentication, the user is redirected to the Buddy sign-in screen.
- The user signs in using their Buddy account.
Authentication and sessions
When users want to access resources in an SSO-enabled workspace, Buddy redirects them to the workspace's SSO provider to authenticate. After successful authentication, users are redirected back to Buddy, where they can access the requested resources.
The duration of an SSO session is 24 hours. After that time, users must re-identify themselves in the identity provider to continue.
The session timer starts whenever a user authenticates with the workspace's SSO provider in their browser. This means that the request to re-authenticate is not directly tied to the user signing in to Buddy, but rather to the user signing in to the workspace's SSO provider.
Last modified on Sep 23, 2024