FAQ: Single Sign-On - Frequently Asked Questions
When deploying SSO in ReadyWorks, keep the following security points in mind:
- HTTPS Requirement: SSO integration requires HTTPS to be enabled. Most identity providers will not accept traffic from a service provider that is not served over HTTPS.
- Federation Metadata: Obtain the Federation metadata XML file from your identity provider (IDP). This file contains crucial information for establishing the SSO connection.
- Group Mappings: Carefully configure group mappings between your IDP and ReadyWorks security groups. This ensures users are assigned the correct permissions when they log in via SSO.
- Least Privilege: Use the most restrictive security model. If a user belongs to multiple groups, the most restrictive permissions will take precedence.
- Regular Review: Periodically review and update group mappings, especially when new security groups are created in ReadyWorks.
- SSO Provider Selection: Choose a compatible SSO provider. ReadyWorks supports providers such as Okta, Azure AD, and generic SAML connections.
- User Account Management: Understand that SSO creates underlying user accounts in ReadyWorks. These accounts are flagged as SSO users and don't store passwords locally.
- Session Timeout: Configure appropriate session timeout settings to balance security and user experience.
- Functional Groups: Use functional groups for workflow assignments without affecting security permissions.
- SSL Certificates: Ensure proper SSL certificate management for the ReadyWorks server to maintain a secure SSO connection.
- IDP Configuration: Work closely with your IDP team to ensure correct configuration on their end, including proper role-based provisioning.
Remember, your SSO implementation within ReadyWorks should be thoroughly tested in a non-production environment before it is deployed to production, so that all security measures are confirmed to work as expected. Expect the test-environment configuration to change when you move to a production SSO implementation.