Unmind single sign-on (SSO) is SAML-based. Once SSO is set up, it gives your employees seamless access to Unmind through the identity provider (IdP) of your choice, such as Okta, Microsoft Azure AD, Ping Identity or OneLogin.
Unmind offers Service Provider (SP) initiated SSO.
SSO can be configured by Unmind’s technical team for either new or existing clients.
SSO options
When SSO is enabled for your company you have 2 main options for how it is configured:
- SSO only - all employees must use your company SSO login to access Unmind using a web browser or on the mobile app. This is our recommended option.
- Mixed-mode - Each employee can choose whether to use your company SSO or username + password, but they can only use one method. An employee can switch from username + password to SSO, but they cannot switch back.
Just-in-time (JIT) user provisioning
When a new employee accesses Unmind using SSO we will automatically create their account at that point. There is no need to upload a list of eligible users in advance.
Configuring SSO
Technical information Unmind requires from your company to set up an SSO SAML connection:
- The SAML login page URL for your company’s identity provider. For example https://yourcompany.youridentityprovider.com/1234/sso/saml
- An x509 certificate
These can usually be obtained from a URL that your technical team can provide, for example https://yourcompany.youridentityprovider.com/1234/sso/saml/metadata
Technical information Unmind will provide to your company to set up SSO:
Unmind will set up a SAML connection and provide your technical team with a SAML metadata endpoint. For example: https://auth.unmind.com/samlp/metadata?connection=your_company
This will provide you with key attributes such as:
- EntityID
- Authentication signing details
- ACS URL
- Unmind’s x509 certificate
- Logout URL
An image of the Unmind logo with a transparent background. This can be added to your company app portal along with a URL directing employees to the Unmind SSO login page, for example https://yourcompany.unmind.com/sso
SAML response signing
The default is SHA256, but we also support SHA1 if necessary.
Additional SSO setup details
The following user information about an employee must be included in the SAML assertion claim types.
- Required attribute (also known as SAML_Subject, Primary Key, Logon Name, Application username format, etc.) - NameID: this is usually the employee’s email address (but could be the employee ID if that is your unique identifier).
Other attributes:
- given_name: user.firstname
- family_name: user.lastName
- email: user.email (if applicable)
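The following is an added example, not Unmind's code: a pre-flight check your technical team could run on a decoded test SAML response from your own IdP, confirming that NameID and the attributes listed above are populated and reporting which signing algorithm is in use. It assumes given_name and family_name are expected and email is optional, uses a constructed sample response, and does not verify the signature itself.

```python
import xml.etree.ElementTree as ET  # fine for your own IdP's test output, not for untrusted XML

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
EXPECTED_ATTRS = ("given_name", "family_name")  # assumption: email is "if applicable"

def check_response(xml_text):
    """Return (errors, warnings) for a decoded SAML response. Does NOT verify the signature."""
    root = ET.fromstring(xml_text)
    errors, warnings = [], []
    # NameID is the required unique identifier for the employee.
    name_id = root.find(".//saml:Assertion/saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        errors.append("NameID missing or empty")
    # An attribute counts as present only if it carries a non-empty value.
    present = {a.get("Name") for a in root.iterfind(".//saml:Attribute", NS)
               if (a.findtext("saml:AttributeValue", "", NS) or "").strip()}
    for name in EXPECTED_ATTRS:
        if name not in present:
            warnings.append(f"attribute {name} missing or empty")
    # Report the signing algorithm: SHA256 is the default, SHA1 the fallback.
    algs = [m.get("Algorithm", "") for m in root.iterfind(".//ds:SignatureMethod", NS)]
    if not algs:
        errors.append("no ds:SignatureMethod found")
    for alg in algs:
        if alg.endswith("sha1"):
            warnings.append("signed with SHA1, not the SHA256 default")
    return errors, warnings

# Constructed sample: signature value, digest and certificate are omitted for brevity.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:Signature><ds:SignedInfo>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
  </ds:SignedInfo></ds:Signature>
  <saml:Assertion>
    <saml:Subject><saml:NameID>jane.doe@yourcompany.example</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="given_name"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="family_name"><saml:AttributeValue></saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    errors, warnings = check_response(SAMPLE)
    print("errors:", errors)
    print("warnings:", warnings)
```

On the constructed sample this reports no errors and two warnings: the empty family_name value and the SHA1 signature method.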