Introduction
Unmind uses Auth0 by Okta to facilitate Single Sign-On (SSO) with the SAML 2.0 protocol.
Auth0 meets and maintains compliance with GDPR, HIPAA and HITECH, CSA STAR, ISO 27001/27018, PCI DSS and SOC2.
User accounts are provisioned with Unmind on a just-in-time basis over SAML SSO.
Unmind does not support SCIM provisioning; de-provisioning is handled through a separate HRIS connection.
Setup Requirements
Please provide Unmind with the following information:
- The direct contact details of the team/person responsible for managing and configuring connections within your SSO Provider (e.g. Okta; OneLogin; Microsoft Azure Active Directory).
- The unique identifier to use - we support using either an email address or an employee ID as the unique identifier for user accounts (typically this is an email address).
- Whether you wish to enable the Identity Provider-initiated (IdP-initiated) flow as part of the SSO setup.
SSO SAML Configuration Process
1. Unmind will provide a SAML metadata file, which will include our:
- SP Entity ID / Audience URI
- X509 verification certificates
- Protocol endpoints (Assertion Consumer Service URL)
2. Please configure an SSO connection in your SSO provider (e.g. Okta / MS Azure), using the provided metadata file.
3. Please ensure the connection is configured to send the following attributes to Unmind, with a name format of “Basic”:
- First Name
- Last Name
- Email Address (if using email as the unique identifier)
- Employee ID (if using employee-id as the unique identifier)
4. Once the SSO connection has been set up, please send your metadata file to Unmind.
5. Unmind will then configure the SSO connection in Unmind’s systems.
6. If you requested that the IdP flow be enabled, Unmind will also provide an updated value for the ‘Single Sign On’ configuration field within your SSO provider, to enable the IdP flow.
Testing the SSO Connection
Once configuration has been completed, Unmind will provide a URL from which you can test logging in with Service Provider-initiated SSO.
If you requested that the IdP flow be enabled, we’ll also ask you to test this.
For a successful test:
- New users, once they’ve logged in through SSO, will be asked for consent to receive emails from Unmind and provide some additional demographic information - before being taken to the Unmind “Today” page.
- Existing users, who have already created an Unmind account prior to SSO being enabled, will be taken to the Unmind “Today” page. Note - If using Employee-ID as the unique identifier, employees will be asked to enter their original Unmind password as a security precaution. Employees will only have to do this the first time they log in with SSO. Thereafter, employees will be taken straight to the Unmind “Today” page.
In the event of an unsuccessful test, please provide a full screenshot of the page you land on to Unmind to aid with troubleshooting.
Launching SSO
Following successful testing, Unmind will coordinate with you to enable SSO as the primary login method on your Unmind.com subdomain.