This article covers the most frequently asked questions about single sign-on and multi-factor authentication:
Single sign-on (SSO) allows users to securely access their apps through their organization’s identity provider (IdP), like Azure AD, Okta, or Google. With SSO, users don’t have to remember separate usernames and passwords for each app they use. They only need to log in once using their IdP credentials.
SSO can help improve security and compliance by centrally managing logins and authentication across your organization. It also streamlines user logins and reduces login fatigue.
Fiix supports SSO. Once SSO for Fiix is set up, all users can log in to Fiix indirectly using their IdP credentials.
An Identity Provider (IdP) is a service that stores and manages user identities in your organization. IdPs check for authentication factors like an email address, password, or a repeatedly used device to ensure a user is who they say they are.
In an enterprise context, IdPs help IT teams manage many users at once and improve their organization’s information security. Fiix supports integration with many IdPs through single sign-on (SSO).
Fiix does not natively support Multi-Factor Authentication (MFA), but MFA can be set up indirectly using single sign-on (SSO). With SSO, your users’ Fiix logins are rerouted through your IdP, like Google or Okta, allowing for MFA.
To enable MFA:
- Your organization’s Identity Provider (IdP) must allow MFA.
- Fiix’s SSO integration must support your type of IdP.
For more information about setting up SSO for MFA, see Set up single sign-on (SSO) or contact our support team.
Fiix supports the SAML 2.0 and OpenID Connect protocols for SSO. This means IdPs like Okta, Azure Active Directory (AD), and Google are all supported. Organizations with on-premise IdPs can also use SSO, and setup is arranged on a case-by-case basis. To find out whether Fiix supports your IdP, contact our support team.
SSO is available on Enterprise plans only. SSO works with both new and pre-existing Fiix tenants, as long as SSO has not already been set up.
Fiix works directly with your IT team or administrator to set up SSO. Your IT team needs an existing, compatible IdP and must be able to share certificates and IdP information with Fiix.
Switching to SSO is permanent, and tenants with SSO enabled cannot be reverted back. SSO-enabled tenants also cannot be duplicated (cloned).
Does it cost anything to set up SSO?
Yes. There's a one-time setup fee and a yearly platform fee for SSO.
SSO setup takes approximately 24-48 hours once your organization and the implementation team have shared certificates and IdP information. There is a one-time fee for setting up SSO. To learn more, contact our support team.
What information does Fiix's Integration Team need to begin setting up SSO?
The integration discovery process includes sharing your organization's information with Fiix's Integration Team. We can also assist you in gathering this information. You will have to provide answers to the following questions:
- Who is your Identity Provider (IdP) for User Authentication and Authorization?
- What is the deployment type for your IdP - cloud, on-premise or hybrid?
- If your IdP deployment type is hybrid/on-premise, is your IdP publicly accessible to a web application such as Fiix?
- Our SSO implementation is based on SAML v2.0 and OpenID Connect (OIDC). Does this match your SSO implementation?
- Will all your employees who are Fiix Users be SSO enabled?
- Do you have contractors or a temporary workforce who will need access to Fiix but are not SSO enabled?
- With your current SSO implementation for enterprise apps, how do you manage the admin user workflows? Is that user SSO enabled?
- Do you have a Mobile SSO implementation driven by a VPN?
- Do you have a Mobile Device Management based solution for the enterprise apps provisioned to the users?
- Logging out of the Fiix app signs the user out of the Fiix app only. Do you expect the user to be logged out of the IdP as well?
Can we revert back to non-SSO after it's been set up?
Once a Fiix tenant has been set up with SSO, it can no longer be reverted back to a non-SSO tenant.
Tenants with SSO also cannot be duplicated (cloned).
Once SSO is set up, users will no longer be able to log in or out using Fiix’s login portal. All user logins will go through your organization’s IdP. Fiix tenants can’t support both SSO and native logins at the same time.
Guest users will still be able to access the work request portal as normal.
If you have an SSO-enabled Fiix tenant, we’ll need to reconfigure it for a new IdP. Our Integration team will walk you through the process of reconfiguring your SSO.
To reconfigure your SSO-enabled tenant for a new IdP:
- Set up a discovery call with your Fiix application consultant.
- Our teams work together on configuration.
- We finalize and test your tenant to ensure everything is working smoothly.