Learn about the technical processes behind our single sign-on feature.
Our single sign-on feature uses a standard called OpenID Connect. When a user logs in with SSO, we initiate an OpenID Connect handshake with the user's identity provider (IdP). Once the IdP authenticates the user, they're redirected back to Engagement Cloud. From there, we check that the details all match and then give them access to their data.
To learn more about OpenID Connect, check out the OpenID Connect website.
Looking to set up SSO?
This article focuses on the technical process behind our SSO feature. To learn to set up SSO, check out our article Set up Single Sign-On (SSO) for your account.
Understanding single sign-on
The SSO login process is a six-step procedure:
1. The user enters their email into the Engagement Cloud login form.
2. We recognise the user's account as SSO enabled and redirect them to their IdP.
3. The user is directed to their identity provider (IdP) and prompted to sign in.
At this point, we also request the following user details from the IdP:
4. After successfully signing in, the IdP sends the user's details to us.
5. When we receive the user's details, we validate them using OAuth tokens.
We validate that the user logging in is the same as the one we received details for. To do this, we look at the information provided by the IdP (user information, ID token) and then match the email address against one of the following:
- emails (we split this into a comma-delimited list and check all of them)
6. After validating the SSO user, we start the session and direct them to their Engagement Cloud account dashboard.
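The validation and matching in steps 5 and 6, as an added example in Python (not Engagement Cloud's own code): it runs the standard OpenID Connect claim checks on an ID token whose signature is assumed to have already been verified against the IdP's published keys, then matches the login email against the comma-delimited `emails` claim from the ID token or userinfo response. The issuer URL, client ID, nonce handling and sample claims are assumptions constructed for the example.

```python
import time

# Constructed values for the example: the IdP we trust and our client ID
# registered with it (assumptions, not real Engagement Cloud settings).
ISSUER = "https://idp.example.com"
CLIENT_ID = "engagement-cloud-client"


def _emails_from(claims):
    """Split a comma-delimited 'emails' claim into normalised addresses.
    A JSON array is accepted too, so a list-valued claim is not silently dropped."""
    raw = claims.get("emails", "")
    if isinstance(raw, list):
        raw = ",".join(raw)
    return {e.strip().lower() for e in raw.split(",") if e.strip()}


def validate_id_token(claims, expected_nonce, now=None):
    """Standard OIDC checks (issuer, audience, expiry, nonce) on decoded ID
    token claims. Returns None when valid, else a short failure reason."""
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER:
        return "issuer mismatch"
    aud = claims.get("aud")
    if aud != CLIENT_ID and not (isinstance(aud, list) and CLIENT_ID in aud):
        return "audience mismatch"
    if claims.get("exp", 0) <= now:
        return "token expired"
    if claims.get("nonce") != expected_nonce:  # ties the token to this login
        return "nonce mismatch"
    return None


def match_login_email(login_email, id_token_claims, userinfo):
    """The address typed at the login form must appear in the IdP-provided
    'emails' claim (ID token or userinfo); comparison is case-insensitive."""
    wanted = login_email.strip().lower()
    candidates = _emails_from(id_token_claims) | _emails_from(userinfo)
    return wanted in candidates


def complete_sso_login(login_email, id_token_claims, userinfo, nonce, now=None):
    """Return (ok, reason): only a valid token AND a matching email starts a session."""
    err = validate_id_token(id_token_claims, nonce, now)
    if err:
        return False, err
    if not match_login_email(login_email, id_token_claims, userinfo):
        return False, "email not in IdP-provided emails"
    return True, "ok"
```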