SSO Question


Osman

Morning All,

I am reasonably certain that this has been asked for before, I just can't find it in the community. When we access our SSO URL in a browser that has an active, signed-in session, we are always presented with the Single Sign-On/Direct Login options. Is there any way to adjust this so that the system detects the signed-in status of the browser and immediately provides access? This is more of an issue for Basic users accessing the portal.

Thanks

Osman


@Osman

Ahh sorry, I had misread your original post. You are asking if you can simply bypass the login page altogether. This was discussed extensively on the forums when this was first implemented; the short answer is no, there is no way to bypass that login page. This is precisely because there is more than one option, and, should you need to log in with a different method, you need a way of getting to those. What we have implemented now is the best compromise to meet all of the various login/authentication requirements.

Gerry 


Hi Gerry,

I am not sure that I would say bypass it altogether, I am thinking more that we would have either:

- A URL that uses SSO without choice of direct login that we would be able to publish internally;

- The sign-in page has a detection method that can see that the browser is signed in with a valid SSO account and sign straight in without displaying the options. We have other SaaS systems that are capable of doing this, our room booking system for example.

Thanks

Osman


@Osman

I got what you are asking for. The problem is, we are having to cater for a large number of scenarios. There are various ways of logging into the system: SSO is one, SSO with more than one IdP is another, there is passport, direct login, support passcode login etc. We do not detect if there is already a login; that's not possible because the cookie(s) that exist are rooted to a different domain. In order to just pass through, what we have to do is initiate the SSO cycle, which involves redirecting to the IdP, and the IdP then redirects the browser back to our server. Catching all the variations of things that can go wrong here is complicated. When implementing these sorts of things we have to do things that work for everyone, and so the design decision was taken to first have a landing page, so we have a way of presenting the choices needed. I acknowledge it's technically possible to just do SSO directly, but because our login/landing page for logging into Hornbill has to cater for both users of the system as well as basic users (your end users) of the system, what we have now works for all cases.

The special URL suggestion "may" be possible, but then we would place certain handcuffs on ourselves for features we may want to add in the future, so at this time, this is not something we will be adding to the product.

Gerry
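
The point above that the existing cookies are rooted to a different domain follows from the browser's cookie-matching rules, sketched here as an added example that is not part of the thread and not Hornbill's code. It implements RFC 6265 domain and path matching (IP-address hosts omitted); all hostnames and cookie names are constructed for illustration.

```javascript
// Constructed cookie jar: an identity provider (IdP) session and a
// service provider (SP) session. Hostnames and names are hypothetical.
const jar = [
  { name: "idp_session", domain: "login.idp.example", hostOnly: true,  path: "/" },
  { name: "idp_pref",    domain: "idp.example",       hostOnly: false, path: "/" },
  { name: "sp_session",  domain: "portal.sp.example", hostOnly: true,  path: "/" },
];

// RFC 6265 section 5.1.3: identical, or the cookie domain is a suffix of the
// host on a label boundary (the character before the suffix is a dot).
function domainMatch(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase();
  return h === d || h.endsWith("." + d);
}

// RFC 6265 section 5.1.4: identical, or the cookie path is a prefix of the
// request path that ends on a "/" boundary.
function pathMatch(reqPath, cookiePath) {
  if (reqPath === cookiePath) return true;
  if (!reqPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || reqPath[cookiePath.length] === "/";
}

// Names of the cookies a browser would attach to a request for `url`.
// Host-only cookies (set without a Domain attribute) need an exact host match.
function cookiesSentTo(url, cookies) {
  const { hostname, pathname } = new URL(url);
  return cookies
    .filter((c) =>
      (c.hostOnly ? hostname === c.domain.toLowerCase()
                  : domainMatch(hostname, c.domain)) &&
      pathMatch(pathname, c.path))
    .map((c) => c.name);
}

// The SP's landing page receives only its own cookie, so it has no view of
// the IdP session; only a redirect to the IdP host carries the IdP cookies.
console.log(cookiesSentTo("https://portal.sp.example/login", jar));
console.log(cookiesSentTo("https://login.idp.example/sso", jar));
```
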
