Question about a new SSO option

  • 14 April 2018
  • 5 replies
  • 105 views

Userlevel 3
Badge +6
Hey,
 
So I've just found some new options that were published on April 8th I believe. One of hte options is single sign-on which looks really really useful for some of our implementation.
However, we use one user account for all commands sent via Unity. This account has access to ALL our sites. When using the single sign-on option it seems that this is the user account which ends up being used to sign-on. This is not ideal as we have technician accounts who only have access to their own clients, not everything.
I could have each tech create a Unity client id and secret and store that info.
Is ther any other means that this could be achieved?

5 replies

Userlevel 3
Badge +6
Some testing has brought be to a solution.
We needd to maintain the technician's GSM passwords and then generate the token using their username and password.
 
Cheers,
Chris
Userlevel 4
Badge +9
Hi @,
 
You probably have this already, but the basic authentication portion of generating the access / refresh token is not enough to have that user successfully run the SSO request. The username that is used to generate the token must also be an admin of that GSM Console (and site if you are linking there.) Please be sure to also verify that the admin has full control or view only on the parent keycode, otherwise the console will appear empty.
 
Best regards,
Joseph R.
Userlevel 3
Badge +6
Thanks Joseph.
The users in question are all admin users. So I believe this will work within the parameters of what you have indicated.
I have tested it with Postman and it worked as expected, or at least in a way that works for me.
Thanks!
Chris
 
Userlevel 4
Badge +9
Hi Chris,
 
Fantastic to hear, we're really glad you guys are finding that useful. We are always interested in hearing feedback on new functionality so we can develop around the needs of our partners. Feel free to reach out any time a use case pops up, we really appreciate the feedback.
 
Best regards,
Joseph
Userlevel 3
Badge +6
Sure...
I will try to explain how we are going to start using the SSO option if you like, and I will tell you that when I first read the documentaiton for the Single Sign On I was VERY VERY excited.
For reference, we now have 4 GSM consoles and we add new sites to the most recent one, and thus our technicians deal with clients which are on each of the different GSMs. When a tech wants to make a change to a client's GSM site they don't always know which GSM the client is located on. We have named them with a date they were setup, so if we can remember when we set the client up we can go to that GSM. However, we all have better things to fill our heads with.
I had already created way of listing each technicians clients which displays the GSM name and other details. This was the first easy way we could provide to make it easier for them to locate a client's GSM site.
We also have each technician added as a Limited GSM admin on each of their own client's sites.
So, now on that same list we are implementing the Single Sign On option to cut through having to find which GSM the client's site is located on. They can now just click a link, enter their user details for the Webroot GSM and will be brought right into the client's GSM site.
I like that the user can then move out to view their other client sites, or move to another GSM.
The only quirk is that if someone doesn't log out of the GSM and they use another link our listing they are directed to the GSM login screen. I understand why, because they are technically still logged in, and it this logs them out.
But as long as the user logs off the GSM then it is all good.
I'm really impressed with the level of access the Unity API provides and it works really well for us.
Kind Regards,
Chris

Reply