Enterprise Authentication: Single Sign On
For our enterprise customers, we support Single Sign On (SSO) capabilities. You must have an unlimited license to use Single Sign On with Resimion, and be paying annually (or reach an agreement with us if you are paying monthly). There is no additional annual cost for SSO, but it takes us time to configure, so we want to avoid setting it up for a customer who pays for a single month and then stops using the Resimion platform.
Note: We use Amazon Web Services Cognito authentication for our users, with full auditing and device fingerprinting turned on, and with the option to enforce SMS codes and/or MFA if you enable it. Password complexity is also set very high, at levels beyond those in Office 365/Azure AD. Resimion’s default authentication and authorisation models are therefore likely to be more secure than those of universities or other organisations relying on ADFS or Azure AD authentication, so do think carefully before you request that we enable SSO for you. If your university’s or organisation’s Office 365 or AD is compromised, then every third-party service your accounts reach through SSO is compromised as well!
Resimion does not store usernames or passwords itself, and passwords are held by Amazon Web Services only in one-way (hashed) form. You can find out more about Amazon Web Services security here: https://docs.aws.amazon.com/cognito/latest/developerguide/security.html
Once SSO is enabled, you continue to use Resimion in the normal way, but Resimion will detect that a student or staff email address is subject to Single Sign On based on its domain name (e.g. acme-uni.ac.uk). This then kicks off a single sign on workflow, which authenticates the user and allows them to use Resimion. Resimion does not create a user account for this user; it uses only the email address passed over as part of the sign on flow.
You will continue to do the following in Resimion:
- Invite students in the normal way
- Allocate users in the normal way
- View results, scores and other data
Users will no longer need to set up an account, verify an email address with the 6-digit code, or provide a password.
We support OpenID, OAuth2 and SAML for authorisation and authentication, and can be very flexible about integration. Note that it is not possible to stop students or learners using personal email addresses to sign up for the platform should they wish, but you can restrict who can run your Resims/scenarios when you design and configure them, limiting them to particular domain names or allocations only.
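As an added illustration (not Resimion’s own code), the two domain-based decisions described above in Python: routing a sign-in to SSO or to the default Cognito flow by email domain, and restricting a scenario to particular domains. The SSO registry, protocol labels and function names are constructed for this example.

```python
from typing import Optional

# Constructed registry (not Resimion's): e-mail domains with SSO enabled, each
# mapped to the identity provider that is authorised to assert that domain.
SSO_DOMAINS = {
    "acme-uni.ac.uk": {"idp": "azure-ad", "protocol": "oidc"},
}


def email_domain(email: str) -> str:
    """Lower-cased domain part of an address, or '' when the address is malformed."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain or "@" in local:
        return ""
    return domain.lower()


def route_sign_in(email: str) -> dict:
    """Home-realm discovery: start SSO when the domain is registered, else the default Cognito flow.

    A personal address, or a look-alike such as user@acme-uni.ac.uk.example, is not
    in the registry and therefore gets the normal Cognito sign-up.
    """
    domain = email_domain(email)
    if domain in SSO_DOMAINS:
        return {"flow": "sso", **SSO_DOMAINS[domain]}
    return {"flow": "cognito"}


def accept_assertion(asserted_email: str, issuer_idp: str) -> Optional[str]:
    """Return the normalised identity carried in the SSO response, or None to reject it.

    No local account exists, so the e-mail in the response is the identity. It is
    trusted only when its domain is one the answering provider is registered for,
    so a misconfigured or hostile tenant cannot assert another domain's users.
    """
    domain = email_domain(asserted_email)
    realm = SSO_DOMAINS.get(domain)
    if realm is None or realm["idp"] != issuer_idp:
        return None
    return asserted_email.strip().lower()


def may_run_scenario(email: str, allowed_domains: set) -> bool:
    """Scenario-level domain restriction, applied regardless of how the user signed in."""
    domain = email_domain(email)
    return bool(domain) and domain in {d.lower() for d in allowed_domains}
```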
For those using Azure AD, we have an enterprise application which can be authorised and complete the integration quickly.
Setting it up
To set this up, please contact us. We will need to know your identity provider (for example Azure AD, ADFS, Amazon Directory Services, etc) and we can then send you the relevant guide.
To give you an idea of how this is configured for an Azure AD provider, it is as easy as:
- Authorise our Enterprise Application in your Azure AD (this will need a user with Global Administrator rights)
- Make sure all users are configured to be able to sign in, unless you specifically wish to restrict it
- Test that the integration has worked.
For any existing users pre-SSO, we will migrate them over to SSO as part of the integration.
Typically it takes about 30 minutes to configure and test the integration, but it will depend on your change control processes.
If you have any questions about this process, please email us at email@example.com.