Overview of Single Sign-on
To support customers with centralized user management requirements, single sign-on (SSO) can be enabled for your Grayscale account. Once enabled and configured, access to Grayscale will be controlled by your identity provider, and all users in your account will be required to use SSO when logging in.
Grayscale can be configured to work with any identity provider that supports both the SAML 2.0 standard (for user authentication) and the SCIM 2.0 standard (for user provisioning).
To support the large number of Grayscale customers using Okta as their identity provider, Grayscale has published a pre-built app to the Okta Integration Network.
Your Grayscale Customer Success Manager will coordinate enabling and configuring SSO, but your IT team will need to be involved in the process; specifically, the team responsible for administering your identity management system.
Implementation Considerations
Enabling SSO in Grayscale is a simple and straightforward process, but there are a few things to know before implementing:
Your identity management system must be able to supply the following user attributes to Grayscale:
First name
Last name
Email address
Phone number (optional, but recommended)
By default, users will be able to enter and edit their own phone numbers (used for Call Forwarding). If you want to provide the numbers through the identity management system instead, you can let us know at any time.
All users will be required to use SSO when logging into Grayscale. It’s not possible to make exceptions for any subset of users.
The default session timeout is 30 minutes, but can be increased to 1, 2, 4, or 8 hours.
Users will no longer be created, updated, or disabled in Grayscale; instead, these actions need to happen in your identity management system.
Password resets will no longer be triggered from Grayscale; instead, passwords will need to be reset in your identity management system.
Profile pictures will still be set and updated exclusively in Grayscale.
All new users will receive the ‘Users’ role by default. Users can be assigned the admin role inside of Grayscale.
Users will not be able to use Grayscale's iOS and Android apps. SSO support for these apps is still in development. In the meantime, users who require mobile access can log in to Grayscale through their phone's web browser.
For more on User Management, check out this article.
SSO Enablement Process
Enabling SSO in your Grayscale account requires involvement by three people:
Your Grayscale Customer Success Manager.
Your Grayscale administrator.
An administrator of your identity management system (Okta, Azure AD, JumpCloud, etc.).
We’ve found it’s easiest to get all three people on a call and enable SSO on both sides simultaneously. Once enabled, SSO is required for all users, so enabling simultaneously on a call helps minimize downtime for your users. Once you’re ready to enable SSO, reach out to your Grayscale Customer Success Manager who will help you coordinate a call.