Support for multiple IdPs

Condeco can be configured to seamlessly integrate with multiple identity providers to authenticate your users.

The user experience

The user experience when multiple IdPs are implemented is very similar to a single IdP implementation and just includes one additional step. Before proceeding through the usual authentication process, the user must enter their full email address:

Once the full email address is entered and authenticated, the user is directed to the usual login page for the domain of that email address, where they sign in to Condeco.

SAML user flow

The following is the authentication flow for SAML when a user launches Condeco or enters the Condeco URL:

  1. The request is redirected to the Condeco SSO endpoint URL through the startSAML.aspx page.
  2. Once received, the request is checked for the ‘PartnerIdpId’ parameter.
    1. If the ‘PartnerIdpId’ parameter does not exist, the policy is skipped and the next available policy is applied.
    2. If the policy is matched with the configured ‘PartnerIdpId’ result value, the user is redirected to a sign-on page (Identifier First Adapter HTML page) to enter their email address.

The policy validator validates the domain of the entered email address and redirects the user to the IdP connection configured for that domain.

OAuth user flow

The following is the authentication flow for OAuth when a user launches Condeco or enters the Condeco URL:

  1. The request is redirected to the Condeco SSO endpoint URL through the startSAML.aspx page.
  2. Once received, the request is checked for the ‘Client_ID’ parameter.
    1. If the ‘Client_ID’ parameter does not exist, the policy is skipped and the next available policy is applied.
    2. If the policy is matched with the configured ‘Client_ID’ result value, the user is redirected to a sign-on page (Identifier First Adapter HTML page) to enter their email address.

The policy validator validates the domain of the entered email address and redirects the user to the IdP connection configured for that domain.
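The identifier-first routing described in the SAML and OAuth flows above, modelled as an added Python example (not Condeco's own code): the policy chain skips a policy whose parameter is absent, matches on the configured value, then maps the domain of the entered email address to an IdP connection. The policy values, domain table and connection names are constructed placeholders.

```python
from typing import Optional

# Constructed configuration (placeholders): email domain -> IdP connection name.
IDP_CONNECTIONS = {
    "example.com": "idp-example-com-saml",
    "example.org": "idp-example-org-saml",
}

# Constructed policy chain: each policy keys on one request parameter.
POLICIES = [
    {"param": "PartnerIdpId", "value": "condeco-multi-idp", "flow": "SAML"},
    {"param": "Client_ID", "value": "condeco-oauth-client", "flow": "OAuth"},
]


def select_policy(query: dict) -> Optional[dict]:
    """Walk the policy chain. A policy whose parameter is missing from the
    request is skipped and the next one is tried; a policy only matches when
    the parameter equals the configured result value."""
    for policy in POLICIES:
        value = query.get(policy["param"])
        if value is None:
            continue  # parameter absent: skip this policy
        if value == policy["value"]:
            return policy
    return None


def email_domain(email: str) -> Optional[str]:
    """Extract and normalise the domain of a full email address (None if malformed)."""
    email = email.strip()
    if email.count("@") != 1:
        return None
    local, domain = email.split("@")
    if not local or not domain or "." not in domain:
        return None
    return domain.lower().rstrip(".")


def route_user(query: dict, email: str) -> dict:
    """Decide where the identifier-first step sends the user."""
    policy = select_policy(query)
    if policy is None:
        return {"action": "no_policy"}  # fall through to default handling
    domain = email_domain(email)
    if domain is None:
        return {"action": "reject", "reason": "malformed_email"}
    connection = IDP_CONNECTIONS.get(domain)
    if connection is None:
        # Log the reason internally; show the user a generic error so the
        # page does not reveal which domains are configured.
        return {"action": "reject", "reason": "unknown_domain"}
    return {"action": "redirect", "flow": policy["flow"], "idp": connection}
```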

Language support

If the language is supported, the login page is automatically translated to the language of the browser. The following languages are supported:

  • English (UK)
  • English (US)
  • French
  • German
  • Italian
  • Portuguese (BR)
  • Spanish

Limitations

We do not recommend integrating Condeco with multiple IdPs if you are using the Condeco Outlook Com+ plug-in with SSO.

When integrating with multiple IdPs, the new registration form only pre-populates the username. The additional fields must be entered manually.

How to request support for your multiple IdPs

Condeco does not support multiple identity providers (IdPs) by default. Follow these steps to enable the service:

  1. For each Active Directory, provide the following to your Condeco representative:
    1. Domain name.
    2. Metadata file (one for each domain). Metadata is an XML document containing the information necessary for interaction with identity or service providers (e.g. endpoint URLs, supported bindings, identifiers and public keys).
  2. Once received, Condeco provides an Assertion Consumer Service (ACS) URL and Entity ID.
  3. Register Condeco on each Active Directory.
