Enable true multi-tenant Single Sign On

Idea created by 7008735 on May 25, 2016
    Long term plan

    (Originally posted on 16 April 2015)

    We have been successfully using Samanage SAML SSO with Microsoft Azure for some time now. This means that when one of our users browses to myapps.microsoft.com, they can click the Samanage icon in the App Panel and be automatically signed in to Samanage. Likewise, when they go to houlder.samanage.com, they'll be redirected to Azure to be authenticated, then signed into Samanage. It works great.


    The problem comes when we have a third party (contractor, consultant, etc.) who does not have an @houlderltd.com address (john.doe@hotmail.com for instance).


    We can create john.doe@hotmail.com as a user in Samanage. He gets an email invitation and clicks on the link to sign in. But he can't, since he doesn't exist in Azure Active Directory. There's no way for him to log in.


    There are two ways around this at present:
    1. Create him as an 'External User' in Azure Active Directory. But this requires him to sign up for a Microsoft account under john.doe@hotmail.com, which he might not be willing or able to do.
    2. Disable Samanage SSO altogether and force all users, internal and external, to sign in directly to Samanage.


    Other SaaS applications allow 'multi-tenanting' where it will know that all users with email addresses ending @houlderltd.com should go through SSO, and all unknown email addresses should sign directly into the SaaS application using its own authentication and stored passwords. Zendesk is an example of SaaS software that can do this. It would be good if Samanage could build this feature too.
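    The routing behaviour described above is usually called home-realm discovery: the service looks at the domain part of the address the user types and sends federated domains to their IdP while everyone else gets the local password form. The example below is an added illustration written for this page; it is not Samanage's or Zendesk's code, and the `HomeRealmRouter` class, the `AuthRoute` type and the Azure AD entity-ID placeholder are assumptions. The one point worth carrying over to any real implementation is in `local_login_allowed`: an address in a federated domain must be refused at the local-password endpoint, otherwise a stored or reset password becomes a way around SSO for exactly the accounts that are supposed to be protected by it.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Mapping, Optional


class AuthMethod(Enum):
    SAML = "saml"    # redirect the browser to the tenant's IdP
    LOCAL = "local"  # show the service's own username/password form


@dataclass(frozen=True)
class AuthRoute:
    method: AuthMethod
    idp_entity_id: Optional[str] = None  # populated only for SAML routes


def _domain_of(email: str) -> str:
    """Return the lower-cased domain part of an address, or raise ValueError."""
    addr = email.strip()
    if addr.count("@") != 1:
        raise ValueError(f"malformed email address: {email!r}")
    local, domain = addr.rsplit("@", 1)
    if not local or not domain or "." not in domain:
        raise ValueError(f"malformed email address: {email!r}")
    return domain.lower()


class HomeRealmRouter:
    """Decide, per address, whether login goes via SAML or the local form.

    `federated_domains` maps an email domain the tenant has proven it owns
    to the entity ID of the IdP that authenticates that domain. Matching is
    exact and case-insensitive: a subdomain such as it.houlderltd.com is
    only federated if it is listed on its own, which avoids silently
    routing addresses the tenant never verified.
    """

    def __init__(self, federated_domains: Mapping[str, str]):
        self._domains = {d.lower(): idp for d, idp in federated_domains.items()}

    def route(self, email: str) -> AuthRoute:
        domain = _domain_of(email)
        idp = self._domains.get(domain)
        if idp is not None:
            return AuthRoute(AuthMethod.SAML, idp)
        # Unknown domain: contractors like john.doe@hotmail.com land here.
        return AuthRoute(AuthMethod.LOCAL)

    def safe_route(self, email: str) -> Optional[AuthRoute]:
        """Variant for a login form: None for malformed input instead of an exception."""
        try:
            return self.route(email)
        except ValueError:
            return None

    def local_login_allowed(self, email: str) -> bool:
        """Guard for the password endpoint: federated addresses must never
        authenticate with a locally stored password, even if one exists."""
        return self.route(email).method is AuthMethod.LOCAL


# Constructed sample tenant configuration (the entity ID is a placeholder,
# not a real Azure AD tenant).
ROUTER = HomeRealmRouter({
    "houlderltd.com": "https://sts.windows.net/<TENANT-ID-PLACEHOLDER>/",
})


if __name__ == "__main__":
    for addr in ("John.Doe@HoulderLtd.com", "john.doe@hotmail.com", "x@it.houlderltd.com"):
        r = ROUTER.route(addr)
        print(f"{addr:30} -> {r.method.value:5} {r.idp_entity_id or ''}")
```

    In a web handler the password form would call `local_login_allowed` before checking any credential and, for a federated address, respond with the same redirect `route` produces rather than a password prompt, so the two paths cannot diverge.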

    What problem will this feature solve?: