Supported third-party identity provider - Microsoft Azure Active Directory (work and school accounts). Protocols: OAuth2, OpenID Connect.
Single Sign-On (SSO) - allows our clients to manage their organisation’s membership via a third-party identity provider.
The main benefits of Single Sign-On:
Reduces password fatigue. Remembering one password instead of many makes users’ lives easier. As a tangential benefit, it gives users greater incentive to come up with strong passwords.
Simplifies username and password management. When personnel changes take place, SSO reduces both IT effort and the opportunity for mistakes: an employee leaving the organization loses access as soon as their account is disabled in the identity provider, with no separate Strivr password to revoke.
Improves identity protection. With SSO, companies can strengthen identity security with techniques such as two-factor authentication (2FA) and multi-factor authentication (MFA).
Strivr Azure Active Directory setup
The Strivr application is registered in the “Strivr AB” Azure Active Directory as a multi-tenant application, which means it accepts work and school accounts from any organisation's Azure AD tenant (personal Microsoft accounts are not accepted).
During the first sign in, Strivr requests basic profile information about the user through the Microsoft consent screen. In addition, Strivr receives the list of Azure AD groups the user is a member of (only the group object IDs, nothing else) so that access can be validated for that specific Microsoft tenant and user.
Clients controlling more than one Strivr organization might need more granular control over who can access which organization from the same Azure AD tenant. Because Strivr receives the list of Azure AD group IDs a user is a member of, each organization can be configured to admit only users who belong to specific groups, and a user is then assigned only to the organizations whose groups they are in.
To use this, create separate security groups in your Azure AD tenant, assign the members, and provide Strivr with a list of Strivr organizations mapped to the corresponding group IDs so we can set it up.
💡 This logic applies only to users newly created in Strivr. Existing users keep their current organisations, and moving an existing Strivr user to a different Azure AD group has no effect, so that the referential integrity of their data is preserved. If you would like to change an existing user's access, please contact Strivr.
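The group-based assignment described above, as an added example that is not Strivr's own code. It assumes the ID token has already been validated (signature, issuer, audience, expiry) by the OpenID Connect library, and works on the resulting claims: `tid` (tenant ID), `oid` (user object ID) and `groups` (group object IDs). The organization names, tenant IDs and group IDs are constructed for illustration. Two details a practitioner should care about are shown: group IDs are only meaningful inside their own tenant, so an organization's tenant ID is checked before its groups are, and when a user is in more group than Azure AD will put in a token, the `groups` claim is replaced by a `_claim_names`/`_claim_sources` overage indicator, which is treated as an error rather than as "no groups".

```python
# Hypothetical configuration: each Strivr organization is bound to one Azure AD
# tenant and to the security-group object IDs that grant access to it.  An empty
# group set means every user of that tenant may access the organization.
# All names and IDs are constructed for this example.
ORG_CONFIG = {
    "acme-sales": {
        "tenant_id": "11111111-1111-1111-1111-111111111111",
        "group_ids": {"aaaaaaaa-0000-0000-0000-000000000001"},
    },
    "acme-warehouse": {
        "tenant_id": "11111111-1111-1111-1111-111111111111",
        "group_ids": {"aaaaaaaa-0000-0000-0000-000000000002"},
    },
    "globex": {
        "tenant_id": "22222222-2222-2222-2222-222222222222",
        "group_ids": set(),  # no group restriction
    },
}


class GroupsNotInToken(Exception):
    """Azure AD omitted the groups claim (too many groups to embed)."""


def organizations_for_claims(claims, org_config=ORG_CONFIG):
    """Return the set of organizations a newly created user is assigned to.

    `claims` is the already-validated ID token payload (dict).
    """
    tenant = claims.get("tid")
    if not tenant:
        return set()

    if "groups" in claims:
        groups = set(claims["groups"])
    elif "groups" in claims.get("_claim_names", {}):
        # Group overage: the groups must be fetched from Microsoft Graph
        # instead.  Failing closed here avoids silently granting nothing
        # (or, with a careless "no restriction" default, everything).
        raise GroupsNotInToken("groups claim replaced by overage indicator")
    else:
        groups = set()

    orgs = set()
    for name, cfg in org_config.items():
        # Group IDs from another tenant must never satisfy this organization's
        # restriction, even if the IDs happened to collide, so check the
        # tenant first.
        if cfg["tenant_id"] != tenant:
            continue
        if not cfg["group_ids"] or groups & cfg["group_ids"]:
            orgs.add(name)
    return orgs


def assign_organizations(claims, existing_orgs=None, org_config=ORG_CONFIG):
    """Apply the rule above: existing users keep their organizations untouched;
    only users created by this sign in are assigned from their groups."""
    if existing_orgs is not None:
        return set(existing_orgs)
    return organizations_for_claims(claims, org_config)


if __name__ == "__main__":
    # Constructed claims for a first-time user of the Acme tenant.
    sample = {
        "tid": "11111111-1111-1111-1111-111111111111",
        "oid": "cccccccc-0000-0000-0000-000000000099",
        "groups": ["aaaaaaaa-0000-0000-0000-000000000001",
                   "bbbbbbbb-0000-0000-0000-000000000007"],
    }
    print(sorted(assign_organizations(sample)))
```

The `existing_orgs` parameter stands in for whatever the application already stores for a returning user; passing it short-circuits the group logic, which is exactly the behaviour the note above describes.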
Successful authentication via the external identity provider results in a shorter session lifetime: each sign in establishes a new session that lasts 12 hours. When the session expires, the user is redirected to the sign in screen and goes through the identity provider again. The shorter lifetime limits how long a user can keep accessing Strivr after being deactivated in the provider's directory, because deactivation does not terminate an already established Strivr session; the user loses access at the next sign in, which is at most 12 hours away. If a user must be cut off immediately, contact Strivr.
💡 Given the nature of session authentication, this behaviour is subject to change in the future.
Existing user passwords
An existing Strivr user can also sign in via the external identity provider. Both methods remain available to that user: they can keep signing in with their Strivr password as before, or sign in via the third-party identity provider. If you want to require all of your users to sign in through the identity provider, contact Strivr and we will convert the accounts accordingly.
Inviting new users
Whether your organization uses an external identity provider or internal users only, your organization administrators can still invite users via email. The invitee creates their own password and can log in with it as usual.
💡 This is the initial implementation of Single Sign-On in Strivr and covers only the sign in. There is no organization management panel that would let clients do the configuration themselves; any new setup or change to an existing configuration should be addressed to Strivr.
Provide your Tenant ID to Strivr. It can be found in the Azure Portal under Azure Active Directory.
(optional) More granular access control within your tenant can be achieved using Groups. Strivr can limit organization access to specific groups of your tenant; in that case, provide the Group IDs (object IDs) of those groups.
If you have more than one organization in Strivr, we can apply different Group IDs to each of them.