Single Sign-On
Written by Kestutis Vansavicius
Updated over a week ago

Supported third-party identity provider - Microsoft Azure Active Directory (work and school accounts). Protocols: OAuth2, OpenID Connect.

Single Sign-On (SSO) - allows our clients to manage their organisation’s membership via a third-party identity provider.


The main benefits of Single Sign-On:

  • Reduces password fatigue. Remembering one password instead of many makes users’ lives easier. As a tangential benefit, it gives users greater incentive to come up with strong passwords.

  • Simplifies username and password management. When changes of personnel take place, SSO reduces both IT effort and opportunities for mistakes. Employees leaving the organization relinquish their login privileges.

  • Improves identity protection. With SSO, companies can strengthen identity security with techniques such as two-factor authentication (2FA) and multi-factor authentication (MFA).


Daymi Azure Active Directory setup

The Daymi application is set up against the “Daymi AB” Azure Active Directory in a multi-tenant configuration that accepts only work and school accounts from other organisations on Microsoft.

To complete a sign-in, Daymi requests basic personal information about your users via a consent screen the first time they sign in. In addition, Daymi also receives the list of groups (containing only unique group IDs, nothing else) the user is a member of, in order to perform the access validation for that specific Microsoft tenant and user.

Groups (optional)

Clients controlling more than one Daymi organization might need more granular control over who can access which organizations from the same Azure AD tenant. The Daymi application receives a list of Azure AD group identifiers the user is a member of. Depending on how each organization is set up in Daymi, it can assign each user only to specific organizations according to the groups provided.

To make use of this logic, the client should create separate security groups and assign members within their Azure AD tenant, then provide Daymi with a list of Daymi organizations mapped to those group identifiers so the mapping can be set up.

💡 This logic applies only to newly created users in Daymi. All existing users keep their organisations as is. Moving existing Daymi users to different groups in Azure AD has no effect, in order to preserve the referential integrity of the data. If you would like to change existing users' access, please contact Daymi.
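The access-resolution rule described in this section, as an added example that is not Daymi's own code: a list of group IDs received from the identity provider is resolved against a group-to-organization mapping, unknown groups grant nothing, and the mapping is applied only when the user is first created (an existing user keeps the organizations they already have). The mapping, the organization names and the GUID-shaped group IDs are constructed placeholders, not real tenant values.

```python
"""Resolve which Daymi organizations a user may access from Azure AD group IDs.

Added example, not Daymi's implementation. It assumes a static mapping from
group ID to organization names; in practice that mapping is whatever the client
provided to Daymi during setup.
"""
from dataclasses import dataclass, field

# Constructed sample mapping: GUID-format placeholders, not real group IDs.
FINANCE_GROUP = "11111111-1111-1111-1111-111111111111"
LOGISTICS_GROUP = "22222222-2222-2222-2222-222222222222"
BOTH_GROUP = "33333333-3333-3333-3333-333333333333"

GROUP_TO_ORGS = {
    FINANCE_GROUP: {"Acme Finance"},
    LOGISTICS_GROUP: {"Acme Logistics"},
    BOTH_GROUP: {"Acme Finance", "Acme Logistics"},
}


@dataclass
class User:
    upn: str
    organizations: set = field(default_factory=set)
    is_new: bool = True  # True until the first successful SSO sign-in is processed


def organizations_for_groups(group_ids, mapping=GROUP_TO_ORGS):
    """Union of the organizations granted by every reported group.

    Groups that are not in the mapping contribute nothing, so a user whose
    token carries only unmapped groups ends up with an empty set.
    """
    orgs = set()
    for gid in group_ids:
        orgs |= mapping.get(gid, set())
    return orgs


def resolve_access(user, group_ids, mapping=GROUP_TO_ORGS):
    """Apply the rule from the page: groups decide organizations only for a
    newly created user. Existing users keep their organizations unchanged,
    regardless of what groups the provider reports now.

    Returns a copy of the user's organization set after this sign-in.
    """
    if not user.is_new:
        return set(user.organizations)
    user.organizations = organizations_for_groups(group_ids, mapping)
    user.is_new = False
    return set(user.organizations)


def can_access(user, organization):
    """Authorization check for a single organization."""
    return organization in user.organizations


if __name__ == "__main__":
    alice = User("alice@example.test")
    print(resolve_access(alice, [LOGISTICS_GROUP]))        # {'Acme Logistics'}
    # A later sign-in with a different group does not move the existing user.
    print(resolve_access(alice, [FINANCE_GROUP]))          # {'Acme Logistics'}
    print(can_access(alice, "Acme Finance"))                # False
```

The check worth noticing is the empty result: a brand-new user whose groups match nothing should be denied rather than silently placed in a default organization, which is why `organizations_for_groups` never falls back to anything.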

Session age

Successful authentication via an external identity provider results in a shorter session age. Each sign-in establishes a new session for 12 hours. After the session expires, the user is redirected to the sign-in screen to repeat the sign-in process. The shorter session age narrows the window during which a user can still access Daymi after being deactivated in the provider's directory: deactivating the user does not affect their already established session.

💡 Given the nature of session authentication, this is subject to change in the future.
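The session behaviour described above, as an added example that is not Daymi's code: a sign-in consults the provider's directory and establishes a 12-hour session, but access checks during that session look only at the session's expiry, so a deactivation in the directory takes effect at the next sign-in, and the worst-case exposure window is the session lifetime. The directory contents and timestamps are constructed for the example.

```python
"""Model of the SSO session lifetime and the deactivation caveat.

Added example, not Daymi's implementation. The 12-hour lifetime comes from
the page; the in-memory "directory" stands in for the identity provider.
"""
from datetime import datetime, timedelta, timezone

SESSION_LIFETIME = timedelta(hours=12)

# Constructed stand-in for the identity provider's directory.
DIRECTORY = {
    "alice@example.test": {"enabled": True},
    "mallory@example.test": {"enabled": False},
}


def sign_in(upn, now, directory=DIRECTORY):
    """A fresh sign-in is the only point where the provider's state is consulted.
    Returns a session dict, or None when the account is disabled or unknown."""
    if not directory.get(upn, {}).get("enabled", False):
        return None
    return {"upn": upn, "established_at": now, "expires_at": now + SESSION_LIFETIME}


def session_is_valid(session, now):
    """Pure expiry check; deliberately does not look at the directory."""
    return session is not None and now < session["expires_at"]


def deactivate(upn, directory=DIRECTORY):
    """Disable the account in the provider. Existing sessions are untouched."""
    directory[upn]["enabled"] = False


def exposure_after_deactivation(session, deactivated_at):
    """How long a deactivated user can still use an existing session."""
    if session is None or deactivated_at >= session["expires_at"]:
        return timedelta(0)
    return session["expires_at"] - deactivated_at


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    s = sign_in("alice@example.test", t0)
    deactivate("alice@example.test")
    print(session_is_valid(s, t0 + timedelta(hours=11)))   # True: session still live
    print(session_is_valid(s, t0 + timedelta(hours=12)))   # False: expired
    print(sign_in("alice@example.test", t0 + timedelta(hours=12)))  # None: re-sign-in refused
    print(exposure_after_deactivation(s, t0 + timedelta(hours=1)))  # 11:00:00
```

From a detection standpoint the useful number is `exposure_after_deactivation`: an offboarding runbook for a Daymi tenant should treat the hours until the session expires as a period where the account's activity still needs watching.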

Existing user passwords

An existing Daymi user can also sign in via the external identity provider. The user will still be able to sign in with their password as usual as well as via the third-party identity provider. If the client wants to require all of their users to use the third-party identity provider, contact Daymi and we will convert the users accordingly.

Inviting new users

Whether your organization uses an external identity provider or internal users only, your organization administrators can still invite users via email. The invitee will create their own password and be able to log in using that password as usual.

Get started

💡 This is the initial implementation of Single Sign-On in Daymi, which covers only the sign-in. There is no organization management panel that would allow clients to do the configuration themselves; any new setup or change to an existing configuration should be addressed to Daymi.

  1. Provide your Tenant ID to Daymi. It can be found in the Azure Portal under Azure Active Directory.

  2. (optional) More granular access control within your tenant can be achieved using Groups. Daymi can limit organization access to specific groups of your tenant; in that case, provide the Group IDs of those groups.

If you have more than one organization in Daymi, we can apply different Group IDs to each of them.
