Cloud SSO Frequently Asked Questions

What is OpenID Connect?

OpenID Connect is an identity layer built on top of OAuth2 and compatible with it, so most systems that already support OAuth2 can support OpenID Connect with minimal changes.

Of note, OpenID Connect defines a /userinfo endpoint which facilitates the transfer of user profile information in a standardized way.

OpenID Connect and OpenID Authentication 1.0/2.0 are not the same. The former is the newer specification built on top of OAuth 2, and the latter is a much older, unsupported version of "OpenID" with a different protocol / specification.

Where can I find my OpenID Connect Discovery Document?

Your OpenID Connect Discovery document is always located at https://<Your-SSO-Domain>/.well-known/openid-configuration.

Your SSO domain is the domain for which you created a DNS CNAME record during your Cloud SSO onboarding.
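As an added example (not code from the Cloud SSO product), the following JavaScript builds the discovery URL for an SSO domain and sanity-checks a discovery document before a relying party trusts the endpoints in it: every required metadata field is present, the issuer matches the domain the document came from, and every endpoint is HTTPS on that same origin. The domain sso.example.org, the document contents and the endpoint paths are constructed sample data, not the product's actual values.

```javascript
// Added example: not the Cloud SSO product's code. Builds the discovery URL for an
// SSO domain and checks a discovery document before a relying party relies on it.
// Field names are the standard OpenID Connect Discovery metadata names.
const REQUIRED_FIELDS = [
  'issuer',
  'authorization_endpoint',
  'token_endpoint',
  'userinfo_endpoint',
  'jwks_uri',
];

function discoveryUrl(ssoDomain) {
  // The document is always at this well-known path under the SSO domain.
  return `https://${ssoDomain}/.well-known/openid-configuration`;
}

function checkDiscoveryDocument(ssoDomain, doc) {
  const problems = [];
  for (const field of REQUIRED_FIELDS) {
    if (typeof doc[field] !== 'string' || doc[field].length === 0) {
      problems.push(`missing ${field}`);
    }
  }
  if (problems.length > 0) return problems;

  // The issuer must be the HTTPS origin the document was fetched from; otherwise
  // ID tokens would be validated against an issuer the relying party never asked for.
  const expectedIssuer = `https://${ssoDomain}`;
  if (doc.issuer.replace(/\/+$/, '') !== expectedIssuer) {
    problems.push(`issuer ${doc.issuer} does not match ${expectedIssuer}`);
  }

  // Every endpoint must be HTTPS and on the issuer's origin, so authorization codes,
  // tokens and userinfo requests never leave the SSO domain.
  for (const field of REQUIRED_FIELDS.slice(1)) {
    let url;
    try {
      url = new URL(doc[field]);
    } catch (e) {
      problems.push(`${field} is not a valid URL`);
      continue;
    }
    if (url.protocol !== 'https:') problems.push(`${field} is not https`);
    if (url.origin !== expectedIssuer) problems.push(`${field} is not on the issuer origin`);
  }

  // The authorization code flow is what a typical server-side relying party uses.
  if (Array.isArray(doc.response_types_supported) &&
      !doc.response_types_supported.includes('code')) {
    problems.push('authorization code flow not advertised');
  }
  return problems;
}

// CONSTRUCTED sample document for the fictional domain sso.example.org; the
// endpoint paths are assumptions, not the product's actual paths.
const SAMPLE_DOMAIN = 'sso.example.org';
const SAMPLE_DOC = {
  issuer: 'https://sso.example.org',
  authorization_endpoint: 'https://sso.example.org/connect/authorize',
  token_endpoint: 'https://sso.example.org/connect/token',
  userinfo_endpoint: 'https://sso.example.org/connect/userinfo',
  jwks_uri: 'https://sso.example.org/.well-known/jwks',
  response_types_supported: ['code', 'id_token', 'code id_token'],
};

if (typeof module !== 'undefined' && require.main === module) {
  console.log(discoveryUrl(SAMPLE_DOMAIN));
  const problems = checkDiscoveryDocument(SAMPLE_DOMAIN, SAMPLE_DOC);
  console.log(problems.length === 0 ? 'discovery document looks sane' : problems);
}
```

A relying party would run this check once against the live document fetched from discoveryUrl(yourSsoDomain) and refuse to start the sign-in flow if the returned list is not empty; the same check is worth re-running whenever cached metadata is refreshed.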

What is an Identity Mode / Setting?

The Cloud SSO requires a connection to iMIS in order to know who is signed in. Currently, the Cloud SSO supports two distinct iMIS identity modes:

iMIS Cloud

In this mode, you configure a RiSE Client Application that the Cloud SSO uses to determine the currently signed-in user.

This mode is compatible with iMIS 2017, iMIS Cloud Professional (200), iMIS Cloud Enterprise (20.3), and iMIS 20.4.

On-Premise / Forms Authentication

In this mode, the base domain that the Cloud SSO and iMIS run on must be the same (e.g. *.example.org). You configure your Forms Authentication and Machine Key settings within the Cloud SSO app, which allows the Cloud SSO app to read and write which user is currently signed in.

This mode is only compatible with iMIS 2017.

Can I use the iMIS "On Behalf Of" feature alongside the Cloud SSO?

No. The "On Behalf Of" feature does not work with the Cloud SSO. Even if you impersonate someone in iMIS using On Behalf Of, the Cloud SSO will send the original (impersonating) user's information to the third party rather than the "on behalf of" user's.

This limitation is due to the way that the iMIS REST API and the built-in SSO iPart currently behave.

Does the Cloud SSO support single sign out / single logout?

Due to limitations with the iMIS API, single logout is not supported at this time.

Note that legacy customers who are on iMIS 2017 and are using the legacy Forms Authentication identity mode can use single logout, but this functionality is deprecated and will not work when switching to iMIS EMS (RiSE Client Application) identity mode.

What is the Reauthorization Grace Period setting?

The OAuth2 protocol dictates that the first time a user signs in to a particular third party application, the user must be shown a consent screen that tells the user what information of theirs is being sent to the third party.

The Reauthorization Grace Period is the period of time for which the user's consent decision is remembered (after which, the user will need to re-consent).

The minimum value is 2 months. The maximum value is 120 months (10 years).

Please refer to What is Admin Consent? for additional information.

Can the Reauthorization Grace Period be different per integration?

No, the Reauthorization Grace Period setting is system-wide.

What is Admin Consent?

The OAuth2 protocol dictates that the first time a user signs in to a particular third party application, the user must be shown a consent screen that tells the user what information of theirs is being sent to the third party.

For some internal integrations, it may be preferable to have an administrator automatically grant consent on behalf of all users in your organization.

To grant admin consent, click the "Edit" button next to an integration, and click the green "Grant Admin Consent" button at the top of the page.

Granting admin consent means that users will not see the "Allow / Deny" consent screen when signing in to this app for the first time. Granting admin consent also means that the Reauthorization Grace Period setting is ignored.

Can I revoke or reverse Admin Consent?

No. Once Admin Consent has been granted, it cannot be reversed.

If Admin Consent must be revoked, you will need to delete and then create a new, separate app connection, which will also mean updating the Client ID and Client Secret within the destination app.

Do the Create Account and Forgot Password links work with UAM?

Yes. You can use the Create Account and Forgot Password fields to link to the pages on your website where UAM is installed.

Can I use iMIS Cloud and Forms Auth at the same time?

No. These settings are mutually exclusive. Either iMIS Cloud / RiSE Client Application mode, or On-Premise / Forms Authentication mode must be used.

Which iMIS integration methods are supported in iMIS EMS?

The "iMIS Cloud" identity mode is compatible with iMIS 20.3.

Can I use the RiSE sign in page instead of the custom / branded one?

Yes. In order to use your existing RiSE sign in page, you must configure the Cloud SSO product to use iMIS Cloud identity settings.

On-premise / Forms Authentication mode is not supported with a RiSE sign in page.

Can I use Cloud SSO branding or custom Create Account / Forgot Password links with the RiSE sign-in page?

No. The Create Account, Forgot Password, and custom branding settings are not used if the iMIS Cloud identity mode / RiSE sign in page is used. These settings only apply to On-premise / Forms Authentication identity mode.

To use custom branding, you must customize the RiSE login page, or create a new RiSE login page that is specifically used for the Cloud SSO.

To facilitate app-specific customizations, the ClientId is passed as a query-string parameter to the RiSE login page. This allows you to check the ClientId with JavaScript and show certain elements only for certain SSO connections.
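As an added example (not code from the RiSE login page or the Cloud SSO product), this browser-side JavaScript reads the ClientId from the query string and shows only the page elements registered for that connection. It assumes the parameter is literally named ClientId (the exact name is not stated above, so the lookup ignores case); the client ids and element ids are constructed placeholders.

```javascript
// Added example: not code from the RiSE login page or the Cloud SSO product.
// Assumption: the client id arrives as a query-string parameter named "ClientId".
// Client ids and element ids below are CONSTRUCTED placeholders.
const SECTIONS_BY_CLIENT = {
  'lms-app-client-id-placeholder': ['lms-banner', 'lms-help-link'],
  'events-app-client-id-placeholder': ['events-banner'],
};

function clientIdFromQuery(search, paramName = 'ClientId') {
  // URLSearchParams handles percent-decoding; names are compared case-insensitively
  // because the casing of the parameter is not documented.
  const params = new URLSearchParams(search);
  for (const [key, value] of params) {
    if (key.toLowerCase() === paramName.toLowerCase()) return value;
  }
  return null;
}

function sectionsToShow(search, table = SECTIONS_BY_CLIENT) {
  const clientId = clientIdFromQuery(search);
  // Missing or unknown client id: show nothing client-specific. Never fall back
  // to "show everything", because the query string is attacker-controllable input.
  if (clientId === null || !Object.prototype.hasOwnProperty.call(table, clientId)) {
    return [];
  }
  return table[clientId];
}

function applyToDocument(doc, search) {
  // Hide every client-specific element, then reveal only those for this connection.
  const visible = new Set(sectionsToShow(search));
  const allIds = new Set(Object.values(SECTIONS_BY_CLIENT).flat());
  for (const elementId of allIds) {
    const element = doc.getElementById(elementId);
    if (element) element.hidden = !visible.has(elementId);
  }
}

// Only touch the DOM when running in a browser; the pure functions above are
// usable on their own for testing.
if (typeof document !== 'undefined' && typeof window !== 'undefined') {
  applyToDocument(document, window.location.search);
}
```

The client id in the URL is presentation input only: anyone can put any value in the query string, so it must never drive an authorization decision or disclose anything sensitive, and unknown values fall through to showing nothing client-specific.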

What happens if the user tries to go directly to the third party website or app?

If the user is not already signed in to iMIS / RiSE, the user will be prompted to sign in, and will then be immediately taken back to the third party.

If the user is already signed in, the user will be automatically signed in and taken back to the third party. This process is invisible to the user.

Can I disable a single client application / connection individually?

No, currently the only way to disable a single connection is to delete and recreate it. You'll be issued a new Client ID and Client Secret, and you'll have to set up the connection again with the third party.

Can I disable the entire SSO site (maintenance mode)?

Yes. On the System Settings page there is a Maintenance Mode switch; enabling it stops all SSO connections and displays a maintenance message to any user who attempts to use the SSO.

If a user tries to access a specific page, will they be returned to that page?

This depends on the OpenID Connect implementation at the third party; it is the third party's responsibility to implement this functionality. A number of options exist, including encoding the "Return To" path in the state parameter, or storing the "Return To" path in a cookie or session variable.

What profile data is sent over?

All profile data that is sent over is fully customizable by the customer, and is driven by an IQA. Whichever fields are exposed in the IQA are sent to the third party via the /userinfo endpoint.

The only data that is required to be sent to the third party application is the iMIS username, which depending on the customer's implementation may also be the user's primary email address.

Can I change the profile IQA that is used for each app / integration?

Yes. The profile IQA which drives the user's profile information that is sent to the third party is customizable on a per-integration basis. So the profile data that you send to your LMS vendor can be different from the profile data you send to your event vendor.