SSO Information for iMIS Staff
CSI's cloud-based SSO app enables your members to seamlessly sign in to third-party websites without the need for sync jobs, custom authentication/SSO solutions, or worse, sharing a username/password list. You control which third-party sites your members are allowed to sign in to, and there is no limit to the number of connected third-party applications you can have with your subscription.
How does it work?
CSI hosts an SSO relay server in our cloud platform. The only setup step required of you (if you already have a Cloud ID) is a DNS entry pointing "sso.example.org" to our SSO relay server. Once that is completed, users will be directed to "https://sso.example.org" to sign in, which allows us to host and manage the sign-in app for you, while users still see your trusted "example.org" base site.
And since the domain matches the iMIS domain, users who are already signed in to your iMIS system (via a RiSE-based members site or a direct SSO link such as Kentico) are automatically signed in to the Cloud SSO app. No password re-entry is required.
Conversely, users who successfully sign in through the Cloud SSO app are also signed in to any iMIS-based RiSE or direct SSO websites. It works both ways!
Typical Sign-on Scenarios
A member who has already used the Cloud SSO at least once and is already signed in via a RiSE member site or similar direct SSO will not see any sign-on or consent screen. They will be taken from your members site immediately to the third party and signed in with an updated profile.
Each member who is using the Cloud SSO for the first time and is already signed in via a RiSE member site or similar direct SSO will see a consent screen. They must click "Allow", and will then be taken to the third party and signed in. This is a one-time consent, governed by the Reauthorization Grace Period setting on the general settings screen.
Members who are not signed in to an existing RiSE / direct SSO website will be prompted to sign in (using their iMIS credentials), and will then follow the consent logic above (first-time users are prompted for consent, subsequent sign-ons are not).
If set up correctly, most of the time, users will not need to interact with the Cloud SSO app at all - it will work seamlessly in the background, providing single sign-on information to the connected third parties.
How can I customize the SSO app?
We offer a number of options to customize the SSO experience for your members:
- Brandable sign-in page
- Custom logo
- Custom background, foreground, text, and button colors to exactly match your branding
- Options to include "Create Account" and "Forgot Password" links on the sign-in page
- Customizable consent grace period (the period during which users do not have to click "Accept" or "Authorize" again to gain access to the third-party app)