Overview of inbound SSO
When Limeade acts as a Service Provider (SP), SSO lets users access the Limeade platform with their Identity Provider (IdP) credentials. This is commonly done so that users can sign in with their company credentials and do not need yet another username/password to remember and configure.
Limeade also supports “Dual-Login”, where users can sign in with either a Limeade username/password or their SSO credentials. If a customer requests dual login, we can place a sign-in button on the Limeade log-in page that directs users to the IdP for authentication.
For customers who have not yet upgraded to Limeade ONE, Limeade uses SAML 2.0 exclusively for SSO. SAML assertions are encrypted, and Limeade will provide our public key/certificate for that purpose.
Inbound SSO setup process
Once a request has been made to set up inbound SSO, the following steps are taken:
- Legal documents – any outstanding legal requirements must be completed before inbound SSO work begins
- Questionnaire – the customer or vendor fills out an inbound SSO questionnaire
- Finalize scoping – based on the questionnaire responses, Limeade Data Operations works with the customer and/or vendor to gather any missing information and to guide those unfamiliar with SSO or SAML
- Swap metadata – both parties exchange SAML metadata and X.509 certificates
- Configuration – both parties configure the SAML integration on their side and confirm when it is complete
- Gather test users – the IdP supplies Limeade with details for ~3 test users to load into the Limeade platform
- Testing – the test users attempt to access Limeade via SSO with their test accounts, and any issues are troubleshot
- Implementation to production
The process can take anywhere from 6 to 8 weeks.
Inbound SSO Assertion
Limeade inbound SSO requires the following SAML assertion claims:
- EmployerName: A hard-coded value that matches the internal EmployerName field in the Limeade platform; it is used to associate the user with the correct Site in the platform.
- Unique Identifier: A value that uniquely identifies the user and is the same on both platforms. This is usually EmployeeID, though we can also link on SSN if it is available on both platforms.
- AutoProvision: For our users, eligibility for the platform is controlled via an Eligibility File integration, so we require this claim with a value of 0. This prevents an attempt to create a user who is successfully authenticated by the IdP but has no account in Limeade.
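As an added illustration of the three claims above (this is example code, not Limeade's own SP implementation), the following Python checks the AttributeStatement of a SAML 2.0 assertion for an exact EmployerName match, a single non-empty unique identifier, and AutoProvision equal to 0. The sample assertion, the employer value "ExampleCorp", and the attribute name "EmployeeID" for the unique identifier are constructed assumptions; the check runs on an assertion that has already been decrypted and signature-verified, which this example does not do.

```python
"""Validate the attributes an inbound-SSO assertion must carry.

Added example, not Limeade's code. Attribute names other than EmployerName and
AutoProvision, the employer value and the sample XML are assumptions.
"""
import xml.etree.ElementTree as ET

# SAML 2.0 assertion namespace used by Attribute/AttributeValue elements.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion. In a real SP this XML would be the result of
# decrypting the EncryptedAssertion and verifying the IdP signature first;
# no attribute should be trusted before those steps succeed.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="EmployerName"><saml:AttributeValue>ExampleCorp</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="EmployeeID"><saml:AttributeValue>E12345</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="AutoProvision"><saml:AttributeValue>0</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_attributes(assertion_xml):
    """Return {attribute name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return attrs


def validate_inbound_claims(attrs, expected_employer, id_attribute="EmployeeID"):
    """Return a list of problems; an empty list means the claims are acceptable."""
    problems = []

    # EmployerName is a hard-coded value; require an exact, single-valued match
    # so the user is tied to one Site only.
    employer = attrs.get("EmployerName", [])
    if employer != [expected_employer]:
        problems.append(f"EmployerName must be exactly {expected_employer!r}, got {employer}")

    # The unique identifier must be present exactly once and non-empty.
    ident = attrs.get(id_attribute, [])
    if len(ident) != 1 or not ident[0]:
        problems.append(f"{id_attribute} must carry exactly one non-empty value, got {ident}")

    # AutoProvision must be 0: eligibility comes from the Eligibility File, so
    # an authenticated IdP user without a Limeade account must not be created.
    auto = attrs.get("AutoProvision", [])
    if auto != ["0"]:
        problems.append(f"AutoProvision must be '0' (no automatic user creation), got {auto}")

    return problems


def check_assertion(assertion_xml, expected_employer, id_attribute="EmployeeID"):
    """Parse the assertion and validate its inbound-SSO claims in one call."""
    return validate_inbound_claims(extract_attributes(assertion_xml), expected_employer, id_attribute)


if __name__ == "__main__":
    print(check_assertion(SAMPLE_ASSERTION, "ExampleCorp"))  # [] when all claims are valid
```

The expected employer value comes from the SP's configuration for that customer, never from the assertion itself; comparing it as a whole list rejects both a missing attribute and an attribute that carries several values.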