Introduction
Encodify offers Single Sign-On (SSO) support for a range of identity providers (IdPs). This section is designed for system and site administrators who want to assist customers in managing their joiners, leavers, and movers (JML) process by integrating Encodify with their IdP.
We support the following authentication methods:
Internal
SAML 2.0
OAuth 2.0
OpenID Connect
Authentication Methods
Internal
Also known as 'basic authentication', this method allows an account to be created within your Encodify application with a username and password that grant access. Each user is added to the application manually, and users can reset their own passwords.
SAML 2.0
Support for SAML authentication is scheduled for deprecation. Please refer to OpenID Connect instead.
SAML 2.0 is an XML-based protocol that uses security tokens with assertions to share information about a user between the Identity Provider (a server that handles authentication) and the Service Provider (the client system the user wants to log into for accessing resources). With SAML, a user can access multiple systems using just one account on the identity provider server.
The diagram below illustrates how SAML authorization works.
To let users log in using the SAML protocol, you'll need a dedicated identity provider (IdP) system that's set up to handle Single Sign-On (SSO) authorization. Since different identity providers have their own configurations, you'll need to check the specific documentation for the IdP you plan to use with the Encodify system.
This guide offers a basic step-by-step explanation for setting up two IdPs: Microsoft Azure AD and Microsoft AD FS 2.0 (on-premise).
OpenID Connect
OpenID is an open standard that enables users to log in to multiple websites using a single set of credentials from a trusted provider (like Google or Microsoft). Instead of creating unique usernames and passwords for each site, users authenticate with their chosen OpenID provider, which then verifies their identity to the website.
OAuth 2.0
OAuth2 is an authentication standard that allows clients to have "secure delegated access" to server resources on behalf of a resource owner. It outlines a way for resource owners to grant third-party access to their server resources without needing to share their credentials. Simply put, a user can access the Encodify system without entering Encodify credentials by using their account from an external system. In this scenario, the external system acts as the Authorization server (identity provider), while the Encodify system functions as the Resource server.
Login Page
Login Page with SSO
Each IdP is connected to an associated Login Page, and the screenshots below highlight three authentication methods: basic authentication via username and password, a connection to an Azure AD IdP, and a connection to a Google IdP.
Considerations
If your Encodify system doesn't have an IdP set up, users can log in using their username and password through the login form.
Once you add at least one IdP (OpenID, SAML or OAuth2) that matches a specific login URL, the login form will no longer be available on that Login Page. Visiting that Login URL will take you straight to the external provider's login page. If you don't have a profile there, you won't be able to access Encodify anymore.
We recommend always having an alternative Login URL without an IdP assigned (or just using an Internal IdP) so you can still access Encodify and make changes if something goes wrong.