Overview
Single sign-on (SSO) is a user authentication method that allows a user to access multiple applications using a single set of login credentials (such as a username and password). This allows you to log in to the Clozd platform using credentials from a supported third-party provider.
In a basic web SSO service, an agent module on the application server retrieves the specific authentication credentials for an individual user from a dedicated SSO policy server, while authenticating the user against a user repository, such as a Lightweight Directory Access Protocol (LDAP) directory. The service authenticates the end user for all the applications the user has been given rights to and eliminates future password prompts for individual applications during the same session.
If you are interested in setting up SSO for your Clozd account, reach out to your account representative or Clozd Support. We support Google, Okta, and SAML configurations.
Subdomain
In all cases, a subdomain will be assigned to your account (typically your company’s name) that you will use to log in and access the Clozd Platform going forward. For example, if the organization Meridian used Google SSO, they would have to navigate to 'meridian.app.clozd.com' to access the Clozd Platform and would be directed to Google's sign-in page. Once logged in, they would be redirected back to the Clozd Platform.
You cannot get into the Platform by going to 'app.clozd.com' and clicking "Login with Google". This restriction provides a level of security for the account and ensures that only approved users can log in.
Managing Users
Managing users works slightly differently for organizations that have SSO enabled. After SSO has been enabled, you are no longer able to add or remove users directly in the Clozd platform. User management must be handled by your IT team through user management groups in your identity provider.
User Creation
After SSO has been enabled, users must be created and managed within your identity provider. Once a user is added to the appropriate user group, they can log in to the Clozd platform using your client-specific URL (e.g., client.app.clozd.com). Clozd uses just-in-time provisioning, meaning an account is automatically created for the user upon their first login.
Removing a user from your identity provider (IdP) prevents them from logging in, but does not remove them from Clozd. User roles, notifications, and user cleanup must be managed directly within the Clozd platform.
Newly created users are given very basic-level privileges and basic notifications. Notifications can be enabled from the Users section after the user has been automatically created. Users can also update their individual notification preferences from the user profile dropdown in the top right corner of the app (for further instruction, see Account Settings). User creation happens automatically when the user logs in via their account login page: if they are authenticated by the configured SSO method and the user does not exist in the database, the user is created and given base-level permissions.
Denying User Access
If an account admin no longer wants a user to have access to Clozd, there are two ways to remove access. If SSO is enabled, access should be revoked through the organization’s identity provider. For example, when using Google, the admin can disable the user’s Google account. If SSO is not enabled, the admin can disable the user directly in the Users section of the Clozd platform.
Note: Deleting a user does not deny them access to the Clozd Platform; they can still log in, and their account will be recreated. Only disabling a user prevents them from having access to Clozd.
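A cleanup check for the two gaps described above (removing a user from the IdP leaves their Clozd record in place, and deleting a Clozd record does not block the next SSO login). This is an added example, not Clozd code; the CSV columns, role names, and addresses are constructed assumptions rather than a real Clozd or IdP export format.

```python
import csv
import io

# Constructed sample data. Column names and role values are assumptions for
# this example, not an actual Clozd or identity-provider export format.
IDP_GROUP_CSV = """email
ana@meridian.example
bo@meridian.example
"""

APP_USERS_CSV = """email,status,role
ana@meridian.example,active,admin
bo@meridian.example,disabled,basic
cy@meridian.example,active,admin
dee@meridian.example,active,basic
"""


def load(text):
    """Parse CSV text into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(idp_rows, app_rows):
    """Compare IdP group membership with app users; return sorted (email, finding)."""
    in_group = {r["email"].strip().lower() for r in idp_rows}
    findings = []
    for row in app_rows:
        email = row["email"].strip().lower()
        status = row["status"].strip().lower()
        role = row["role"].strip().lower()
        if email not in in_group and status == "active":
            # SSO login is blocked, but the record, role and notifications
            # persist until someone cleans them up in the app.
            kind = "stale-privileged" if role != "basic" else "stale"
            findings.append((email, kind))
        elif email in in_group and status == "disabled":
            # Still able to authenticate at the IdP: deleting this record
            # would let just-in-time provisioning recreate it on next login.
            findings.append((email, "keep-disabled-do-not-delete"))
    return sorted(findings)


if __name__ == "__main__":
    for email, finding in reconcile(load(IDP_GROUP_CSV), load(APP_USERS_CSV)):
        print(f"{finding:28} {email}")
```
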
Configuration
Clozd currently offers two native integrations for single sign-on (SSO) authentication: Google and Okta. All other identity providers are supported through SAML, which is the standard method for SSO integrations. Work with your Clozd Program Manager or Clozd Support to configure the option your organization uses.
Google
If your company uses Google SSO, the only thing you need to do is provide your organization’s email domain to support@clozd.com and we’ll take it from there. The email domain is used to ensure that any person logging in via their organization login page belongs to the correct organization.
Once configured, your login page will look like this:
Okta
Okta configuration needs to happen on both the Clozd side and the Okta side. To start, a representative from Clozd will assign your organization’s subdomain. Then, follow the steps in this article. Once you have completed these tasks, send Clozd Support your Client ID, Client Secret, and Issuer URL and we will finish the configuration on our end.
Once configured, your login page will look like this:
SAML
Configuration with Security Assertion Markup Language (SAML) also requires setup both on the Clozd side and on the Identity Provider (IdP) side. This setup is more technical than the other configurations because it is different for every organization and as such often requires some trial and error. Reach out to support@clozd.com for assistance and further instructions.
Once configured, your login page will look like this:
Questions?
For questions about the fit of SSO for your Clozd Win-Loss Program, please contact your Clozd Consultant.
For questions about the integration or troubleshooting, please contact support@clozd.com.