SSO (single sign-on) with SAML
Lokad supports identity and access management (IAM) systems through SAML. This feature lets users log into our system with their usual company credentials without ever disclosing those credentials to Lokad. It also removes the need for yet another password when using Lokad’s app. From an IT administration perspective, this feature provides a centralized way of controlling employee IT access, including access to Lokad.
Understanding the SSO workflow
Your Lokad account will be linked to a domain name of your choice, typically the domain name used for the email addresses of your employees.
The login process is as follows:
- Go to https://hub.lokad.com (like a normal Lokad login)
- Enter your company email address
- Lokad recognizes that the domain has been configured for SSO
- Lokad redirects you to the identity provider associated with the domain
- Confirm access while being redirected to the identity provider of your company
- Upon successful authentication, you will be redirected to Lokad
- Enjoy your access to Lokad
Depending on the authentication policies of your company, you may or may not have to re-enter your company credentials. Typically, most policies require the credentials to be re-entered once in a while. These policies are not under Lokad’s control, as authentication is delegated to your company’s IT system when SSO is used.
Setting up SAML
In order to activate SAML, you first need to decide which internet domain name will be associated with your Lokad account. As Lokad identifies users by their email address, this is usually the domain name of your company email addresses.
Then, you will need to retrieve the SAML IdP Metadata file associated with your IAM system. For example, when Google Apps are used as the SAML identity provider, this file can be downloaded from the admin portal (see this Google Apps tutorial for more information).
The activation of SAML is handled by Lokad’s support staff. Therefore, you will need to get in touch with us in order to enable SSO within Lokad. This can be done by sending a message to firstname.lastname@example.org with "SAML activation for example.com" in the title of the message. Please attach the IdP metadata file as well.
Lokad’s support team will then verify that all the users of your Lokad account have an email address matching the specified domain name; users whose address does not match would lose their access to Lokad once SAML is activated. Finally, Lokad’s team completes the SAML activation on your behalf; this operation is free of charge.
FTP and FTPS accesses
Both FTP and FTPS rely on login/password authentication. As a rule of thumb, when introducing SSO we believe it is best to get rid of Lokad-specific passwords altogether, rather than keeping some logins/passwords just for the sake of transferring files to Lokad. We recommend upgrading to SFTP with public-key authentication; public-key authentication is not affected by the SAML activation. If SFTP is not an option for your company, notify Lokad’s support team and we will provide you with an alternative solution.