SSO users and account access
This topic describes sign-in differences for new SSO users, account access for the different kinds of SSO users, and how to unlock locked SSO users.
This feature is part of Advanced User Security, which is available in the Enterprise and Enterprise Plus Editions, and as an add-on to the Professional and Professional Plus Editions. Consult with your Boomi account representative to enable this functionality.
Differences for new single sign-on users
If you recently switched from only using your user credentials to single sign-on, you may notice these differences in the platform:
- You no longer need to sign in on the platform sign-in page; you sign in through your identity provider instead.
- You can no longer change your email address or password on the User Information tab. Your account administrator can change the password if you sign in to the platform using your user credentials.
Single sign-on and account access
Single sign-on (SSO) is set up on an account, and then enforced for individual users of that account.
If a user is added to an account group on a parent account, that user can access all the SSO-enabled accounts in the account group. Users added to a child account will not see other SSO-enabled accounts.
SSO users have different sign-in experiences depending on whether they have administrative privileges or belong to multiple accounts. Use the following table to see how the different kinds of SSO users can sign in to the Boomi Enterprise Platform and which accounts are available to them.
| SSO user type | Sign in method | Account access |
|---|---|---|
| Non-administrative SSO users | Platform user name and password credentials | Have direct access to non-SSO accounts only. |
| Non-administrative SSO users | Identity Provider (IDP) | Have access only to SSO-enabled federating/restricting accounts and to other accounts that are a part of Account Groups. |
| Administrative SSO users | Platform user name and password credentials | Have direct access to any non-SSO accounts to which they belong, and only to those accounts that the user is an administrator of (SSO or non-SSO). |
| Administrative SSO users | Identity Provider (IDP) | Have direct access only to SSO-enabled federating/restricting accounts and to other accounts that are a part of Account Groups. |
SSO user lockout
The following table describes the different types of SSO users, how they access the platform, and how a locked SSO user can either unlock themselves or have an account administrator unlock them on their behalf.
| SSO user type | Sign in method | Unlock method |
|---|---|---|
| Regular, non-SSO user | User name and password credentials on the sign in page | Regular non-SSO users can unlock themselves using the Reset your password link on the sign in page. |
| SSO user, administrator privileges | User name and password credentials on the sign in page, or their Identity Provider (IDP) | When locked from the platform, SSO users with administrator privileges have the ability to unlock themselves using the Reset your password link on the sign in page. This is because an SSO administrator has the ability to sign in from either the platform sign in page or their IDP. |
| SSO user, non-administrator privileges with access only to SSO-enabled accounts | Identity Provider (IDP) | Because these users must use their IDP to sign in and cannot do so using their user name and password credentials, they do not have the option to unlock themselves using the Reset your password link. Therefore, the administrator of the user's federating/restricting account must unlock them on their behalf from the User Management page. To learn how to unlock a user with SSO-only access who is locked as a result of using their IDP, refer to Unlocking a user with single sign-on access. |
| SSO user, non-administrator privileges with access to both SSO and non-SSO enabled accounts | User name and password credentials on the sign in page to log into their non-SSO accounts, OR their Identity Provider (IDP) to log into their SSO-enabled accounts. | In some cases, the SSO user has access to multiple accounts where some accounts use single sign-on and some do not. How the user chooses to sign in (IDP or user name/password) when their account gets locked determines how the user is unlocked. When signing in via an IDP, these users have access to only those SSO accounts to which they belong; if the user gets locked out, the user can unlock themselves using the Reset your password link. When signing in using user name and password credentials on the sign in page, these users have access only to those non-SSO accounts to which they belong; if the user gets locked out because of invalid credentials, the user can unlock themselves using the Reset your password link. |
As the administrator of an SSO-enabled account, use the unlock feature on the Settings > Account Access > User Management page to unlock users with SSO-only access who are locked out of the platform as a result of multiple invalid API token entries.
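The two tables above are a decision rule: which accounts a user reaches depends on the sign-in method, membership and administrator status, and whether a locked user can self-service depends on whether any password sign-in path exists. The following added example (not Boomi code; the `Account`/`User` model and the account-group representation via a `parent` field are assumptions) encodes those rules so an administrator can check, before opening the User Management page, whether a locked user actually needs intervention.

```python
from __future__ import annotations
from dataclasses import dataclass

# Hypothetical data model for the access and unlock rules on this page.
@dataclass(frozen=True)
class Account:
    name: str
    sso_enabled: bool
    parent: str | None = None  # set when this account is a child in an account group

@dataclass(frozen=True)
class User:
    email: str
    memberships: frozenset  # accounts the user was added to directly
    admin_of: frozenset = frozenset()  # accounts the user administers

def accessible_accounts(user: User, accounts: list[Account], sign_in: str) -> set:
    """Accounts visible to an SSO user. sign_in is "password" or "idp"."""
    by_name = {a.name: a for a in accounts}
    visible = set()
    if sign_in == "password":
        # Platform credentials reach only the non-SSO accounts the user belongs to ...
        visible |= {n for n in user.memberships if not by_name[n].sso_enabled}
        # ... plus, for administrators, every account they administer (SSO or not).
        visible |= set(user.admin_of)
        return visible
    if sign_in != "idp":
        raise ValueError(f"unknown sign-in method: {sign_in}")
    # IDP sign-in reaches SSO-enabled accounts the user belongs to directly ...
    visible |= {n for n in user.memberships if by_name[n].sso_enabled}
    # ... and, when the user was added on a parent account, every SSO-enabled
    # account in that account group. Members of a child see only the child.
    for a in accounts:
        if a.sso_enabled and a.parent in user.memberships:
            visible.add(a.name)
    return visible

def can_self_unlock(user: User, accounts: list[Account]) -> bool:
    """True if 'Reset your password' works for this user; False if an
    administrator of the federating/restricting account must unlock them."""
    if user.admin_of:
        return True  # administrators can always use platform credentials
    by_name = {a.name: a for a in accounts}
    # Any non-SSO membership gives the user a password sign-in path.
    return any(not by_name[n].sso_enabled for n in user.memberships)
```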
Unlocking SSO Users
When users with SSO-only access make too many invalid sign-in attempts using API tokens, they are locked out of the Boomi Enterprise Platform and cannot use any services or make API calls. Because such SSO users do not have a user name and password to enter on the sign in page, they cannot unlock themselves using the Reset your password link. Therefore, SSO users who can only sign in from an identity provider (IDP) cannot regain access to the platform until an administrator of their federating/restricting SSO-enabled account unlocks them on their behalf. The administrators of the SSO-enabled account receive an immediate email notification about the locked user and can use the following steps to reinstate the user's access.
If the SSO user enters their username and password on the sign in page to access their account, they can unlock themselves using the Reset your password link on the sign in page. The note in step 3 of this task topic clarifies how the account administrator can determine if the user is unlocked from the User Management page, or if the user can unlock themselves from the sign in page. For detailed information about the various ways in which SSO users are unlocked, refer to Single sign-on.
Procedure
1. Select Settings > Account Access and click the User Management tab.
   The User Management page opens.
2. In the list of account user names, notice that each user has an icon next to their email address.
   As the legend on the User Management page shows, the green check icon indicates that the user is active and can successfully access the platform. The red exclamation point icon indicates that the user is locked out of the platform.
3. Select the user name of a locked individual.
   The selection is highlighted in gray, and the Unlock User icon turns from light gray to dark gray. This indicates that the selected user can be unlocked.
   If a user shows a red icon next to their name but the Unlock User icon stays unavailable (its color remains light gray), the user can unlock themselves using the Reset your password link on the Boomi Platform sign-in page and does not require the administrator's intervention.
4. Click the dark gray Unlock User icon.
   A dialog box opens asking you to confirm the account unlock.
5. Click OK to proceed with the unlock, or Cancel to return to the User Management page without making changes.
Results
Clicking OK in the dialog results in a confirmation message that the user was successfully unlocked and the user's platform access is immediately restored. The green check icon appears next to the user name on the User Management tab.