What is federated identity?
Federated Identity gives customers the option to use their own familiar company credentials to sign into CSI software and website instead of using their CSI sign-in credentials. This is sometimes referred to as SSO (Single Sign On). To implement, the company will have to federate their identity platform (IdP) with CSI’s identity platform. Once setup, all contacts with federated email domains will automatically be redirected to their IdP for authentication.
Which identity platforms and standards does CSI support to setup federation?
Microsoft Active Directory (Azure Active Directory, Active Directory, ADFS, AD/LDAP)
Google Workspace
OpenID Connect
Okta
PingFederate
SAML
Which IdP does CSI use?
CSI uses Auth0 as our identity provider.
Is there a fee/charge to federated an IdP with CSI's IdP?
No, there is no charge to federate your IdP with CSI's.
Is multi-factor authentication (MFA) available?
Once you have federated your IdP with CSI's, your security measures and MFA settings with your IdP will apply when you sign into CSI applications (software and website) as well.
Can customers who choose to setup federated identity still use the User Management Dashboard (UMD) to bulk import contacts to into the CSI databaseUser Database?
Yes, you can still import your your contacts in bulk using the UMD. When customers authenticate through a federated IdP, they will be connected based on the user's email address.
Does CSI support any automated user provisioning options, such as SCIM or JIT user provisioning?
Yes, CSI supports both types of automatic user provisioning: 1) Just in Time (JIT) User Provisioning and 2) System for Cross-domain Identity Management (SCIM) User Provisioning. Both user provisioning mechanisms require a federated IdP as a prerequisite. Automated user provisioning eliminates the need for companies to manually add users to the CSI User Database. Details can be found on the Automated User Provisioning page.
If What happens if a new user is authenticates via federated identity , how are they added to and does not exist in the CSI Database?
New users that authenticate via federated identity will be added on the fly to the default customer that is specified during federated identity setup. The new user will be giving assigned the customer's default role and added to the customer's default license group. The default role and default license group can both be found, and changed, in user will receive an error message after signing in to let them know to contact their IT team. Their Customer Account Administrator(s) will have to add the user to the CSI Database via the User Management Dashboard.
Does CSI support SCIM Provisioning to keep a customer's IdP in sync with CSI's database?
CSI currently does not support SCIM provisioning, but it is on the roadmap for early 2024.
How to get started?How to get started?
Please follow the instructions below for the identity provider you have. After completing the steps in the instructions, contact identity@csiamerica.com to set up a call with CSI to complete the final steps.
For users with Microsoft Active Directory (Azure Active Directory, Active Directory, ADFS, AD/LDAP):
To start the process, you will need to do the following as stated in this document under
...
, Register your app with Azure AD: https://auth0.com/docs/authenticate/identity-providers/enterprise-identity-providers/azure-active-directory/
...
v2#register-your-app-with-azure-ad
You will need to register an App in your Azure AD
Create a Client Secret (we will need the Secret Value, not the Secret ID)
Add permissions (per document above)
In the App Registration, create the following web URI Redirect: https://identity.csiamerica.com/login/callback
For users with Google Workspace
...
After completing the steps in the instructions above, contact indentity@csiamerica.com to set up a call to complete the final steps. :
To start the process, you will need to do the following as stated in this document under, Set up your App in Google: https://auth0.com/docs/authenticate/identity-providers/enterprise-identity-providers/google-apps#set-up-your-app-in-google
You will need the following Callback URL: https://identity.csiamerica.com/login/callback
For users with OpenID Connect:
To start the process, you will need to do the following as stated in this document under, Set up your App in the OpenId Connect Identity Provider: https://auth0.com/docs/authenticate/identity-providers/enterprise-identity-providers/oidc#set-up-your-app-in-the-openid-connect-identity-provider
You will need the following Callback URL: https://identity.csiamerica.com/login/callback
For users with Okta:
To start the process, you will need to do the following as stated in this document under Create Okta OIDC App Integration: https://auth0.com/docs/authenticate/identity-providers/enterprise-identity-providers/okta#create-okta-oidc-app-integration
Set up an Okta OIDC app integration
Select OIDC as the Sign-in method.
Select Web application as the Application type, and set the following parameters:
Name of your application
Sign-in Redirects URI: https://identity.csiamerica.com/login/callback
Trusted Origins: https://identity.csiamerica.com
Record the Client ID and Client Secret that Okta generates for your app integration.
For users with PingFederate:
To start the process, you will need to do the following as stated in this document under Sections, Get the Signing Certificate from the Idp and Convert it to Base64: https://auth0.com/docs/authenticate/identity-providers/enterprise-identity-providers/ping-federate#get-the-signing-certificate-from-the-idp
You will need the following Callback URL: https://identity.csiamerica.com/login/callback
For users using SAML:
To start the process, you will need to do the following as stated in this document under Step 1 and 2, Enter the Post-back URL and Entity ID at the IdP, Get the Signing Certificate from the Idp and Convert it to Base64: https://auth0.com/docs/authenticate/identity-providers/enterprise-identity-providers/saml
You will need the following Callback URL: https://identity.csiamerica.com/login/callback
For questions about federated identity, please contact identity@csiamerica.com.