Federated Identity
Federated Identity gives customers the option to use their company credentials to sign in to CSI software and the CSI website instead of using their CSI sign-in credentials. This is sometimes referred to as SSO (Single Sign-On). To implement it, the company will have to federate their identity platform (IdP) with CSI’s identity platform.
Once set up, all contacts with federated email domain(s) will automatically be redirected to their IdP for authentication.
- 1 How to get started?
- 2 FAQ
- 2.1 Which identity platforms and standards does CSI support to set up federation?
- 2.2 Which IdP does CSI use?
- 2.3 Is there a fee/charge to federate an IdP with CSI's IdP?
- 2.4 Is multi-factor authentication (MFA) available?
- 2.5 Does CSI support any automated user provisioning options, such as SCIM or JIT user provisioning?
- 2.6 Can customers who choose to federate their identity still use the User Management Dashboard (UMD) to bulk import contacts into the CSI User Database?
- 2.7 What happens if a new user authenticates via federated identity and does not exist in the CSI Database?
How to get started?
Begin the process through the CSI Customer Center
A Customer Account Administrator must begin this process through the CSI Customer Center, under the Settings > Federated Identity Settings menu option.
The Set Up tab will only be available for customers who have not started or completed the federated process.
Access to the configuration wizard, along with instructions, will be available once you click the Get Started button.
Step 1: The Begin Setup button will take you to the configuration wizard, which includes specific instructions for each identity platform we support. If the link for the wizard has expired, use the Generate New Setup Link hyperlink to update the Begin Setup button.
Step 2: Once you have completed the federation and successfully tested your setup, you can Enable your SSO for All CSI Applications using this button.
Your identity has now been federated and is now live.
Automated User Provisioning Options
Automated user provisioning options are now available for your customer account(s). Details can be found on the Automated User Provisioning page.
If you use Azure AD/Entra ID, you will be asked to submit the expiration date of your Client Secret so we can send you a reminder email to update your secret before it expires.
If you use a SAML connection, regardless of your IdP, please select the Custom SAML option. An example of attribute mapping for SAML can be found below.
Configuration Wizard to Federate your Identity Platform
For further questions, please contact identity@csiamerica.com.
Example of SAML Attribute Mapping
Below is an example of attribute mapping for a SAML setup. Upon completing your federation setup and testing your connection, please send your SAML Attribute Mapping to identity@csiamerica.com.
If you are using Shibboleth, please use Request Protocol Binding = HTTP-Post.
Example of SAML attribute mapping (group attribute is not required):
    {
      "user_id": [
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
      ],
      "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
      "name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
      "given_name": [
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
      ],
      "family_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
      "groups": "http://schemas.xmlsoap.org/claims/Group"
    }
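The mapping above can be checked against the attributes your IdP actually releases before you send it to CSI. The following is an added example, not CSI's or Auth0's code. It assumes that a list of claim URIs is an ordered fallback (the first claim with a value wins), that every field except groups must resolve, and that the email domain must be one of your federated domains; resolve_profile, check_profile and the sample values are constructed for illustration.

```python
# Added example: pre-flight check of a SAML attribute mapping (not CSI code).
NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
MAPPING = {  # copied from the example mapping on this page
    "user_id": [NS + "nameidentifier", NS + "upn", NS + "name"],
    "email": NS + "emailaddress",
    "name": NS + "name",
    "given_name": [NS + "givenname", NS + "name"],
    "family_name": NS + "surname",
    "groups": "http://schemas.xmlsoap.org/claims/Group",
}
OPTIONAL = {"groups"}  # the page states the group attribute is not required


def resolve_profile(attributes, mapping=MAPPING):
    """Map assertion attributes to profile fields.

    Assumption: a list of claim URIs is an ordered fallback and the first
    claim carrying a non-empty value wins.
    """
    profile = {}
    for field, claims in mapping.items():
        for claim in [claims] if isinstance(claims, str) else claims:
            value = attributes.get(claim)
            if isinstance(value, str):
                value = value.strip()
            if value:
                profile[field] = value
                break
    return profile


def check_profile(profile, federated_domains, mapping=MAPPING):
    """Return a list of problems that would break email-based matching."""
    problems = [f"missing {f}" for f in mapping
                if f not in OPTIONAL and f not in profile]
    email = profile.get("email", "")
    domain = email.rpartition("@")[2].lower()
    if email and domain not in {d.lower() for d in federated_domains}:
        problems.append(f"email domain {domain!r} is not federated")
    return problems


# Constructed sample: attributes as an IdP might release them (no givenname).
SAMPLE = {
    NS + "nameidentifier": "a1b2c3",
    NS + "upn": "jdoe@example.com",
    NS + "name": "Jane Doe",
    NS + "emailaddress": "jdoe@example.com",
    NS + "surname": "Doe",
}
```

With the constructed sample, given_name falls back to the name claim because no givenname attribute is released, which is the kind of silent substitution worth catching during testing.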
FAQ
Which identity platforms and standards does CSI support to set up federation?
Entra ID/Azure AD (Microsoft Active Directory)
ADFS
Google Workspace
OpenID Connect
Okta
PingFederate
SAML
Which IdP does CSI use?
CSI uses Auth0 as our identity provider.
Is there a fee/charge to federate an IdP with CSI's IdP?
No, there is no charge to federate your IdP with CSI's.
Is multi-factor authentication (MFA) available?
Once you have federated your IdP with CSI's, your security measures and MFA settings with your IdP will apply when you sign into CSI applications (software and website) as well.
Does CSI support any automated user provisioning options, such as SCIM or JIT user provisioning?
Yes, CSI supports both types of automatic user provisioning: 1) Just in Time (JIT) User Provisioning and 2) System for Cross-domain Identity Management (SCIM) User Provisioning. Both user provisioning mechanisms require a federated IdP as a prerequisite. Automated user provisioning eliminates the need for companies to manually add users to the CSI User Database. Details can be found on the Automated User Provisioning page.
Can customers who choose to federate their identity still use the User Management Dashboard (UMD) to bulk import contacts into the CSI User Database?
Yes, you can still import your contacts in bulk using the UMD. When customers authenticate through a federated IdP, they will be connected based on the user's email address.
What happens if a new user authenticates via federated identity and does not exist in the CSI Database?
If automated user provisioning has not been set up and a new user signs in, they will receive an error message after signing in telling them to contact their IT team. The Customer Account Administrator(s) will have to add that user to the CSI Database via the User Management Dashboard.