Federated Identity FAQ

What is federated identity?
Federated identity gives customers the option to sign in to CSI software and the CSI website with their own familiar company credentials instead of their CSI sign-in credentials. This is sometimes referred to as SSO (Single Sign-On). To implement it, the company must federate its identity platform (IdP) with CSI’s identity platform. Once set up, all contacts with federated email domains will automatically be redirected to their IdP for authentication.

Which identity platforms and standards does CSI support to set up federation?

  • Microsoft Active Directory (Azure Active Directory, Active Directory, ADFS, AD/LDAP)

  • Google Workspace

  • OpenID Connect

  • Okta

  • PingFederate

  • SAML

Which IdP does CSI use?

CSI uses Auth0 as our identity provider.

Is there a fee/charge to federate an IdP with CSI's IdP?

No, there is no charge to federate your IdP with CSI's. 

Is multi-factor authentication (MFA) available?

Once you have federated your IdP with CSI's, your security measures and MFA settings with your IdP will apply when you sign into CSI applications (software and website) as well. 

Can customers who choose to set up federated identity still use the User Management Dashboard (UMD) to bulk import contacts into the CSI User Database?
Yes, you can still import your contacts in bulk using the UMD. When customers authenticate through a federated IdP, they will be connected based on the user's email address.

Does CSI support any automated user provisioning options, such as SCIM or JIT user provisioning?
Yes, CSI supports both types of automatic user provisioning: 1) Just in Time (JIT) User Provisioning and 2) System for Cross-domain Identity Management (SCIM) User Provisioning. Both user provisioning mechanisms require a federated IdP as a prerequisite. Automated user provisioning eliminates the need for companies to manually add users to the CSI User Database. Details can be found on the Automated User Provisioning page. 

What happens if a new user authenticates via federated identity and does not exist in the CSI Database?
A new user will receive an error message after signing in, telling them to contact their IT team. Their Customer Account Administrator(s) will have to add the user to the CSI Database via the User Management Dashboard.

How to get started?
Please follow the instructions below for the identity provider you have. After completing the steps in the instructions, contact identity@csiamerica.com to set up a call with CSI to complete the final steps. 

For users with Microsoft Active Directory (Azure Active Directory, Active Directory, ADFS, AD/LDAP):

To start the process, you will need to do the following, as stated in this document under "Register your app with Azure AD": https://auth0.com/docs/authenticate/identity-providers/enterprise-identity-providers/azure-active-directory/v2#register-your-app-with-azure-ad

  1. You will need to register an App in your Azure AD  

  2. Create a Client Secret (we will need the Secret Value, not the Secret ID) 

  3. Add permissions (per document above)  

  4. In the App Registration, create the following web URI Redirect: https://identity.csiamerica.com/login/callback

For users with Google Workspace:

To start the process, you will need to do the following, as stated in this document under "Set up your App in Google": https://auth0.com/docs/authenticate/identity-providers/enterprise-identity-providers/google-apps#set-up-your-app-in-google

You will need the following Callback URL: https://identity.csiamerica.com/login/callback

For users with OpenID Connect:

To start the process, you will need to do the following, as stated in this document under "Set up your App in the OpenID Connect Identity Provider": https://auth0.com/docs/authenticate/identity-providers/enterprise-identity-providers/oidc#set-up-your-app-in-the-openid-connect-identity-provider

You will need the following Callback URL: https://identity.csiamerica.com/login/callback

For users with Okta:

To start the process, you will need to do the following, as stated in this document under "Create Okta OIDC App Integration": https://auth0.com/docs/authenticate/identity-providers/enterprise-identity-providers/okta#create-okta-oidc-app-integration

  1. Set up an Okta OIDC app integration

  2. Select OIDC as the Sign-in method.

  3. Select Web application as the Application type, and set the following parameters:

    1. Name of your application

    2. Sign-in Redirects URI: https://identity.csiamerica.com/login/callback

    3. Trusted Origins: https://identity.csiamerica.com

  4. Record the Client ID and Client Secret that Okta generates for your app integration.

For users with PingFederate:

To start the process, you will need to do the following, as stated in this document under the sections "Get the Signing Certificate from the IdP and Convert it to Base64": https://auth0.com/docs/authenticate/identity-providers/enterprise-identity-providers/ping-federate#get-the-signing-certificate-from-the-idp

You will need the following Callback URL: https://identity.csiamerica.com/login/callback

For users using SAML:

To start the process, you will need to do the following, as stated in this document under Steps 1 and 2, "Enter the Post-back URL and Entity ID at the IdP" and "Get the Signing Certificate from the IdP and Convert it to Base64": https://auth0.com/docs/authenticate/identity-providers/enterprise-identity-providers/saml

You will need the following Callback URL: https://identity.csiamerica.com/login/callback
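
Every set of instructions above registers the same callback URL, and OIDC providers compare redirect URIs as exact strings. This added example (not CSI's or Auth0's code) is a pre-flight check you can run on the redirect URIs registered for your app before the call with CSI. The function name and the sample list are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Callback URL taken from the instructions on this page.
REQUIRED_CALLBACK = "https://identity.csiamerica.com/login/callback"

# Constructed sample: redirect URIs as they might be copied from an app registration.
SAMPLE_CONFIGURED = [
    "http://identity.csiamerica.com/login/callback",
    "https://identity.csiamerica.com/login/callback/",
    "https://Identity.CSIAmerica.com/login/callback",
    "https://*.example.com/callback",
]


def check_redirect_uris(configured):
    """Return (ok, findings) for the redirect URIs registered on the IdP app.

    ok is True only when the required callback is present as an exact string.
    findings is a list of (uri, reason) pairs to review before going live.
    """
    want = urlsplit(REQUIRED_CALLBACK)
    findings = []
    for uri in configured:
        if uri == REQUIRED_CALLBACK:
            continue
        got = urlsplit(uri)
        if "*" in uri:
            findings.append((uri, "wildcard redirect URI; replace with an exact URI"))
        elif got.hostname != want.hostname:
            findings.append((uri, "other redirect URI on this app; confirm it is intended"))
        elif got.scheme != "https":
            findings.append((uri, "scheme must be https"))
        elif got.path.rstrip("/") == want.path and not got.query and not got.fragment:
            # Same target after normalisation, but not the same string.
            findings.append((uri, "near miss (case, port or trailing slash); use the exact string"))
        else:
            findings.append((uri, "CSI host with a different path or query"))
    ok = REQUIRED_CALLBACK in configured
    if not ok:
        findings.append((REQUIRED_CALLBACK, "required callback is missing"))
    return ok, findings


if __name__ == "__main__":
    ok, findings = check_redirect_uris(SAMPLE_CONFIGURED)
    print("ready for CSI call:", ok)
    for uri, reason in findings:
        print(f"  {uri}: {reason}")
```
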

 

For questions about federated identity, please contact identity@csiamerica.com.