Full breakdown of the SSO and SSO hybrid login methods, along with a recommended strategy for implementing them in your business.
Written by Brayden Best & Jack Huang 18/10/2023
1.0.0 SSO Hybrid Login Method
1.1.0 Benefit:
- 1.1 Two alternate methods to access Canto:
- If the SSO system is down, you can still log in using the Canto login.
- 1.2 Flexibility: both SSO and Canto login access can be available.
- User security: inherits the password policy and 2FA method from the organisation, as organisations sometimes require higher levels of security for user accounts than the Canto application offers.
- Clear direction on the type of login process the users will follow, e.g. internal teams use SSO and external parties use the Canto login.
- Allows user account creation for external parties (e.g. third-party photographers and agencies, the databasics helpdesk team).
1.2.0 Risks:
- 2.1 There are two places where user accounts can be managed, and several things can be affected as a result:
- It adds confusion to the regular sign-in process for each user, as both sign-in options are visible on the login page; without clear instructions, users may not know which option to use. Note: each user should use only one login option (SSO or Canto login).
Process to reduce risk:
Have a clear process for managing user accounts in Canto. For example, john.smith@company.com.au has one Canto login but could also log in via SSO. To mitigate this, we advise your Canto system administrators to monitor user licences in Canto.
- 2.2 Can result in user mismanagement: a single user could be managed by both the Canto content administrator, who has full access in Canto, and the Canto system administrator from the IT team, so the two go out of sync.
Process to reduce risk:
There should be clearly defined tasks for Canto system admin roles, separate from Canto content admin roles. E.g. user role management should be handled by Canto system admins, while Canto content management should be handled by Canto content admins. Job allocations for each role are subject to your business’ preferences and guidelines, which will be discussed in the initial onboarding sessions.
Disclaimer: during our initial setup, we will enable SSO in hybrid mode to reduce the potential outage time frames for any IT support required. After SSO has been set up successfully and the initial tests are completed, unless requested otherwise, we will only allow users to log in using the SSO method. Our “clear communication model” provides your team with hands-on assistance from databasics throughout onboarding and thereafter.
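A small reconciliation check for this risk, added here as an example and not databasics’ or Canto’s own tooling: it compares a Canto user export against an IdP export (both constructed below, with assumed column names and an assumed internal domain) and flags internal users who hold both an SSO and a Canto login, stale Canto logins whose IdP account has been disabled, and external users with no Canto login; IT admins are exempted because they keep a Canto login as the IdP-outage fallback described above.

```python
import csv
import io

# Constructed sample exports, not real Canto or IdP data; the column names are assumptions.
CANTO_USERS_CSV = """email,canto_login_enabled,role
john.smith@company.com.au,yes,contributor
jane.doe@company.com.au,no,contributor
it.admin@company.com.au,yes,system_admin
left.employee@company.com.au,yes,contributor
photographer@agency.example,yes,contributor
designer@agency.example,no,contributor
"""

IDP_USERS_CSV = """email,enabled
john.smith@company.com.au,true
jane.doe@company.com.au,true
it.admin@company.com.au,true
left.employee@company.com.au,false
"""

ORG_DOMAIN = "company.com.au"          # assumption: internal users share this email domain
BREAK_GLASS_ROLES = {"system_admin"}   # IT admins keep a Canto login as the IdP-outage fallback


def load_users(csv_text):
    """Index a CSV export by normalised email address."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["email"].strip().lower(): row for row in reader}


def reconcile(canto_csv, idp_csv):
    """Compare the two account stores and return sorted (email, finding) tuples."""
    canto = load_users(canto_csv)
    idp = load_users(idp_csv)
    findings = []
    for email, row in canto.items():
        internal = email.endswith("@" + ORG_DOMAIN)
        local_login = row["canto_login_enabled"].strip().lower() == "yes"
        idp_row = idp.get(email)
        idp_enabled = idp_row is not None and idp_row["enabled"].strip().lower() == "true"
        if internal and idp_row is None:
            findings.append((email, "internal user missing from IdP export"))
        elif internal and local_login and not idp_enabled:
            findings.append((email, "stale Canto login: IdP account disabled"))
        elif internal and local_login and row["role"] not in BREAK_GLASS_ROLES:
            findings.append((email, "dual login: internal user has both SSO and Canto login"))
        elif not internal and not local_login:
            findings.append((email, "external user has no Canto login and cannot use SSO"))
    return sorted(findings)
```

Run `reconcile(CANTO_USERS_CSV, IDP_USERS_CSV)` against real exports by substituting the two CSV strings; each finding names one account that needs a system admin's attention.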
1.3.0 Recommended Strategy SSO Hybrid
Why are we doing this?
This strategy allows access for support from databasics and third-party content creators, and provides an SSO outage backup so that general users can still log in to Canto internally.
An organisation needs to clearly understand who will manage Canto at the system level and who will manage the content store within Canto.
System-level management is performed by the Canto Administrator, whereas content management is performed by Canto Contributors. This topic will be addressed by the CX Consultant during the onboarding sessions. Please see the article: Defining Roles of System Managers and Content Managers in Canto. (Link to the article once completed)
Step 1: Allocation of SSO roles and Canto Roles
We recommend that general users/main contributors of company content (marketing, learning and design, etc.) have SSO selected as their login option. Then provide Canto logins for IT admins: in case of an IdP outage, IT admins can log in to Canto and switch users over to Canto logins, allowing them to continue working until the IdP outage has been resolved.
Step 2: Provide Instructions
Provide clear instructions, either via email or an in-person workshop, demonstrating how to log in correctly so there is the least confusion about the login process.
Step 3: Create Canto Login for Business Internal Users
Provide IT with Canto account logins for themselves first. IT will need to set up their Canto accounts, as they need access to Canto first to ensure all initial SSO setup is completed.
Upon successful testing of SSO logins, IT will notify general users to log in via SSO.
Step 4: Internal General User Login
Once IT has successfully configured and tested the login, IT will need to notify all general users; how general users are notified is up to the business’ best practice.
General users follow the instructions given by IT to log in via SSO.
Step 5: Setup External Party Login
IT, as the Canto admin, provides all required security processes to the external parties before the Canto in-built login is assigned to them.
Once all processes are completed, external users will receive a welcome email from Canto to set up their password. External users need to follow the prompts in the email to create their Canto account login.
Note: IT admins will already have their accounts set up and signed in during the data migration process. Instruct team members to sign in to Canto using their assigned login methods as shown in the “how-to” document.
2.0.0 SSO Login Only Method
2.1.0 Benefit:
- 1.1 Enhanced security:
- User security: the security policy, such as enforced 2FA and the password policy, is inherited from the organisation instead of the Canto application. Organisations sometimes require higher levels of security for user accounts than the Canto application offers.
- 1.2 Easy to manage:
- Ideal for a large number of users: users only need their organisation account to log in to the Canto application, and no user creation is required in Canto.
- Simple to manage. All users are managed in one place, either the Canto application or their Active Directory.
2.2.0 Risks:
- 2.1 Anyone who doesn’t have an organisation account will not be able to access Canto; this includes:
- Third-party photographers, agencies and content creators
- databasics helpdesk team
- All Canto features that require a registered account in Canto, such as access to Workspaces, Private Portals, and all forms of Canto connector plug-in tools.
Process to reduce risk:
We recommend having a temporary external SSO login set up by the organisation’s IT department for certain third parties, such as databasics for support and content creators, when required.
databasics – the reason for a third-party SSO login is that the initial setup configuration requires ongoing assistance from our team in case of alterations and requests made by the client.
Content creators – there are two options for creators requiring temporary or permanent access to Canto content.
- Portals – a controlled space where content can be viewed by the content creators, with your team controlling what content can be accessed, and a collaborative area for both internal teams and external parties to work on projects before uploading to the main library for use. This can be set up with private or public access, with either a login required or free access for the general public (no login required).
- Upload links – an isolated space for creators to upload content for admin approval before it goes into the main library. Admins can check the content, add anything that meets standards, and remove everything else that isn’t required.
- If your IdP is down, you won’t be able to log in via SSO.
Risk mitigation:
In this scenario, you must contact the databasics helpdesk (helpdesk@databasics.com.au) to enable the Canto login temporarily until the IdP is back up and running.
- 2.2 Prevents external parties from creating Canto accounts.
Risk mitigation:
Have a temporary or guest SSO login set up by your company’s IT department for certain third parties, such as databasics for support. If this is a serious concern, please consider switching to SSO hybrid mode.
- 2.3 Limited support for legacy applications that do not support modern authentication protocols.
Risk mitigation:
If legacy applications are essential to your business, we suggest enabling SSO hybrid so that the in-built account can be used for login.
Disclaimer: during our initial setup, we will enable SSO in hybrid mode to reduce the potential outage time frames for any IT support required. After SSO has been set up successfully and the initial tests are completed, unless requested otherwise, we will only allow users to log in using the SSO method.
2.3.0 Recommended Strategy for Simple SSO
Step 1: Allocation of SSO roles and Canto Roles
For the initial setup of Canto SSO, IT and databasics will work together to configure the SSO IdP. After the following steps are completed, all users will be switched to SSO-only logins. All general users will have their SSO logins completed by IT.
Note: depending on the security measures put in place by your business, external parties can be set up with their own internal SSO accounts.
Step 2: Provide Instructions
Provide clear instructions, either via email or an in-person workshop, demonstrating how to log in correctly so there is the least confusion about the login process.
Step 3: Create Canto Login for Business Internal Users
Provide IT with Canto account logins for themselves first. IT will need to set up their Canto accounts, as they need access to Canto first to ensure all initial SSO setup is completed.
Upon successful testing of SSO logins, IT will notify general users to log in via SSO.