How to set up and configure IDP for your site

    This guide explains how to configure SuperOffice Online to use your Identity Provider (IDP) for logging in.

    The new SuperID platform includes more features to help you handle how you log in to SuperOffice Online.

    SuperID can be seen as a service used by CRM Online that lets you use your MS Office 365 or Google G Suite account as the authentication service when logging in to CRM Online, instead of your SuperOffice password.

    Key features of IDP login:

      • Multi-factor authentication (MFA) / two-factor authentication (2FA) / two-step verification (dependent on the authentication service)
      • User authentication/login to CRM Online is leaner: it uses your existing Office 365 or G Suite credentials, with no SuperOffice password
      • Automatic login if you are already logged in to Office 365 or Google G Suite (browser session)
      • Leaner administration of new and existing users from SO Admin: just add the Office 365 or Google G Suite user name, and users can authenticate and log in

    Prerequisites

    • A SuperOffice Online tenant (site)
    • Your SuperOffice Online tenant (site) needs to be on the SuperID platform
    • A Google or Microsoft account (only Google and Microsoft are supported at this point; perform a domain check first)
      • If you plan to use a Microsoft account (AAD), you need to be "Global Admin" in your AAD to perform the "Initialization step"
      • For other IDP providers, please give us your feedback and we will look into adding support

    A technical article on SuperOffice Online OpenID Connect is available on Community.

    3-step guide: 

    1. Update SuperOffice username to match IDP user name
    2. Register your domain name
    3. Log in - to complete user-transformation

    1. Update SuperOffice username to match IDP user name

    Update username in SuperOffice Admin

    Since Office365 or Google will be used as the service to authenticate when logging into SuperOffice – SuperOffice needs to know the Office365 / Google username. This is most often the primary email address in O365 / Google.

    You see the username in the admin -> users section:

    Microsoft: https://admin.microsoft.com/AdminPortal/Home#/users

    Google: https://admin.google.com/ac/users

    These usernames must be set in SuperOffice Admin for each user:

    1. Open Admin and go to Users
    2. Select the SuperOffice user to change
    3. Enter the O365/Google username in the "Username" field and click "Save"
    4. Repeat this for all users

    The user preparation is now complete.

    2. Register your domain name

    Registering your domain name in the SuperOffice environment:

    Before users can use the authentication provider for your domain, the domain must be registered in our systems. This enables the login process to recognize the domain of the user's email address and redirect to the correct IDP for authentication.

    • Google: Any user that can authenticate with the customer's domain can register Google as an identity provider
    • Microsoft: The user registering Microsoft as an identity provider must be a "Global Admin" or "Application Administrator" in the customer's Azure Active Directory (AAD) to grant the SuperOffice ID AAD App access to read user profile information.

    Step 1. Go to https://id.superoffice.com/identityprovider/register 

    Step 2. Choose your organization's identity provider (Google or Microsoft) based on the pre-check step above 

    Step 3. You are redirected to the provider's login page. Authenticate and accept the permissions.

    Microsoft: 

    Note: If Microsoft account (AAD): you need to be "Global Admin" in your AAD to perform this "Initialization step" 

    Google: 

    Step 4. Accept and confirm the setup.

    You may be asked whether you grant SuperOffice access to read profile information.

    You must confirm that all users of your domain should use your identity provider.

    Microsoft: 

    Google: 

    Your organization's domain name is now registered in the SuperOffice environment and can be used by users of a SuperID-ready tenant.

    Additional domain names can be registered by performing this step again, using other domains in the registration process.

    Additional subdomain names and custom domain names can be registered/added manually by contacting SuperOffice support. For example: the main domain name is 'SuperOffice.com' and the custom domain name is 'SuperOffice.no'.

    When the user logs in, the domain of the username (the part after '@') will then be recognized and the user will be forwarded to the correct IDP provider to authenticate.

    Read more in the next section (step 3) and in our "Questions and Answers" section below.
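Steps 1 and 2 together define two checks that are worth scripting before you invite users: every SuperOffice username must equal the user's UPN / primary email in the IDP, and login is routed purely by the domain after '@' (a registered domain goes to its IDP; any other domain, including a subdomain that was not registered separately, keeps the SuperOffice password, as the section on existing password users explains). The following Python script is an added example and is not SuperOffice code or tooling: the registered domains, the IDP user directory and the SuperOffice usernames are constructed sample data, and comparing usernames case-insensitively to separate a mere case difference from a missing account is an assumption, since the page does not say how SuperOffice matches usernames.

```python
"""Pre-flight audit for an IDP rollout (illustrative; not SuperOffice code).

Models two rules from the guide:
  1. Each SuperOffice username must equal the user's UPN / primary e-mail
     in the IDP (step 1).
  2. Login is routed by the domain part of the username, after '@': a
     registered domain goes to its IDP, any other domain keeps the
     SuperOffice password (step 2).
"""
from typing import Dict, List, Optional

# Constructed sample: domains registered in step 2 and the IDP chosen for each.
# The guide says subdomains and custom domains are added manually via support,
# so the lookup below is an exact match and does not walk up to a parent domain.
REGISTERED_DOMAINS: Dict[str, str] = {
    "example.com": "Microsoft",
    "example.org": "Google",
}

# Constructed sample of the IDP user directory (UPN / primary e-mail per user).
IDP_USERS = {
    "alice@example.com",
    "bob@example.com",
    "carol@example.org",
}

# Constructed sample of usernames as currently set in SuperOffice Admin.
SUPEROFFICE_USERS: Dict[str, str] = {
    "alice": "alice@example.com",        # matches the IDP UPN exactly
    "bob": "Bob@Example.com",            # differs only in letter case
    "carol": "carol",                    # not in user@domain form
    "dave": "dave@example.com",          # right form, but no such IDP user
    "erin": "erin@partner.net",          # unregistered domain: password login
    "frank": "frank@sales.example.com",  # subdomain: not registered by itself
}


def domain_of(username: str) -> Optional[str]:
    """Return the part after the last '@' in lower case, or None if absent."""
    if "@" not in username:
        return None
    return username.rsplit("@", 1)[1].lower()


def route_login(username: str) -> str:
    """Return the IDP name a login is forwarded to, or 'password' when the
    username's domain is not registered (or the username has no domain)."""
    domain = domain_of(username)
    if domain is None:
        return "password"
    return REGISTERED_DOMAINS.get(domain, "password")


def audit_user(username: str) -> List[str]:
    """Return findings for one SuperOffice username; an empty list means OK."""
    findings: List[str] = []
    domain = domain_of(username)
    if domain is None:
        findings.append("not in user@domain (UPN) form")
        return findings
    idp = REGISTERED_DOMAINS.get(domain)
    if idp is None:
        findings.append(f"domain {domain} not registered: user keeps SuperOffice password")
        return findings
    if username in IDP_USERS:
        return findings  # exact match with the IDP UPN
    # Assumption (not stated on the page): compare case-insensitively only to
    # tell a pure case difference apart from an account that does not exist.
    if username.lower() in {u.lower() for u in IDP_USERS}:
        findings.append(f"differs from {idp} UPN only in letter case")
    else:
        findings.append(f"no matching UPN in the {idp} directory")
    return findings


def run_audit(users: Optional[Dict[str, str]] = None) -> Dict[str, List[str]]:
    """Audit every SuperOffice user; returns {SuperOffice user: findings}."""
    users = SUPEROFFICE_USERS if users is None else users
    return {name: audit_user(uname) for name, uname in users.items()}


if __name__ == "__main__":
    for name, findings in run_audit().items():
        uname = SUPEROFFICE_USERS[name]
        status = "OK" if not findings else "; ".join(findings)
        print(f"{name:6} {uname:26} -> {route_login(uname):9} {status}")
```

Run it directly to print one line per user with the expected login route and any finding. A clean run before registering the domain means every user whose domain you are about to register already has a username the IDP will recognize.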

    3. Log in - to complete user-transformation

    When users log in for the first time, the process of moving the user from passwords to IDP is activated:

    New SuperOffice users:

    Register new users in SO Admin to send an invite and get users to log in.

    To enable users to use the authentication provider for your domain, add them to SO Admin. SO Admin then sends a "user activation invite" email to the user's registered email address.

    Step 1. The admin adds the new user in SO Admin, enters the user's email address in the email field and clicks "Save".

    Step 2. Make sure the SuperOffice 'User name' is equal to the user name (UPN) in your IDP system.

    Step 3. Choose "License information" (user plan) and click "Save". 

    Step 4. Users will receive an invitation email in their email inbox. The user clicks the activation link to activate the account. 

    Existing SuperOffice users - who will continue using password (not using IDP) to log on:

    You might have SuperOffice users whose username belongs to a domain name for which no IDP is registered in our systems. Those users continue to use their old SuperOffice password. No change, no setup, just log on.

    Existing SuperOffice (password) users - who will start using IDP to log on:

    To be able to use IDP for authentication, the username / User-Principal-Name (UPN) set in your IDP must match the username set in SuperOffice Admin. This can be updated in the "Users" section in the SuperOffice Admin (Settings and maintenance).

    The UPN is typically user@domain.

    During the user's first login, there is a transition phase: the first time the user tries to log in after the IDP has been registered, the user is transitioned from logging on with a password to logging on with the customer's IDP.

    The user must first log in using her password to verify that she is who she claims to be.

    The user is then prompted to log in using the identity provider. 

    The user is configured to log on with the identity provider and is redirected to the SuperOffice CRM Online tenant.

    If the user's browser does not have an active session with the IDP, they are redirected to the IDP to log in.
    The user must then log on using the identity provider.

    If the user's browser has an active session with the IDP, they continue to the page that verifies the connection to the IDP.

    The user is now configured to log on with the identity provider and is redirected to the SuperOffice CRM Online tenant.

    The user is now logged in to CRM Online.

    Setup for the new user is now complete.

    What happens with the user when moving to SuperID? 

    • User transition scenarios (the original table's columns: User type before SuperID; Scenario; User master; Credential record; In SuperID; If existing user account in SuperID; Mail function)

      • With Password: Normal user
        • User master: User
        • Credential record: Password hash
        • In SuperID: User is prompted with password as before. (Password hash is updated on first login.)
        • If existing user account in SuperID: User is prompted with password as before. If the password differs between the accounts, the email address is validated.
        • Mail function: Reset Password

      • With Password: Normal user who will start using IDP
        • User master: User
        • Credential record: Password hash during the transition; reference to IDP after the transition
        • In SuperID: User is prompted with a password during the transition. User is redirected to the identity provider after the transition.
        • Mail function: Reset Password during the transition; N/A after the transition

      • User Candidate: User added, has not logged in yet
        • User master: User Candidate
        • Credential record: No credentials
        • In SuperID: When the user clicks a link in the email, the user has to validate her email address. She is informed that an email has been sent to her and she has to enter a code from the received email. She can then set the password and is redirected to the tenant.
        • If existing user account in SuperID: The user clicks the link in the (final) mail and is prompted for a password and a confirmation to connect the SuperID account to the user.
        • Mail function: Resend Welcome email

      • Migrated user that has never logged in: Migrated users must click a link in a "set password" email and set the password the first time they log in. This user has not done so prior to moving to SuperID.
        • User master: Migrated
        • Credential record: No credentials
        • In SuperID: When the user clicks the link in the "set password" email, a dialog informs her that she needs to validate her email address. She receives an email with a code and has to enter the code. She can then enter a password (or log in using the identity provider).
        • If existing user account in SuperID: The user clicks the link in the mail and is prompted for a password and a confirmation to connect the SuperID account to the user.
        • Mail function: Send set Password email (Migrated User)

      • Cloud Office user: A user that is using Cloud Office with documents in G Suite or Office 365
        • Credential record: Reference to IDP
        • In SuperID: User is redirected to the identity provider as before.
        • Mail function: N/A

    Normal login to CRM Online

    The next time the user logs in from online.superoffice.com and provides the correct user name / UPN, the user is forwarded to SuperID to establish which service to use.

    If the user's browser does not have an active session with the IDP, they are redirected to the IDP to log in / authenticate.

    If the user's browser has an active session with the IDP, they are logged in to CRM Online.

    Questions and Answers

    • Once you are moved to the new SuperID platform, we cannot move you back to the old platform.
    • We can turn off / disconnect your IDP provider so that IDP is not used for logging in. New users will then not be asked to use IDP; users already using IDP will continue to use IDP. Read more under 'Can I swap between using IDP and SuperID password?' below.
    • For a normal user there is not much difference at all. SuperOffice administrators can no longer set user passwords in SO Admin. A user using IDP needs to use the IDP's reset password feature to reset the password.
    • This makes it a lot easier for the end-user to log in: user authentication/login to CRM Online is leaner and uses your existing Office 365 or G Suite credentials, with no SuperOffice password. Login is automatic if you are already logged in to Office 365 or Google G Suite (browser session).
    • If the user is using IDP, the user needs to use the IDP's reset password feature to reset the password.
    • If the user is using a SuperOffice password (not IDP), the SuperOffice admin can only initiate a password reset (send an email to the user) by choosing this in the admin client. The user can use the reset password email link on the login page to set a new password.
    • A user using IDP needs to use the IDP's reset password feature to reset the password. If the user is using a SuperOffice password (not IDP), the user uses the reset password feature on the login page and receives an email to set a new password.
    • When an IDP is set for a domain name (e.g. username=user1@company.com, so the domain is company.com), users of this domain are told to use IDP when logging in for the first time. Once a user is set to use IDP, you must contact support to get the user disconnected from IDP in order to use a SuperOffice password. If you do not want users to be asked to use IDP when logging in for the first time, the IDP can be switched off by contacting support.