Our customers can use Single Sign-On (SSO) to control authentication. Lyyti's SSO implementation follows the SAML 2.0 protocol: the Service Provider ("SP", i.e. Lyyti) and the Identity Provider ("IdP", whatever system you use to manage logins) exchange their configuration (entity IDs, endpoint URLs and signing certificates) as standardized XML metadata, and the IdP then passes the user's authentication data to Lyyti in signed SAML responses.
As our SSO is still in its beta phase, setting it up requires you to contact our customer care.
After you send your request to implement SSO for your company, Lyyti will provide you with:
- SP metadata as XML
- URL to initiate SSO
- ACS URL
- Entity ID
- Security-related optional settings
The only Name ID (i.e. the identifier of the account attempting to log in) needed is the user's email address.
Once you have entered these SP settings and the XML metadata into your IdP's SAML 2.0 configuration, please provide us with the IdP metadata in XML format. Once we have saved it, the SSO and ACS URLs provided above become functional.
A few things worth mentioning:
- Make sure your IdP is set to sign SAML responses; do not configure it to require signed authentication requests
- The email address your IdP sends as the user's NameID must match the email address of the user's Lyyti account
- Currently SSO in Lyyti works only in forced mode. This means that once SSO has been enabled for a customer, every login to Lyyti must go through SSO authentication. If a username (email) is not found in the IdP, the user cannot log in.
SSO for users
The login experience of a Lyyti user works in the following way: