🔑

Introduction to SSO and provisioning

Summary

SSO and provisioning are processes that can help you manage employee data at Millie. If you are a company admin, this document will help you decide whether you need these extra features, and explain how to use them.

Manual employee management

First, let's recap Millie's base functionality, which we will call manual employee management. Anyone can join Millie and use it to send gifts or make donations, but only your employees should have access to your company's matching program, volunteer sign-ups, and so on. That's why you need an up-to-date employee list in the Millie Employees page:

image

When managing employees manually, you must create, edit, and eventually deactivate every employee record by interacting with this page:

  • You create new employees with the Add Employees dialog, which lets you type the details of a single new record, or upload a batch of them as a CSV file. Employees created this way receive an invitation email with a link to the Millie app. After following the link, they are prompted to enter a new, Millie-specific password.
  • As employees leave your company, you must find each record in the Employees page and deactivate it with the View/Edit dialog. Until you do this, the user will continue to have access to your company's giving programs.

SSO and JIT provisioning

This manual process works well if you don't have too many employees, but larger companies will want to automate these tasks. SSO or Single sign-on simplifies the login process for the employee, and saves you time by causing Millie employee records to be created automatically when an employee logs in for the first time. That last bit is called JIT or Just-In-Time provisioning. Though its name includes the word 'provisioning', this feature is built into SSO; it is not part of the SCIM provisioning we are going to talk about later. Millie implements SSO with a technology called SAML; sometimes you will see SAML used as a synonym for SSO.

SSO relies on a centralized repository of employee data called an identity provider or IdP. Okta and Azure are two such providers, and there many others. These are paid services, external to Millie, but your company may already have one.

If your company does have an IdP, your HR or IT staff are already using it to create and update employee data during your onboarding and offboarding processes; you just need to share a portion of that data with Millie. That is done by adding a Millie app integration to the IdP. Your IT staff will handle this; detailed integration guides are listed here.

When Millie is integrated into your IdP, your employees will have two ways to access the Millie app: through an SP-initiated login, or an IdP-initiated login.

SP-initiated logins

SP stands for service provider, which is the business or app that is asking your employee to prove their identity. Millie is the SP in this context. In an SP-initiated login, the login process starts at Millie:

  1. Your employee visits the Millie app. If they have not logged-in recently, Millie displays the main login page:
    2. image
  2. The employee clicks Sign in with SSO, which directs them to Millie's SSO login page:
    3. image
  3. The employee enters their email address. They do not give their password to Millie.
  4. Millie sends the employee to a login page at your IdP's website:
    5. image
  5. If your employee has logged into the IdP recently, it immediately returns them to the Millie app, with full access to their account.
  6. If the IdP is not sure of the employee’s identity, it will ask for the employee's email address, plus a password, an authentication code, or other proof of identity. By configuring the IdP, your company decides what proof is sufficient for Millie and all other services.
  7. If the IdP accepts the employee's login, it returns them to Millie with full access, as before.

When the IdP returns an employee to Millie after an SSO login, it sends their email address plus their first and last name to the Millie app. If Millie does not recognize the address, it automatically creates a new employee record before letting them in. This is the JIT provisioning we mentioned earlier. If Millie does recognize the address, it will update the employee's name, if that data changed on the IdP side.

IdP-initiated logins

Instead of beginning with a visit to the Millie app, IdP-initiated logins start at the IdP:

  1. Your employee visits your IdP's website. As before, the IdP grants them access, if it already trusts them, or it first asks for their email address, plus a password or other proof of identity.
  2. After establishing their identity, the IdP displays a list of app integrations to the employee. The Millie integration will be one of these:
    3. image
  3. The employee clicks the Millie integration icon, and is immediately transferred to the Millie app, with full access to their account, without logging in again.

As before, Millie also creates or updates the employee record when the IdP sends the logged-in employee to the Millie app.

SSO advantages

In both SP- and IdP-initiated logins:

  • One password and one login grant access to Millie and all other services you have chosen to integrate with your IdP. If the employee loses their password, one support request restores access to Millie and all those services.
  • Thanks to JIT provisioning, it is no longer necessary to create most employee accounts manually. It is still necessary to deactivate employees manually, however. To automate that task, you must enable SCIM provisioning, described below.

By the way, you might have a few employees who cannot use SSO for some reason. If so, you can still create and manage their employee records manually, and they can login with Millie-specific passwords, even while your other employees use SSO.

To enable SSO, direct your IT staff to Millie's SAML setup guides.

SCIM provisioning

JIT provisioning automates some of your employee management tasks, but again: it does not deactivate employees in Millie, even when these are deactivated in the IdP. To automate deactivation, your company must enable SCIM provisioning. Rather than waiting for an employee to login (as SSO does) this process updates Millie employee records as soon as the data is created or changed in the IdP. This means all your employees appear in the Millie Employees page in one large batch, rather than a few at a time, as they login. It also means that inactive employees will be excluded from your company's programs, immediately and automatically, as your HR or IT staff deactivates them in the IdP. SCIM is a specific provisioning technology, but sometimes you will see it used as a general synonym for this type of provisioning.

IdPs like Okta and Azure use the same employee data to implement both SSO and provisioning, so enabling SCIM incurs no additional upkeep on your side. At Millie, you do not have to enable SCIM to use SSO, but you must enable SSO to use SCIM, and you must use the same IdP for both.

Your IT staff enables SCIM provisioning by extending the same IdP app integration you used to enable SSO. Detailed integration guides are listed here.

SCIM provisioning advantages

Because employees are provisioned in bulk, and deactivated automatically:

  • You will seldom need to perform any sort of manual employee management when SCIM is enabled.
  • The Millie launch email will be sent to all employees automatically, without the need for a bulk CSV import.
  • Employee engagement metrics will be more accurate, since the Millie app will have the correct count of eligible employees.

SCIM-linked employees

If you need to, you can continue to create and manage some employee records manually (as long as their e-mail addresses do not use the same domain as your SSO employees — see below) even while other employees use SSO and SCIM. You can also create and manage manually for a time, and then switch to SCIM at a later date. Also, you are never locked-in to SSO or SCIM; you can use them for a time and then disable them, managing employees manually thereafter.

Millie uses the employee email address to identify each person uniquely. If you create an employee manually, you will be able to edit that employee manually until Millie receives SCIM provisioning data from your IdP that matches that employee's email address. Once that happens, the employee is said to be SCIM-linked. When SCIM is enabled, the SCIM-link status of each record is displayed in a SCIM column within the Employees page:

image

SCIM-linked employees cannot be activated or deactivated manually, neither can their name data be changed manually; instead, you are expected to make those changes in the IdP. This ensures that Millie stays in sync with your IdP data. If you use SCIM, most or all of your employee records will probably be SCIM-linked. If you disable it later, you will regain the ability to manage those records manually.

Whether linked or not:

  • It is always possible to view employee data with the View/Edit dialog in the Employees page, or to use that dialog to Resend Invite.
  • You will continue to use the Change Role dialog to manage permissions for admins and other staff with special Millie privileges.

To enable SCIM, direct your IT staff to Millie's SCIM setup guides.