Once Single Sign On (SSO) has been established for a domain, users must have an email address that matches that domain to access the tenant.
Once a domain is linked to a tenant, users with that domain cannot be added to other organizations’ tenants.
This article provides an overview of the SSO implementation within the Syniti Knowledge Platform specifically in regards to users that have credentials in more than one domain.
As an example, Bruce Wayne is a Syniti consultant and therefore has a email@example.com email address. Bruce is working with a publishing client called The Daily Planet. Because of this contract, Bruce also has a contractor email of firstname.lastname@example.org. This document covers users in this type of scenario and how they will access the Syniti Knowledge Platform.
The Syniti Knowledge Platform supports two types of authentication:
- In-Application (In-App)—A user’s username and password are stored within the platform's internal identity provider and when a user logs in, that username and password are validated against this internal provider
- Single Sign On (SSO)—A user is authenticated against a corporate Identity Provider (IdP) and the user’s access credentials are managed by the IdP
As an added layer of security, every Knowledge Platform tenant has a list of associated allowlisted domains. These domains are the only domains that are allowed for users in that tenant.
Tenant—Domain Mapping with Single Sign On
When a tenant is configured for Single Sign On, one or many domains are associated with that tenant and the tenant is integrated with a customer’s corporate IdP. When a user logs in to the tenant, the domain is taken from their email address and that domain is used to match against the tenant(s) to which the user has access.
Once a domain has been established with an organization’s IdP any user with an email address that matches that domain can only access tenant(s) that are within that organization’s control.
As an example, once a Syniti tenant is linked to the Syniti.com domain, then Bruce Wayne will not be able to be registered to The Daily Planet’s tenant using the email address email@example.com. To access The Daily Planet’s domain, he will need to use his dailyplanet.com email address.