In this article, we'll explain what SSO is, show you how to configure a new Single Sign On setup, and answer the most common questions from customers.
Single Sign-On, or SSO, is an authentication method that allows Users to access multiple applications with a single set of login credentials. After their initial login, Users can seamlessly access connected applications without needing to enter their username and password again.
SSO is widely used in corporate environments, online services, and cloud-based platforms to streamline user access while maintaining strong security.
We'll cover:
- What is SSO and how does it work?
- Key benefits of using SSO
- Service & Identity Providers
- Authentication type
- Tying it all together
- Steps to set up a new SSO configuration
- FAQ
What is SSO and how does it work?
Imagine you’re at an amusement park. When you first arrive, you go to the entrance, show your ticket, and receive a wristband. Instead of presenting your ticket each time you want to go on a ride, you simply flash your wristband, and they let you in. There's no need to keep digging in your pocket for your ticket!
SSO works the same way. Instead of entering your password every time you visit a new website or app, you log in once, and it gives you a “pass” that lets you access all the connected apps without needing to log in again.
In technical terms:
- User Authentication: A user logs in to the Identity Provider using a single set of credentials.
- Token Issuance: After successful login, a token is generated that authenticates the user.
- Access to Applications: When the user tries to access a connected application (Service Provider), the Identity Provider shares the authentication token, granting access without requiring another login.
Key benefits of using SSO
SSO delivers a quick and seamless login journey for your people.
- Convenience: Users need to remember only one set of credentials.
- Increased Productivity for Users: Users will spend less time managing multiple credentials, allowing for a more seamless experience.
- Increased Productivity for Administrators: An easier experience for Users also reduces the workload for Helpdesks and LMS Administrators by minimizing password reset requests.
- Improved Security: Lowers the risk of password fatigue (weak or reused passwords) and enables centralised access control.
- Simplified Management: Makes it easier for IT teams to manage user access, quickly onboard new starters, and revoke access for leavers.
Service & Identity Providers
Kallidus is the Service Provider (SP), which is the application the user wants to access. The SP relies on the Identity Provider (IdP) to authenticate and verify the user.
The Identity Provider verifies a user's identity and provides an authentication token that allows access to various applications without requiring re-entry of credentials.
For example, when you sign in to a website using services like Facebook, Google, or Microsoft, these platforms act as Identity Providers. They confirm your identity and provide access to other applications or platforms (other Service Providers) that are linked to your account.
Examples of SSO Identity Providers and the recommended authentication type:
| Identity provider | Authentication type |
| --- | --- |
| Azure AD B2C | OIDC |
| Google Workspace | SAML2 |
| Microsoft Entra ID | OIDC |
| Okta | OIDC |
| OneLogin | OIDC |
Authentication type
An authentication type refers to the specific protocol or method used to verify a user's identity and grant access to applications. It defines how credentials are exchanged between the Identity Provider (IdP) and the Service Provider (SP).
Kallidus supports these authentication types:
- Security Assertion Markup Language (SAML): An XML-based standard for exchanging authentication and authorization data, commonly used for enterprise SSO.
- OpenID Connect (OIDC): A modern authentication protocol built on OAuth 2.0, using JSON Web Tokens (JWT) for secure user authentication in web and mobile apps.
- WS-Federation: A Microsoft-centric authentication protocol that enables federated identity and SSO using security tokens and claims-based authentication.
Tying it all together
Think back to the amusement park: the entrance staff (the Identity Provider) check your ticket and give you a wristband (the authentication token).
The Service Provider (the rides or attractions) trusts the wristband to allow you access without requiring another ticket. Similarly, after logging in once via the Identity Provider, you can access all connected apps without needing to log in again, just like you’re freely hopping from ride to ride with your wristband!
Steps to set up a new SSO configuration
Warning: Setting up a new Single Sign On connection or editing an existing one can impact whether people can log into your site. We advise caution when doing this. You should involve your IT team and test all configurations before putting them live.
- Browse to Manage Users
- Go to Settings
- Scroll down to the SSO providers section. Select one of the following options:
  - Add Microsoft Entra ID
  - Add Google Workspace
  - Add Other SSO Provider
- For the given configuration, be sure to read all the provided information. View the 'in-app' instructional video to guide you through the steps:
FAQ
How do I set up SSO?
Your IT team is the best point of contact for implementing and assisting with SSO (following the steps above). To set up SSO in Kallidus, your IT contact will need access to Manage Users. View Give a User permission to Manage Users (with the latest IDS) for steps.
How does SSO work with the people data file and Kallidus account creation?
Kallidus user accounts will still need to be created via people data feed, API, or manual entry.
Kallidus does not support System for Cross-domain Identity Management (SCIM) for user provisioning because most Identity Providers lack sufficient data to assign correct training requirements. Instead, user provisioning is handled via the people data feed (HR data source).
Does Kallidus support custom name claims?
We recommend the usernames on your people data feed match the name claim in your Identity Provider for seamless authentication. If this isn’t possible, refer to How to add custom claim mapping for Single Sign On (SSO) for more information.
Can Kallidus support multiple sign-in methods?
Yes. Many organizations use a mix of sign-in methods. Kallidus can support multiple Identity Providers and/or local logins (username/password) simultaneously. For example:
Can a direct link for SSO Users be provided?
Yes. View Streamline user login: Share direct access links for Username/password and SSO Users to see how.
Can Kallidus limit who can sign in with SSO?
The user must be enabled in Kallidus and the username / name claim should match in Kallidus and your Identity Provider. To limit access during implementation, security groups can be used within your Identity Provider.
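The sign-in flow from "What is SSO and how does it work?" and the two conditions above (name claim matches a username, account is enabled) can be seen end to end in the following generic sketch, which is an added example and not Kallidus code. It assumes an HS256-signed token with a shared key and a claim called `name`; real deployments normally verify against the Identity Provider's published signing key, and every key, URL and account shown is a constructed placeholder.

```python
import base64, hashlib, hmac, json, time

def _b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64d(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _mac(key, head, body):
    return hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()

def issue_token(claims, key):
    """Identity Provider side: sign the claims as a compact HS256 JWT."""
    head = _b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64e(json.dumps(claims).encode())
    return f"{head}.{body}.{_b64e(_mac(key, head, body))}"

def sign_in(token, key, issuer, audience, accounts, now=None):
    """Service Provider side: return the local username or raise PermissionError."""
    now = time.time() if now is None else now
    try:
        head, body, sig = token.split(".")
        header, claims, given = json.loads(_b64d(head)), json.loads(_b64d(body)), _b64d(sig)
    except ValueError as exc:  # wrong part count, bad base64 or bad JSON
        raise PermissionError("malformed token") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise PermissionError("malformed token")
    if header.get("alg") != "HS256":  # the SP fixes the algorithm, not the token
        raise PermissionError("unexpected algorithm")
    if not hmac.compare_digest(given, _mac(key, head, body)):
        raise PermissionError("bad signature")
    if claims.get("iss") != issuer or claims.get("aud") != audience:
        raise PermissionError("wrong issuer or audience")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise PermissionError("token expired")
    name = claims.get("name")  # assumed claim carrying the username
    account = accounts.get(name) if isinstance(name, str) else None
    if account is None:
        raise PermissionError("name claim matches no account")
    if not account["enabled"]:
        raise PermissionError("account disabled")
    return name

# Constructed sample data: key, URLs and accounts are placeholders.
KEY = b"constructed-shared-secret"
ISS, AUD = "https://idp.example", "https://lms.example"
ACCOUNTS = {"a.jones": {"enabled": True}, "b.leaver": {"enabled": False}}

def claims_for(name, exp=2_000_000_000):
    return {"iss": ISS, "aud": AUD, "exp": exp, "name": name}
```

A user who authenticates successfully at the Identity Provider is still refused here when no account matches the name claim or the matching account is disabled, which is why accounts must exist in the Service Provider before SSO can work.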
Can I disable the ‘Log in using password’ option if my organization is 100% SSO?
Yes. Go to Manage Users | Settings and disable the "Allow login using email/username and password" toggle.
Note: If you disable this feature for contractors, volunteers, or test accounts that are not in your Identity Provider, they will not be able to log in.
Can I change my existing Identity Provider in Kallidus?
Yes, but we strongly recommend consulting your IT team and Kallidus representative before making changes.
Setting up a new Single Sign On connection or editing an existing one can impact whether Users can log into your site. We recommend that you involve your IT team and test all configurations before putting them live.