How does Single Sign On Work?


SSO, or Single Sign On, lets you log in to Sprinklr easily. We have already covered what it is and why it is relevant in this article. Here, we cover how the capability works and the key elements behind it.

How does SSO work?

There are two parties involved in an SSO login:

  1. IDP: Identity Provider where the user’s identity is stored. E.g.: Microsoft Azure
    An IDP is a service that maintains and manages digital identities to verify user credentials throughout applications, networks, and web services. Its primary role is to safeguard the integrity of user credentials and federate user identity where SSO logins are desired.

  2. SP: Service Provider (The application users want to access). E.g.: Sprinklr platform
    A service provider is the resource that users authenticate into using SSO, usually a private website or application. It receives, accepts, or denies assertions (in the case of SAML 2.0) or ID tokens (in the case of OIDC) from IDPs for each client profile before granting users access.

The IDP holds information about the various SPs and vice versa. The architecture is a handshake protocol: Sprinklr validates the information it receives and only then allows the user to be logged in. There are two types of SSO configurations: SAML 2.0 and OpenID.

Types of SSO login

SP initiated: The Service Provider (Sprinklr) initiates the SSO request by sending a SAML request to the IDP. Once the user logs in, the IDP (Client) sends a response (user details) to the Service Provider (Sprinklr) in the form of a SAML assertion authorizing the login and identifying the user.

Sprinklr supports SP initiated SSO for Web & Mobile Apps (including Advocacy).

IDP initiated: Starts from the customer’s end through a provided link or tile in the customer’s employee portal. When the IDP link is hit, or the tile is clicked in an employee portal, the Identity Provider (Client) will send a SAML assertion to the Service Provider (Sprinklr) authorizing the login and identifying the user.

Sprinklr only supports IDP initiated SSO for Web App (not for Mobile or Advocacy).
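The two login types differ in whether the SAML response answers a request the SP issued. The sketch below is an added example, not Sprinklr's code: it shows how an SP can tell the flows apart using the standard SAML 2.0 `InResponseTo` attribute and refuse unsolicited responses where IDP initiated login is not enabled. The `ServiceProvider` class, its `allow_idp_initiated` flag, and the sample messages are hypothetical, and signature verification is assumed to have been done already by a SAML library.

```python
import uuid
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

class ServiceProvider:
    """Hypothetical SP-side tracker for the two login types."""

    def __init__(self, allow_idp_initiated):
        self.allow_idp_initiated = allow_idp_initiated
        self.pending = set()  # IDs of SAML requests sent and not yet answered

    def start_sp_initiated_login(self):
        # SP initiated: the SP issues the SAML request and remembers its ID.
        request_id = "_" + uuid.uuid4().hex
        self.pending.add(request_id)
        return request_id

    def accept_response(self, response_xml):
        # Assumption: the XML signature was verified before this point.
        root = ET.fromstring(response_xml)
        name_id = root.findtext(
            "saml:Assertion/saml:Subject/saml:NameID", namespaces=NS)
        if name_id is None:
            return ("rejected", "no subject in assertion")
        in_response_to = root.get("InResponseTo")
        if in_response_to is None:
            # IDP initiated: the response answers no request from the SP.
            if self.allow_idp_initiated:
                return ("idp-initiated", name_id)
            return ("rejected", "unsolicited response not allowed")
        if in_response_to not in self.pending:
            return ("rejected", "unknown or replayed request ID")
        self.pending.discard(in_response_to)  # one response per request
        return ("sp-initiated", name_id)

def build_response(name_id, in_response_to=None):
    # Constructed sample message; a real response also carries a signature,
    # issuer, conditions and timestamps.
    attr = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    return (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" '
        f'xmlns:saml="{NS["saml"]}"{attr}>'
        f"<saml:Assertion><saml:Subject><saml:NameID>{name_id}</saml:NameID>"
        "</saml:Subject></saml:Assertion></samlp:Response>"
    )
```

An SP configured with `allow_idp_initiated=False` models a client where only SP initiated login is offered; every response it accepts must match a request ID it issued, and each ID is accepted once.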

Note: Sprinklr can support any identity provider that is compliant with SAML 2.0. We have clients using a variety of identity providers such as Okta, ADFS, OneLogin, and PingFederate for SSO.