Single Sign-On (SSO) with Azure Active Directory allows your employees to seamlessly create a Do Some Good account using their familiar work credentials and automatically be linked to your business profile without the need for special invitation codes or links.
- About Single Sign-On (SSO)
- User Provisioning
- User Access Control and Synchronization
- Enforcing use of Single Sign-on
- Generating a New Access Key
- Onboarding New Employees
- Migrating Existing Employees
- Adding and Removing User Passwords
About Single Sign-On (SSO)
Single Sign-On (SSO) is an add-on feature that is not automatically included with your Do Some Good business membership. Should you wish to explore adding SSO to your account, please contact the Do Some Good team at email@example.com.
Do Some Good offers the ability for a business to set up user verification/authentication and synchronization using Single Sign-On (SSO) with Microsoft Azure Active Directory. This allows participating businesses to enforce password policies, streamline employee onboarding and synchronize the addition and more importantly the removal of employees from your Do Some Good business profile. We provide support and step by step instructions to make the setup as easy as possible.
Do Some Good supports Microsoft Azure Active Directory SSO, using the app-registration method and OpenID Connect. We do not support configuration using SAML and we are not listed in the Microsoft Azure Marketplace at this time.
Once your business has added the SSO feature to your Do Some Good membership, you can configure your settings by heading to the "Profile & Addresses" page in your left-hand navigation and click on the "Settings" tab.
Do Some Good supports two forms of employee user provisioning on the platform. You can choose whichever version will work best for your business. In either case, the employee user will need to be properly configured in your Azure AD to have access to Do Some Good.
When a user is provisioned with SSO their account is created with a first and last name, an email address and a link to your business with employee level access. If you would like to grant this person administrator level control in Do Some Good, you can do so by heading to your "Team" page in the left-hand navigation of your Management Area.
Should your Azure AD configuration be SCIM enabled, you can choose to configure auto provisioning. When auto provisioning is enabled, all of your configured users will have Do Some Good accounts created for them on the next Azure synchronization cycle. The Do Some Good employee accounts will be crated regardless of the person logging in to the platform or not.
On Demand Provisioning (Recommended)
The default configuration is to use on demand provisioning and this does not require SCIM to be enabled. In this configuration, when one of your employees uses their SSO credentials to attempt to log in to Do Some Good for the first time, a new Do Some Good user account will be created at that time. This operation is instantaneous and seamless for your employee.
Azure Configuration Warning
Whenever you add Azure Active Directory users to the Do Some Good configuration you must always wait for one synchronization cycle. If you add users to the configuration and then immediately remove them, that Azure AD user will never be synchronized with the Do Some Good platform. This seems to be a bug or peculiarity within Azure AD itself, once the user is in this state, information is never transferred to the Do Some Good server even if the Azure user is added to the configuration again later.
User Access Control and Synchronization
Should your Azure AD configuration be SCIM enabled, any changes to Azure user accounts will be synchronized with the Do Some Good platform on the next Azure synchronization cycle (approximately every 40 minutes).
Should your IT department remove an Azure user from the Do Some Good configuration or deactivate/delete a user from the Azure Active Directory, the following actions will be taken on the Do Some Good platform:
- The link of the Do Some Good user account to the business will be removed. This will be true for user level as well as administrator level Do Some Good permissions. The user will no longer have access to information such as 'employee only' stories, volunteer positions and events, employee dashboard and team feed.
- The user account will continue to exist as all volunteer records, story posts and other activity continue to be linked to the account.
- If the user wants to continue to use their unlinked account for community volunteering or engagement they are free to do so as long as they have added a second authentication method. If the user did not add an additional method prior to being removed in Azure, the Do Some Good account will be orphaned.
Enforcing Use of Single Sign-on
In addition to the user provisioning mentioned above, administrators of a Do Some Good business can create and send out invitation links to allow any person to join as an employee of Do Some Good. This would allow users outside of your business domain to be granted employee level permissions that could later be elevated to administrator level permissions. Users who connect with an invitation link and do not use SSO credentials are NOT synchronized and automatically removed as described above.
If a business turns on 'Enforce use of Single Sign-on' on their Business Settings page, all references to inviting users with a link will be removed from the management area. The workflow for new employees connecting to the Do Some Good business profile will be through auto or on demand provisioning.
Existing users who connected with a link before the setting was changed will remain linked to the business as employees or administrators until manually removed by one of your Do Some Good administrators.
Generating a New Access Key
Should your IT policy require periodic generation of new SSO access keys, you can create one in Profile & Address, 'Settings' tab in your management area. Please note, the ability to generate a new access key will only be available if your company has SSO configured as part of your Do Some Good membership. If your business is a subsidiary of a larger organization that manages your IT services, you may not see this section in your settings.
Generating a new access key will create an additional key and your current access key will continue to function. This will give your IT team time to update the configuration in Azure with your new key. Once your new key is properly configured in Azure, the old key can be deactivated in the Settings tab.
Onboarding New Employees
This article shares instructions how employees can quickly and easily create a brand new Do Some Good user account and automatically be linked as one of your employees. This requires the new employee user to have a valid Active Directory user account with your IT Department properly configured to have access to Do Some Good.
Migrating Existing Employees
If your business already has employees on the platform with Do Some Good accounts they will want to replace their existing login credentials with Azure authentication. This article explains how an existing user can convert to using SSO. If existing employees do not follow these instructions they risk creating a duplicate new account rather than linking their existing account.
Adding and Removing User Passwords While Using SSO
Unlike many platforms that can be configured with SSO, the user account on Do Some Good is partially 'owned' by the employee user. The employer always has access and rights to data that is created during the time a person is employed but an employee can connect an existing user profile to a business or create a brand new one. This ability is in the best interest of the business as an employee with a long volunteer history will bring that history to their new employer.
If a user with an existing Do Some Good account wants to connect that account to a new employer they need to log in to their existing Do Some Good account and then follow the invitation link sent by their new employer. If the employer has SSO Enforcement enabled, the user would have to visit their Settings and Privacy page and click the 'Connect with SSO' button. Once they validate their SSO credentials, the user will be connected as an employee and bring their account history with them. If that user wants to use only SSO in the future, they can remove any other authentication methods on their Settings and Privacy page once SSO is connected.
Should a user want to continue using their Do Some Good account after their employment ends, they should visit their Settings and Privacy page (prior to losing access to SSO) and connect with another method such as a social network or password. Once their employment has ended and they have lost access to SSO and been disconnected as an employee, they will still be able to use their Do Some Good account with the alternate authentication method.