Do Some Good offers the ability for a business to set up user verification/authentication and synchronization using Single Sign on using Microsoft Azure Active Directory. If your business uses Azure, you can streamline the experience for your employees and increase security and control over who has access to your Do Some Good profile at the same time. All Single Sign On settings for your business are found in your management area under Profile and Addresses in the left hand menu on the 'Settings' tab. The following features are available when if your business has the single sign on (SSO) feature enabled as part of your membership:
- User Provisioning
- User Access Control and Synchronization
- Enforce use of Single Sign-on
- Generate a New Access Key
- Adding and Removing User Passwords
Should you need technical guidance on how to configure Do Some Good access within the Azure platform, please request documentation from our team.
Do Some Good supports two forms of employee user provisioning on the platform. You can choose whichever version will work best for your business. In either case, the employee user will need to be properly configured in your Azure AD to have access to Do Some Good. When a user is provisioned with SSO their account is created with a first and last name, an email address and a link to your business with employee level access. Should you wish to grant this person administrator level control in Do Some Good it must be done within the management area of your Do Some Good profile.
Should your Azure AD configuration be SCIM enabled, you can choose to configure auto provisioning. When auto provisioning is enabled, all of your configured users will have Do Some Good accounts created for them on the next Azure synchronization cycle. The Do Some Good employee accounts will be crated regardless of the person logging in to the platform or not.
On Demand Provisioning (Recommended)
The default configuration is to use on demand provisioning and this does not require SCIM to be enabled. In this configuration, when one of your employees uses their SSO credentials to attempt to log in to Do Some Good for the first time, a new Do Some Good user account will be created at that time. This operation is instantaneous and seamless for your employee.
Azure Configuration Warning
Whenever you add Azure Active Directory users to the Do Some Good configuration you must always wait for one synchronization cycle. If you add users to the configuration and then immediately remove them, that Azure AD user will never be synchronized with the Do Some Good platform. This seems to be a bug or peculiarity within Azure AD itself, once the user is in this state, information is never transferred to the Do Some Good server even if the Azure user is added to the configuration again later.
User Access Control and Synchronization
Should your Azure AD configuration be SCIM enabled, any changes to Azure user accounts will be synchronized with the Do Some Good platform on the next Azure synchronization cycle (approximately every 40 minutes).
Should your IT department remove an Azure user from the Do Some Good configuration or deactivate/delete a user from the Azure Active Directory, the following actions will be taken on the Do Some Good platform:
- The link of the Do Some Good user account to the business will be removed. This will be true for user level as well as administrator level Do Some Good permissions. The user will no longer have access to information such as 'employee only' stories, volunteer positions and events, employee dashboard and team feed.
- The user account will continue to exist as all volunteer records, story posts and other activity continue to be linked to the account.
- If the user wants to continue to use their unlinked account for community volunteering or engagement they are free to do so as long as they have added a second authentication method. If the user did not add an additional method prior to being removed in Azure, the Do Some Good account will be orphaned.
Enforce use of Single Sign-on
In addition to the user provisioning mentioned above, administrators of a Do Some Good business can create and send out invitation links to allow any person to join as an employee of Do Some Good. This would allow users outside of your business domain to be granted employee level permissions that could later be elevated to administrator level permissions. Users who connect with an invitation link and do not use SSO credentials are NOT synchronized and automatically removed as described above.
If a business turns on 'Enforce use of Single Sign-on' on their Business Settings page, all references to inviting users with a link will be removed from the management area. The workflow for new employees connecting to the Do Some Good business profile will be through auto or on demand provisioning.
Existing users who connected with a link before the setting was changed will remain linked to the business as employees or administrators until manually removed by one of your Do Some Good administrators.
Generate a New Access Key
Should your IT policy require periodic generation of new SSO access keys, you can create one in Profile & Address, 'Settings' tab in your management area. Please note, the ability to generate a new access key will only be available if your company has SSO configured as part of your Do Some Good membership. If your business is a subsidiary of a larger organization that manages your IT services, you may not see this section in your settings.
Generating a new access key will create an additional key and your current access key will continue to function. This will give your IT team time to update the configuration in Azure with your new key. Once your new key is properly configured in Azure, the old key can be deactivated in the Settings tab.
Adding and Removing User Passwords While Using SSO
Unlike many platforms that can be configured with SSO, the user account on Do Some Good is partially 'owned' by the employee user. The employer always has access and rights to data that is created during the time a person is employed but an employee can connect an existing user profile to a business or create a brand new one. This ability is in the best interest of the business as an employee with a long volunteer history will bring that history to their new employer.
If a user with an existing Do Some Good account wants to connect that account to a new employer they need to log in to their existing Do Some Good account and then follow the invitation link sent by their new employer. If the employer has SSO Enforcement enabled, the user would have to visit their Settings and Privacy page and click the 'Connect with SSO' button. Once they validate their SSO credentials, the user will be connected as an employee and bring their account history with them. If that user wants to use only SSO in the future, they can remove any other authentication methods on their Settings and Privacy page once SSO is connected.
Should a user want to continue using their Do Some Good account after their employment ends, they should visit their Settings and Privacy page (prior to losing access to SSO) and connect with another method such as a social network or password. Once their employment has ended and they have lost access to SSO and been disconnected as an employee, they will still be able to use their Do Some Good account with the alternate authentication method.