Single Sign-on is a useful feature to increase security and user adoption of new tools. It means that your employees can auto-login to connected applications using their default company password, which is for instance stored in your LDAP or Active Directory system. While Small Improvements doesn’t integrate with LDAP or AD directly, it does integrate with a middleware called PingIdentity.
PingIdentity is a web-based middleware that connects the cloud applications you use with your internal Active Directory or LDAP servers. It has tons of features, but the one you need to enable is the Small Improvements app, so that your SI users can log in via PingIdentity (using SAML 2.0 behind the scenes).
Once configured, your staff can access Small Improvements from the PingIdentity dashboard. Alternatively, if they access Small Improvements via your subdomain (e.g. https://mycompany.small-improvements.com), we’ll rely on PingIdentity to ask for the password (if they aren’t logged in already).
Important: The PingIdentity integration is only for SSO. We do not automatically synchronize your user accounts between systems. If a user doesn’t have an account in SI, then they won’t be able to log in. You can create user accounts manually or upload a CSV spreadsheet.
How to set it up in less than 5 minutes
First, log in to PingIdentity as an administrator. Go to the “Application Catalog” under “Applications” and search for Small Improvements.
Click the arrow on the right side of the entry. Click the now visible “Setup” button at the bottom.
The first screen of the setup will appear. It contains detailed instructions about how to configure Small Improvements at the bottom of the page. Follow them very closely.
Once you are done, click “Continue to Next Step”.
On the second screen, you need to replace “${sub_domain}” with your Small Improvements subdomain in the two text fields at the top. Afterward, click “Continue to Next Step”.
On the third screen, click the “Advanced” button. A new dialog will appear.
Select “urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified” (note the “2.0”) for the “Name ID Format to send to SP” field at the top of the dialog. Confirm by clicking “Save”.
Afterwards, click “Continue to Next Step”.
On the next screen, simply click the “Save & Publish” button. The setup is complete, and a summary of the setup will appear.
To test if everything is set up correctly, visit the shown “Initiate Single Sign-On (SSO) URL” in your browser. You should be logged in to your Small Improvements account.
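If the test login fails, one thing worth checking is the Name ID Format selected in the “Advanced” dialog. The following is an added example, not code from Small Improvements or PingIdentity: it decodes a SAMLResponse value captured from your own test login (assuming the response passes through the browser as a base64 form field) and checks the NameID Format. The function names and the sample response are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

# Value the setup steps tell you to select as "Name ID Format to send to SP".
EXPECTED_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified"
SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def check_name_id(saml_response_b64):
    """Return (ok, name_id, message) for a base64-encoded SAMLResponse value.

    Diagnostic only: the XML signature is not verified here, so the result
    says how the IdP is configured, not whether the login is authentic.
    """
    try:
        raw = "".join(saml_response_b64.split())  # tolerate wrapped lines
        root = ET.fromstring(base64.b64decode(raw, validate=True))
    except (ValueError, ET.ParseError) as exc:
        return False, None, f"not a decodable SAML response: {exc}"
    node = root.find(".//saml:Subject/saml:NameID", SAML_NS)
    if node is None:
        return False, None, "no readable NameID (assertion may be encrypted)"
    name_id = (node.text or "").strip()
    fmt = node.get("Format")
    if fmt is None:
        return False, name_id, "NameID has no Format attribute"
    if fmt != EXPECTED_FORMAT:
        return False, name_id, f"unexpected NameID Format: {fmt}"
    if not name_id:
        return False, name_id, "Format is correct but the NameID value is empty"
    return True, name_id, "NameID Format matches the configured value"


def sample_response(format_attr):
    """Build a constructed (not captured) SAMLResponse for demonstration."""
    xml = (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        "<saml:Assertion><saml:Subject>"
        f"<saml:NameID{format_attr}>jane.doe@example.com</saml:NameID>"
        "</saml:Subject></saml:Assertion></samlp:Response>"
    )
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    for attr in (f' Format="{EXPECTED_FORMAT}"',
                 ' Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"',
                 ""):
        print(check_name_id(sample_response(attr)))
```

The returned NameID value is also what you would compare against the user’s existing Small Improvements account, since accounts are not created automatically.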
Add user-accounts
Now add user accounts to Small Improvements via Administration -> Company Directory or import them from an Excel worksheet. Note: A user needs to be created in SI before they can log in.
Adjusting the welcome email
Important: You must adjust some emails to avoid confusion!
Whenever you invite staff into Small Improvements, they receive an email telling them about Small Improvements. This email also explains how to define their new password. But since they will use PingIdentity’s password instead, that email template needs to be changed!
Please locate the “Access to Small Improvements: Welcome Mail” email template, and remove any mention of setting a password. You can write that people should use the password defined in your intranet instead.
That’s it!
For this to work you will need a Small Improvements subdomain. Just let us know.
Also, you will of course need to set up an account with PingIdentity.
Remember: The PingIdentity integration is only for SSO; it doesn’t yet help with user management. All users need to have an account on both systems already.
And before you roll out the PingIdentity integration, you should definitely test it with two or three accounts, just to be sure everything is set up properly!
Troubleshooting
In case something doesn’t work with login via PingIdentity (for instance because a user exists in SI but not in LDAP, or PingIdentity doesn’t pull it from LDAP), and you still want that person to be able to log in, please manually define a password for them: Go to the SI user profile page, locate “admin” in the dropdown, and change their password.
Tell the person their new password, and direct them to log in via the main SI website: https://www.small-improvements.com. Don’t use your company-specific subdomain, since that will typically redirect to PingIdentity instantly unless you have already enabled the “log in with username/password” option. The www option will allow the user to log in manually while keeping the subdomain on “auto-login”.