We explain SSO and Directory Sync and walk you through how to set this up for Progression.
Introduction
The video below gives an overview of how SSO and Directory Sync work with Progression, how to get set up and common questions.
SSO
SSO is an authentication standard that allows Progression to talk to your identity provider to determine whether a given user should be granted access. This means users no longer log in with passwords, instead they are routed via your identity provider (e.g. Okta or Google Workspace).
Directory Sync
Directory sync is responsible for provisioning, de-provisioning and updating your users on Progression based on the settings in your identity provider.
How can I enable SSO?
First things first, please contact us at support@progression.co to get started.
After we've answered any questions around the integration, we'll enable SSO for your account (which may incur a cost) you will then be able to carry out the integration.
The integration process is thoroughly documented with screenshots and instructions and can be done self-serve. Of course, if you would prefer we are happy to do short call to take you through the setup process.
How to get started
-
Ensure SSO has been enabled for your account
-
Ensure you have sufficient privileges in your identity provider to add new applications
-
Go to your org settings page by selecting 'Admin' > 'Settings'
-
Select 'SSO' > 'Provision SSO' > 'Create Connection' and follow on screen instructions. This will setup your SSO integration.
Important: if using Google Workplace as a directory make sure you add the groups you wish to sync.
-
Select 'Create Directory' and follow on screen instructions. This will setup your directory sync integration.
-
You're all done! You may find you need to do a hard refresh, clear cookies or log in and out to regain access back to Progression.
You're all done! You may find you need to do a hard refresh, clear cookies or log in and out to regain access back to Progression.
How does Directory Sync work in practice?
Directory sync is responsible for provisioning, de-provisioning and updating your users on Progression based on the settings in your identity provider (IDP).
Provisioning:
When a user is created in your IDP and granted access to the Progression in your IDP, they will be automatically created in Progression.
Note: they currently do not receive email notification that an account has been created.
De-provisioning:
When a user has access to Progression removed in your IDP, they will be archived in Progression. A user could have access removed in the IDP through being removed from an access group, removed from the organisation or being deleted.
If the user is subsequently granted access to Progression, their account will be transitioned from archived to active.
Updating:
When a user's details are updated in the IDP, they will be updated in Progression. We currently sync the following attributes:
-
First name
-
Second name
-
Email
-
Manager (where manager is supplied as an email address which matches a Progression user in your organisation)
-
This is generally mapped to the field manager
-
-
Team (where the team name in the IDP matches a team in your organisation)
-
This is generally mapped to the field department
-
-
Position (where the position name in the IDP matches a position in the user's team)
-
This is generally mapped to the field title
-
Check out the WorkOS docs for a deep dive into what the integration process will look like for your systems.
Can I set up SSO just for a subset of my users?
Yes you can! If you are using Okta you can do this within Okta by granting users access to specific applications. The most common way to do this is to assign users to groups and allow groups to use specific apps (see here for more information).
If you are using Google Workplace you will need to add the groups you wish to sync to Progression before you add your directory.
Which SSO providers do you support?
-
AD FS SAML
-
Auth0 SAML
-
Azure AD SAML
-
Generic SAML
-
G Suite OAuth (coming soon)
-
G Suite SAML
-
JumpCloud SAML
-
Microsoft OAuth (coming soon)
-
Okta SAML
-
OneLogin SAML
-
OpenID Connect
-
PingFederate SAML
-
PingOne SAML
-
Shibboleth
-
VMWare SAML
-
CyberArk SAML
Which Directory Providers do you support?
-
Azure AD SCIM
-
Bamboo HR
-
G Suite Directory
-
Gusto
-
Hibob
-
Okta SCIM v1.1
-
Okta SCIM v2.0
-
Rippling
-
SCIM v1.1
-
SCIM v2.0
-
Workday
How much does it cost?
SSO and Directory Sync are included in our Organisation subscription plan.
If you have any questions about SSO and Directory sync, please contact us by email at support@progression.co or send us a message in the chat.