Skip to main content

So, we have established a successful instance of SSO for our EE agency. One of their requests is that we only show the SSO button on the login screen. Sure, no problem, that is a setting. Well, now I, a superadmin, cannot login to their domain. Is there a workaround for this? I mean, other than having the client build me an account in Azure, but that isn’t going to happen. 

@tommyVan Your paradigm needs to shift … you’ll view their accounts from Admin > Users, not by logging in thru their domain. If you need to see the dashboard of an account, impersonate that users with “login as” … I do this all day :-)

Regards,

KM


@tommyVanYour paradigm needs to shift … you’ll view their accounts from Admin > Users, not by logging in thru their domain. If you need to see the dashboard of an account, impersonate that users with “login as” … I do this all day :-)

Regards,

KM

So right now I can do that, but only when all of my cookies are completely cleared, which is more than mildly inconvenient. Secondary to that, what if I need to build notifications or even courses on their domain, as my understanding is that custom notifications must be built on the domain that hosts the people who will receive them. 

I can also get in via configure branding and look, but again, this is time-consuming in the maximum, as I have to navigate all the way there, clear my cookies, then go in.

Do you not have that problem with cookies too? 


@tommyVan No, I don’t have issues with cookies… humm…

If you are coming in as a super admin, then you have access to EVERYTHING that is on that instance, regardless of the domain in use. Notifications, courses, catalogs...everything. The “vertical
-ness”, like assigning their courses to their domains, comes in the groups/branches/menus/pages parts of the platform, not the domain name.

For example, I have a domain aviation.viasatdiscover.com that uses SSO.  When I look in Course Management, I see all of their courses. I can create new courses for that domain, or use existing courses to create learning plans,etc. The way that I keep OTHERS from seeing/using Aviation’s courses is on the page/menu.  I use branches/groups on the pages/menus to control who has access to the courses that belong to the Aviation tenant.

Happy to do another zoom if you want.


I appreciate it. I have one with support in a few minutes here and we are going live with this branch tomorrow morning. Hopefully, I will have an answer by then. I’ll keep you updated. You’ve been such a guiding spirit through all of this!


@KMallette please don’t kill me… My browser had an update…

 


@tommyVan Was wondering how many EE you have on your platform? We have multiple EEs but for now are only exploring the option to enable SSO for one of them, not the rest. Do you know if that would be possible? Within that EE, do we have to enable SSO for all their sub-branches? Can we configure in a way that one of their sub-branches will be signing in through SSO and the rest will sign in regularly?

What is your experience with SSO so far and other than the cookies/browser issue, what are the pros and cons should I be aware of?

Thanks in advance!


@KMallette  -There is an exception to what you’re saying about being a SuperAdmin, I believe, and that is setting up notifications. For example, I am a SuperAdmin of 3 domains. In order to set up notifications with different branding, I need to log into each domain specifically to create the branding. The fact that I am a SuperAdmin doesn’t appear to give me the ability to create admins for a domain other than the one in which my login actually resides. Do you understand this differently? Can you point me to any documentation that may clarify this for me?


Hi @JKolodner … I’m not sure I understand your issue.

What you say about notifications is very true. Notifications are nearly useless to me because of that very situation, so I generally don’t use them. You can however, SEE the notifications, which was what I was trying to clarify for Tommy.

It seems you’re asking about a different SuperAdmin situation, however. You can create superadmin accounts wherever you want, as long as you are yourself a superadmin. The create/manage users KB article should help you. If I’m not understanding your question correctly, please clarify for me.


Sorry, that’s because I messed up my message! (Doing too many things at once!) I meant to say:

The fact that I am a SuperAdmin doesn’t appear to give me the ability to create assignments for a domain other than the one in which my login actually resides. 

 

Even though I’ve set up my notifications correctly within the EE domain, I do not seem to be able to make assignments from my Root domain to people in the EE domain with the proper EE domain course link. I am being advised to log in to the EE domains in order to assign courses to those domains. Unfortunately, we have SSO set up, so this is quite difficult.

 

 


@JKolodner 🙂Thanks for the clarification. Is a common issue for Super Admins 🙂 By assignments, I’m assuming you mean enrollments.

Does your notification tell them they NEED TO enroll in a course, or that they HAVE BEEN enrolled? It should be the later for anything of these other approaches to make sense.

  • Enrollment Rules - You can define a notification as part of the rule. If you create the rule while logged into or impersonating someone in that EE, then maybe the stars will align ?? I’m not sure that I’ve tried this idea end to end.
  • Self-enrollment - Self-enrollment is one way to solve that issue...we mostly just make content available on the dashboard and use other communications methods to announce the need for the course.
  • Impersonation - Impersonation gives you the option of selecting the domain name so you can get into that space. If you have lots of people that need enrolling this isn’t realistic.
  • Power users - is there someone in that EE you can give permission to enroll users?
  • If you can use the API, there is a endpoint for enrolling users. You might need to create the authenticator in the EE domain, but that might be an alternative to asking for SSO access.

We’ve done some testing and we’ve determined that we can create a Power User profile on our EE domain and assign it everything possible in terms of permissions and resources. Then we can create accounts that use the PUP which we can log in as, by proxy and skirt the SSO access issue. It may not work for everything, but it should allow us to do most of what we need. We are going to try this out. Let me know if you have any questions or things we should look out for.


Reply