Corporate Login (Single Sign-On): Managing Users

Available on the Enterprise tier only.

About

Corporate Login/Single Sign-On allows users to log into TrueContext using their corporate login credentials, provided by Identity Provider (IdP) systems like Okta, Active Directory, or OneLogin. Read more about Corporate SSO.

Often, our customers have some users who are supposed to use SSO (like employees) while others aren't allowed to use SSO (typically contractors, who don't have a managed identity).

When you are using Single Sign-On, it's important to set up users correctly by indicating if they are supposed to use Single Sign-On or not. This allows our Technical Support team to easily identify users who are supposed to use SSO, so they can assist them properly. It also allows the TrueContext system to identify users who are supposed to use SSO, so that we can give these users an experience tailored to this method of logging in.

Getting Users Ready to use Corporate Login

There are a few things to consider when setting up TrueContext users if Corporate Login is enabled.

1. The user must exist within both TrueContext and the IdP

Each user must have an account in both TrueContext and your IdP. Users can’t create an account in TrueContext by signing in through the IdP.

2. Usernames

When you set up users in TrueContext, make sure their usernames match the ones in your IdP. For example, if someone's IdP username is “janedoe,” enter “janedoe” as their TrueContext username.

If a username is already taken in the TrueContext system, you must set up a Username Suffix that applies to all the users on your team. This ensures that every username is unique to your team. You do this when you set up SSO for your team.

For example, if the username “janedoe” is already taken, set up the Username Suffix “@yourcompany.com”.

After you set up a Username Suffix, add the suffix to all your usernames. For this example, enter the username as “janedoe@yourcompany.com”.

TrueContext recognizes “janedoe” as the username when connecting with your IdP. TrueContext ignores the Username Suffix you set up so that the usernames in both systems match.

3. Setting up a user to use Single Sign-On

See below to learn how to set up users to ensure they can only log in with SSO, and to tailor their experience for this kind of login.

Set up a User to use Corporate Login/Single Sign-On

NOTE: Before setting up users to use Single Sign-On, ensure that you have configured Single Sign-On for your team.

Create a user who will use Corporate Login:

  1. In the Top navigation, go to Users & Groups, hover over Users, then select Create User.


  2. Fill out the rest of the required user settings. Read here for more information on these other settings.
    • Remember that usernames in TrueContext must match usernames in your IdP, or you must have a proper Username Suffix configured. If you set up a Username Suffix (for example “@yourcompany.com”), include it at the end of all usernames (for example “username@yourcompany.com”). TrueContext ignores the Username Suffix you set up so that the usernames in both TrueContext and your IdP match.
  3. Select the Must Use Corporate Login checkbox.

This setting affects the following aspects of this user's experience when using TrueContext:

  • Password: Since this user will not be logging in with their TrueContext credentials, you will no longer see an option to set or change their password, as they will not actually have a password.
  • "Forgot Password"/Password Reset: If a user has forgotten their password, they will not be able to set (or reset) a TrueContext password in our system. This will ensure they are forced to use their corporate credentials and don't have an alternate way to log in.


    If they try to use "Forgot Password", they will instead receive an email directing them to contact their Single Sign-On Problem Contact person for help with their corporate credentials.

  • Password Expiry: Users will be exempt from Password Expiry in the TrueContext system, since they do not have a password in our system. If you would like password expiry rules, configure them in your Identity Provider system.
  • Account Lockout: If users enter an incorrect username and password multiple times, their account will not be locked out. If you would like accounts locked out after unsuccessful login attempts, configure this in your Identity Provider's system.
  • Miscellaneous System Emails: In certain cases, our system sends emails to users when they are having trouble logging in. If the user has "Must use Corporate SSO" enabled, our emails will remind them to use their corporate credentials, and direct them to your Single Sign-On Problem Contact for help with those credentials.

Note: You must have at least one Admin user on the team who has this setting OFF. This user can still log in with Corporate Login, but will also be able to have a password. This is for backup purposes.

If a user has already been set up to use Corporate Login only, this setting will show up on their user profile.

Switch an Existing User to "Must use Corporate Login"

Edit an existing user and select the same checkbox. This results in the following:

  1. The user's password is cleared.
  2. The user is sent an email that lets them know of this change and gives directions to log in correctly.

If you want to stop enforcing SSO for a user, you can clear the Must use Corporate Login option. The system prompts them to reset their password.

Note: When a signed-in field user gets switched to Corporate SSO or back to TrueContext credentials, the Mobile App signs them out. This means that all drafts and app settings are deleted, and the user must sign in with their new Corporate login credentials. We recommend that you tell your users about the change before you switch to SSO.

A corporate login (also Single Sign-On or SSO) allows users to sign into the TrueContext Web Portal and apps by authenticating the user's login through an identity provider (IdP), such as Okta or OneLogin. Users must initiate SSO from the TrueContext Web Portal or Mobile App.

Mass Enforce Corporate Login/Single Sign-On

Typically, TrueContext customers set up SSO after many of their users have been using TrueContext for quite some time. In this scenario, it would be difficult to turn on the "Must use Corporate Login" setting for each user individually.

You can Mass Enforce SSO, which turns that setting on for many users at once. 

  1. Go to your Team Settings. The Team Settings page is where an admin can manage their team's account and edit certain information, such as assigning a Problem Contact Email Address, toggling push notifications, and viewing the account's billing information.

  2. Enter the Security tab.

  3. Hover over the Single Sign-On header, and select Mass Enforce SSO.

  4. Choose one of two options:
    • Enforce SSO for everyone except the selected users:
      • Use this when you will be changing most users to "Must use Corporate Login"
    • Enforce SSO for the selected users:
      • Use this when you will only be changing a few users to "Must use Corporate SSO"
  5. Select the appropriate users; find them by typing their names or usernames.

Note: When a signed-in field user gets switched to Corporate SSO, the Mobile App signs them out. This means that all drafts and app settings are deleted, and the user must sign in with their new Corporate login credentials. We recommend that you tell your users about the change before you switch to SSO.

Download SSO User List

Download a list of all the users on the team, including some settings that are specific to Corporate Login/SSO. This should help you determine if your Single Sign-On settings are correctly configured.

  1. Go to your Team Settings.

  2. Go to the Security tab.

  3. Hover over the Single Sign-On header, and select Download SSO User List.

Sample Export

CSV file that shows a list of users and their SSO details. Details include: ProntoForms Username, Name, Email Address, SSO Username, SAML External Alias, and Corporate Sign-In Only.

Fields:

  • ProntoForms Username: This is the username, as entered in TrueContext, and the Username Suffix, if set up.

    Info: We're now TrueContext.

    To support both new and existing integrations, TrueContext CSV exports continue to use ProntoForms in column headers.

    For more detailed information about what’s changing, visit https://support.truecontext.com/hc/en-us/articles/19516168513556

  • Name: User’s first and last name.

  • Email Address: User’s email.

  • SSO Username: This must match the IdP username.

  • SAML External Alias: This is only used when the username and suffix combination is not flexible enough to map the user to a username in your Identity Provider system. You set it up by adding an alias to the user and entering "saml" as the system. The alias must exactly match their IdP username.

  • Corporate Sign-On Only: If "TRUE", then the user is set up as "Must Use Corporate SSO."
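
One way to review the downloaded SSO User List against a list of usernames exported from your IdP, covering both the Username Suffix rule and the export fields described above (an added example, not TrueContext tooling). The header names come from the field list on this page; the sample rows, the IdP username set, the function name audit_sso_export, and the rule that a SAML External Alias takes precedence over the SSO Username are assumptions.

```python
import csv
import io

# Constructed sample export; header names follow the field list on this page.
SAMPLE_EXPORT = """\
ProntoForms Username,Name,Email Address,SSO Username,SAML External Alias,Corporate Sign-On Only
janedoe@yourcompany.com,Jane Doe,jane@yourcompany.com,janedoe,,TRUE
bsmith@yourcompany.com,Bob Smith,bob@yourcompany.com,bsmith,,TRUE
rlee@yourcompany.com,Rita Lee,rita@yourcompany.com,rlee,rita.lee,TRUE
contractor1,Cam Ortiz,cam@example.net,contractor1,,FALSE
admin@yourcompany.com,Team Admin,admin@yourcompany.com,admin,,FALSE
"""
# Constructed set of usernames as they exist in the IdP.
SAMPLE_IDP_USERS = {"janedoe", "rita.lee", "admin"}


def audit_sso_export(csv_text, idp_users, suffix=""):
    """Return findings as {finding_name: [ProntoForms Username, ...]}."""
    findings = {"not_in_idp": [], "missing_suffix": [], "password_login_allowed": []}
    for raw in csv.DictReader(io.StringIO(csv_text)):
        # Trim whitespace and ignore any overflow columns (key None).
        row = {k.strip(): (v or "").strip() for k, v in raw.items() if k}
        user = row["ProntoForms Username"]
        # The page shows this header as both "Sign-On" and "Sign-In"; accept either.
        flag = row.get("Corporate Sign-On Only") or row.get("Corporate Sign-In Only", "")
        enforced = flag.upper() == "TRUE"
        # Assumption: a SAML alias, when set, is the value matched against the IdP.
        idp_name = row["SAML External Alias"] or row["SSO Username"]
        if enforced and idp_name not in idp_users:
            # SSO-only user with no matching IdP account: has no way to sign in.
            findings["not_in_idp"].append(user)
        if suffix and not user.endswith(suffix):
            # The page says the suffix must be added to all usernames on the team.
            findings["missing_suffix"].append(user)
        if not enforced:
            # Can still sign in with a TrueContext password; confirm this is
            # an expected contractor or the backup Admin account.
            findings["password_login_allowed"].append(user)
    return findings


if __name__ == "__main__":
    report = audit_sso_export(SAMPLE_EXPORT, SAMPLE_IDP_USERS, "@yourcompany.com")
    for name, users in report.items():
        print(f"{name}: {users}")
```

The IdP comparison is case-sensitive because the page requires an exact match; pass an empty suffix if your team has no Username Suffix configured.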