Introduction
Implementing Single Sign On (SSO) for an instance of the Chronus platform is the act of integrating the interface used to log into a customer's private network. Once integration is complete, users are authenticated and can sign onto the Chronus platform using their personal organization credentials, the same user name and password they use to sign onto the organization's private network.
Why it matters: SSO provides ease of access for users, removing those extra clicks and barriers to entry such as having to use a different login, set up a password and remember the password each time they sign on.
If your organization has purchased this integration, the steps below can be shared with your organization's IT team responsible for partnering with the Chronus Support Team to implement SSO.
Initiating SSO Integration
SSO implementation begins with the customer's IT contact completing a simple SSO questionnaire via a Google form provided by Chronus. This questionnaire is typically shared with you by your Chronus team, but you can also share this article with your team to get the process moving forward. It includes the questionnaire link and other helpful information.
Included in the questionnaire is a link to this downloadable resource on the SAML 2.0 configuration and workflow:
Best Practice for Admins: You are the best person to ensure that this process is implemented in a timely manner. Communicate with your IT contact to help move the process forward if needed. Though the Chronus Support Team will be in contact with your IT team, you will have more influence as the program admin from within the organization.
Your IT contact or team may request a meeting with the Chronus Support Team contact to discuss questions and/or complexities regarding the integration. We are more than happy to set up or attend a meeting to discuss your organization's specific needs.
SSO Implementation Process
Once the SSO Questionnaire has been completed, the admin or the customer IT contact should reach out to the Chronus Support Team. The Chronus Support Team will now have the information needed to begin the SSO setup outlined in the steps below.
Step 1: Customer IDP Metadata
This metadata is provided by the organization's IT contact as part of the SSO Questionnaire. This information provides the unique identifier that the SSO integration will use to identify whether or not the user is within your organization, and can therefore have access to the Chronus platform using the same sign-on credentials.
Step 2: SP Metadata shared by Chronus
Once the IDP metadata is shared by the customer, Chronus will configure it on the platform, and then provide the SP metadata XML file to the customer to integrate.
Step 3: Customer Tests login
Once the SP metadata is configured by the customer, Chronus will turn on SSO so that the customer can test by signing on. It might be helpful to have user accounts created on the Chronus platform for anyone testing SSO. This is not necessary but will allow them to get past the message that they do not have an account and should contact a program administrator.
Changes to User Emails or UUIDs:
Email is UUID:
If a user's organization email has changed, it must be edited in their profile on the platform. The user cannot simply change their email on their profile and expect to log in.
Here is how to change the user email in two places:
Step 1: Search for the user using the search function in your top title bar, then click to open their profile.
Step 2: Click 'Edit [User Name]'s Profile' on the tile to the right. Change their email.
Step 3: Click on 'Login information UUID' to change/add their email here.
UUID is not Email:
If the user's SSO login access depends on some employee identification other than email, you will only need to take Step 3 as shown above, after accessing the user's profile.
Troubleshooting
Issue: Admin or user receives an error message and cannot access Chronus via SSO: "Login failed. Try again."
Troubleshooting steps:
Step 1: Reconfirm that SSO has been configured successfully and check for the test login.
Step 2: View the recent SAML response and check for its status and the error message.
Step 3:
If the SAML response status is “SUCCESS”, proceed to check the SSO UUID of the user. The SSO UUID could be their email, employee ID, etc. Ensure that our configuration captures the exact NameID from the SAML response.
If the SAML response status is “FAILED”, then check the error message prompt, which will help us identify the issue. E.g.: If the error message is “Invalid Signature on SAML response”
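The check in Steps 2 and 3, as an added Python example that is not Chronus code or tooling: it decodes a captured base64 SAMLResponse, reads the status, and compares the NameID exactly with the UUID stored on the user's profile. The function names, the sample responses, and the mapping of the SAML 2.0 Success status URI to the “SUCCESS”/“FAILED” labels are assumptions; the script does not validate the signature.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def triage_saml_response(b64_response, configured_uuid):
    """Read status and NameID from a captured SAMLResponse.

    Diagnostic aid only: it does NOT validate the XML signature, so never
    use its output to make an authentication decision.
    """
    xml = base64.b64decode(b64_response)
    if b"<!DOCTYPE" in xml:  # refuse DTDs/entities in untrusted XML
        raise ValueError("DOCTYPE not allowed in a SAML response")
    root = ET.fromstring(xml)
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    status = code.get("Value") if code is not None else None
    if status != SUCCESS:  # assumed to correspond to "FAILED" on the page
        msg = root.findtext("samlp:Status/samlp:StatusMessage", "", NS)
        return {"status": "FAILED", "name_id": None, "finding": msg or str(status)}
    name_id = root.findtext("saml:Assertion/saml:Subject/saml:NameID", None, NS)
    if name_id is None:
        finding = "no NameID in assertion"
    elif name_id == configured_uuid:
        finding = "NameID matches configured UUID"
    elif name_id.strip().lower() == configured_uuid.strip().lower():
        finding = "NameID differs only in case or whitespace"
    else:
        finding = "NameID does not match configured UUID"
    return {"status": "SUCCESS", "name_id": name_id, "finding": finding}


def build_sample(status_uri, name_id=None, message=None):
    """Constructed, unsigned sample response (not real IdP output)."""
    msg = f"<samlp:StatusMessage>{message}</samlp:StatusMessage>" if message else ""
    assertion = (f"<saml:Assertion><saml:Subject><saml:NameID>{name_id}"
                 "</saml:NameID></saml:Subject></saml:Assertion>") if name_id else ""
    doc = (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}">'
           f'<samlp:Status><samlp:StatusCode Value="{status_uri}"/>{msg}'
           f"</samlp:Status>{assertion}</samlp:Response>")
    return base64.b64encode(doc.encode()).decode()


if __name__ == "__main__":
    ok = build_sample(SUCCESS, "Jane.Doe@example.com")
    print(triage_saml_response(ok, "jane.doe@example.com"))
```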
Issue: Your administrator may have configured the application Chronus to block users unless they are specifically granted access to the application.
The signed in user is blocked because they are not a direct member of a group with access, nor had access directly assigned by an administrator. Please contact your administrator to assign access to this application.
Or -
If the application has been set up to use Azure AD for identity management using SAML-based Single Sign-On (SSO), then the error message indicates that the user hasn't been granted access to the application in Azure AD. The user must belong to a group that is assigned to the application, or be assigned directly.
Please reach out to your IT/Azure team to add the users into the user group.