This page provides information on how to set up corporate sign in for Chaos login.
Overview
The Chaos web page allows users to create and manage their own password-based accounts and use them to log in. While this works well for individual customers, enterprise customers may want a login experience customized to their internal company requirements. To meet that demand, we have introduced the Corporate Sign In option on the Chaos login page.
The Corporate Sign In feature allows enterprise customers to integrate their own identity provider service (IDP) with the Chaos store. For such customers, user authentication is federated to the customer’s own login page. This offers a number of benefits:
There is no longer a need for company employees to create separate accounts on the Chaos store and remember additional passwords
Through their identity provider service, the company can enforce custom authentication mechanisms that may otherwise not be possible on the Chaos store (e.g. certificate-based login, two-factor authentication)
If the user session expires on the Chaos web page, login is significantly faster if the user already has an active corporate session
A company administrator has much more control over which employees can purchase and use Chaos products on behalf of their company domain. This can be further enhanced through the use of the Self-Service Portal [1]
In addition to centralized authentication, a company can configure a more advanced integration by having a set of users automatically provisioned to the Chaos identity provider service. A more complete Corporate Sign In experience is achieved through the following:
Changes to users' names are automatically applied in the Chaos system
An administrator can centrally deactivate a user in their identity provider service, and that deactivation is automatically applied to the respective user in the Chaos system
Basics
Let's explore the technical aspects of the Corporate Sign In integration. This will help you prepare for the subsequent configuration sections.
OpenID Connect
OpenID Connect is an industry standard for achieving a delegated authentication flow. It builds on top of the OAuth 2.0 protocol by adding the ability to retrieve information about the authenticated user. This is achieved through the propagation of an ID token.
The information that is retrieved from the ID token and used by the Chaos system is as follows:
Given Name – The user’s first name
Family Name – The user’s last name
Email – The user’s work email address
Depending on which fields are available, this information is looked up from a number of claims ("name", "given_name", "family_name", "email", "upn") in the ID token.
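The claim mapping described above, as an added example that is not Chaos code. It takes the claims of an ID token that the OIDC client library has already validated and derives the three fields listed; the fallback order (name claims first, then the display "name"; "email" first, then "upn") is an assumption, since the page only lists which claims may be consulted. The sample claim sets are constructed.

```python
# Added example, not Chaos code: map the claims of an already-validated OpenID
# Connect ID token to the three fields listed above. The lookup order is an
# assumption; the page only lists which claims may be consulted.
from dataclasses import dataclass
from typing import Optional


@dataclass
class ChaosIdentity:
    given_name: Optional[str]
    family_name: Optional[str]
    email: Optional[str]


def _clean(value) -> Optional[str]:
    """Return a stripped, non-empty string, or None for missing/blank claims."""
    if isinstance(value, str) and value.strip():
        return value.strip()
    return None


def identity_from_claims(claims: dict) -> ChaosIdentity:
    """Derive Given Name, Family Name and Email from ID-token claims.

    Signature, issuer, audience, nonce and expiry checks must already have
    been done by the OIDC client library; this function only reads claims.
    Assumed fallback order:
      given_name/family_name, else the display "name" claim split on spaces;
      email, else "upn" when it has the shape of an email address.
    """
    given = _clean(claims.get("given_name"))
    family = _clean(claims.get("family_name"))
    if given is None or family is None:
        parts = (_clean(claims.get("name")) or "").split()
        if parts:
            given = given or parts[0]
            if family is None and len(parts) > 1:
                family = " ".join(parts[1:])
    email = _clean(claims.get("email"))
    if email is None:
        upn = _clean(claims.get("upn"))
        if upn and "@" in upn:
            email = upn
    # Email addresses are compared case-insensitively, so normalise once here.
    return ChaosIdentity(given, family, email.lower() if email else None)


# Constructed sample claim sets (no real users or tenants).
SAMPLE_CLAIMS_FULL = {
    "sub": "constructed-subject-1",
    "given_name": "Ada",
    "family_name": "Lovelace",
    "email": "Ada.Lovelace@Example.com",
}
SAMPLE_CLAIMS_UPN_ONLY = {
    "sub": "constructed-subject-2",
    "name": "Grace Brewster Hopper",
    "upn": "grace.hopper@example.com",
}

if __name__ == "__main__":
    print(identity_from_claims(SAMPLE_CLAIMS_FULL))
    print(identity_from_claims(SAMPLE_CLAIMS_UPN_ONLY))
```

A "upn" value that is not an email address (for example a DOMAIN\user form) is deliberately not accepted as the email, since the Chaos account is keyed by a work email address.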
SCIM
SCIM is another popular standard that works well alongside OpenID Connect. While OpenID Connect delegates authentication to an external identity provider service, it does not provide a way for the target system to be informed of user state changes in the enterprise’s identity provider. SCIM fills that gap by managing user provisioning from the customer’s identity provider service to the target system.
The information processed by the Chaos system as part of the provisioning process is as follows:
Given Name – The user’s first name
Family Name – The user’s last name
Email – The user’s work email address
Username – The user’s unique identifier in the enterprise’s system
This is only used to satisfy SCIM requirements
This username cannot be used to log in to the Chaos web page
External ID – Optional identifier used for SCIM provisioning
Active – The user’s active state; a user deactivated in the source system has this field set to "false".
A deactivated user is retained in the Chaos system but cannot log in or use any resources until reactivated.
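The field mapping above, as an added example that is not Chaos code. It validates a SCIM 2.0 User resource (RFC 7643), extracts exactly the attributes listed, and applies the "active" rule: a deactivated user keeps its record but cannot log in. The preference for the primary or work email and the default for a missing "active" attribute are assumptions; the sample resource is constructed.

```python
# Added example, not Chaos code: map a SCIM 2.0 User resource (RFC 7643) to the
# fields listed above and apply the "active" semantics. The choice of primary
# email and the default for a missing "active" attribute are assumptions.
import json
from dataclasses import dataclass
from typing import Optional

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"


@dataclass
class ProvisionedUser:
    username: str            # required by SCIM; not usable for Chaos login
    external_id: Optional[str]
    given_name: Optional[str]
    family_name: Optional[str]
    email: Optional[str]
    active: bool


def primary_email(emails) -> Optional[str]:
    """Prefer the entry marked primary, then type "work", then the first one."""
    if not emails:
        return None
    for pick in (lambda e: e.get("primary") is True,
                 lambda e: e.get("type") == "work",
                 lambda e: True):
        for entry in emails:
            if pick(entry) and entry.get("value"):
                return entry["value"].strip().lower()
    return None


def user_from_scim(resource: dict) -> ProvisionedUser:
    """Validate the schema and pull out the attributes Chaos cares about."""
    if SCIM_USER_SCHEMA not in resource.get("schemas", []):
        raise ValueError("not a SCIM 2.0 User resource")
    username = resource.get("userName")
    if not username:
        raise ValueError("userName is required by SCIM")
    name = resource.get("name") or {}
    return ProvisionedUser(
        username=username,
        external_id=resource.get("externalId"),
        given_name=name.get("givenName"),
        family_name=name.get("familyName"),
        email=primary_email(resource.get("emails")),
        active=bool(resource.get("active", True)),  # assumed default when absent
    )


def parse_scim_user(text: str) -> ProvisionedUser:
    """Convenience wrapper for a JSON request body."""
    return user_from_scim(json.loads(text))


def can_log_in(user: ProvisionedUser) -> bool:
    """A deactivated user is kept, but cannot log in until reactivated."""
    return user.active and user.email is not None


# Constructed sample resource, as an IdP's SCIM client might send it.
SAMPLE_SCIM_USER = json.dumps({
    "schemas": [SCIM_USER_SCHEMA],
    "externalId": "constructed-ext-001",
    "userName": "ada.l",
    "name": {"givenName": "Ada", "familyName": "Lovelace"},
    "emails": [
        {"value": "ada.personal@mail.example", "type": "home"},
        {"value": "Ada.Lovelace@example.com", "type": "work", "primary": True},
    ],
    "active": True,
})

if __name__ == "__main__":
    user = parse_scim_user(SAMPLE_SCIM_USER)
    print(user, "can log in:", can_log_in(user))
```

Note that the SCIM userName ("ada.l" in the sample) is carried along only because SCIM requires it; the Chaos login identity is the work email address.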
Getting Started
Using Corporate Sign In
If the Corporate Sign In feature is enabled for your company, your employees can use the following login workflow to authenticate to the Chaos web page.
On the Chaos login page, a Continue with corporate email button is available.
Once selected, the user is asked to input their email address.
Chaos uses the domain name of the email address to determine which Corporate Sign In integration to use. Based on that, the user is redirected to log in to the relevant identity provider service.
For example, for Azure this looks as follows:
By default, the Chaos login form forwards the email address to the corporate identity provider’s login page. If your identity provider does not use email addresses for login, this forwarding can be disabled, which allows a username or another identifier to be used on your identity provider’s login page instead.
It is important that, once the user logs in to the corporate identity provider, the email returned in the OpenID Connect ID token is identical to the email entered on the Corporate Sign In page.
Once the user has logged in on the corporate login page, they are redirected back to the Chaos login page, where a session is established. The user can now use the Chaos web page as though they had logged in with a password.
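The login-side routing of the workflow above, as an added example that is not Chaos code: the email domain selects the integration, the user is redirected to that provider's OIDC authorization endpoint, and after the round trip the email in the ID token is compared with the one the user typed. The integration table is constructed with placeholder values, and forwarding the email through the standard OIDC "login_hint" parameter is an assumption about how the forwarding could be implemented; the page only says the address is forwarded.

```python
# Added example, not Chaos code: the login-side routing of the workflow above,
# modelled with a constructed integration table. Forwarding the email via the
# standard OIDC "login_hint" parameter is an assumption.
from urllib.parse import urlencode

# Constructed: one integration per corporate domain (placeholders, not real IdPs).
INTEGRATIONS = {
    "example.com": {
        "authorize_url": "https://idp.example.com/oauth2/authorize",
        "client_id": "PLACEHOLDER-CLIENT-ID",
        "forward_email": True,   # default: the email is forwarded to the IdP
    },
    "example.org": {
        "authorize_url": "https://sso.example.org/authorize",
        "client_id": "PLACEHOLDER-CLIENT-ID",
        "forward_email": False,  # IdP logs users in by username; forwarding disabled
    },
}


def email_domain(email: str) -> str:
    """Return the lower-cased domain part of an email address."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("not an email address")
    return domain.lower()


def resolve_integration(email: str):
    """Pick the Corporate Sign In integration by email domain, or None."""
    return INTEGRATIONS.get(email_domain(email))


def build_authorize_url(email, integration, redirect_uri, state, nonce) -> str:
    """Build the OIDC authorization-code request the user is redirected to."""
    params = {
        "response_type": "code",
        "scope": "openid profile email",
        "client_id": integration["client_id"],
        "redirect_uri": redirect_uri,
        "state": state,   # anti-CSRF value bound to the browser session
        "nonce": nonce,   # must be echoed back inside the ID token
    }
    if integration["forward_email"]:
        params["login_hint"] = email.strip().lower()
    return integration["authorize_url"] + "?" + urlencode(params)


def email_matches(entered: str, token_email: str) -> bool:
    """The ID-token email must equal the address entered on the Chaos page."""
    return entered.strip().lower() == token_email.strip().lower()


if __name__ == "__main__":
    entered = "Ada@Example.com"
    integration = resolve_integration(entered)
    print(build_authorize_url(entered, integration,
                              "https://chaos.example/callback", "state-1", "nonce-1"))
    print(email_matches(entered, "ada@example.com"))
```

If `email_matches` returns false after the redirect, the session should not be established: the account that would be bound is not the one the user asked for, which is exactly the mismatch the note above warns about.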
Requesting Corporate Sign In
Before Corporate Sign In is enabled for your company, make sure that you have read and agree to the terms of use, privacy statement and EULA related to this feature.
To have the feature enabled, as an administrator, open a Support ticket with Chaos or contact your Chaos Key Account Manager and request that Corporate Sign In be set up for your company. The process continues with a number of configurations in the Chaos system and with the exchange of the credentials required for the two systems (your company's and Chaos') to communicate securely. These vary depending on the identity provider service used.
Configuring Corporate Sign In
Once your administrator has requested Corporate Sign In, they need to apply a number of configurations in the identity provider service used by your company. The Corporate Sign In feature is currently available to enterprise customers that use one of the following user management solutions:
As the integration models differ slightly for each provider, make sure to check the relevant documentation section.
Limitations
As Corporate Sign In is still a new feature, there are some limitations to be aware of.
Single Domain Support
Corporate Sign In works on the basis of corporate domain names: the Chaos web page uses the domain name of the user’s email address to determine which login workflow to use. More information is available in the Using Corporate Sign In section.
Currently, a company can be represented by only one domain name within the Chaos system. Attempts to log in with an alternative domain name do not work. Users with such addresses are not provisioned to the Chaos system, apart from any metadata that must be stored for SCIM to function correctly.
User Deletion
If a user is deleted in the source identity provider service, SCIM also deletes that user from the Chaos intermediate SCIM storage. However, the actual Chaos user is only disabled. To have the user permanently deleted, the corporate administrator should contact Chaos Support.
Email Update
If a user’s email address is changed and user provisioning is enabled, the user in our system with the old email address is deactivated and a new user is created for the new email address. The administrator of your organization should open a support ticket to request the transfer of any licenses from the old user to the new one. If the Self-Service Portal is used, this can be done through the Self-Service Portal dashboard.
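A toy model of the provisioning outcomes described in this Limitations section (single-domain filtering, deactivation, and the email-change behaviour above), as an added example that is not Chaos code. Keying Chaos users by email and SCIM records by externalId is an assumption made for the model; the `transfer_licenses` method stands in for the manual step done through Support or the Self-Service Portal. All identifiers are constructed.

```python
# Added example, not Chaos code: a toy model of the provisioning outcomes this
# page describes. Keying Chaos users by email and SCIM records by externalId
# is an assumption made for the model.
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class ChaosUser:
    email: str
    active: bool = True
    licenses: List[str] = field(default_factory=list)


class ProvisioningStore:
    def __init__(self, company_domain: str):
        self.company_domain = company_domain.lower()
        self.users: Dict[str, ChaosUser] = {}            # email -> Chaos user
        self.bound_email: Dict[str, Optional[str]] = {}  # externalId -> email

    def apply(self, external_id: str, email: str, active: bool = True) -> str:
        """Process one SCIM create/update and return what happened."""
        email = email.strip().lower()
        if email.rpartition("@")[2] != self.company_domain:
            # Alternative domain: keep SCIM bookkeeping only, no Chaos user.
            self.bound_email.setdefault(external_id, None)
            return "ignored"
        previous = self.bound_email.get(external_id)
        if previous is not None and previous != email:
            # Email update: old user is deactivated, a new user is created
            # with no licenses; licenses stay with the old user until moved.
            self.users[previous].active = False
            self.users.setdefault(email, ChaosUser(email)).active = active
            self.bound_email[external_id] = email
            return "replaced"
        user = self.users.setdefault(email, ChaosUser(email))
        user.active = active   # active=False keeps the record but blocks login
        self.bound_email[external_id] = email
        return "provisioned" if active else "deactivated"

    def transfer_licenses(self, old_email: str, new_email: str) -> int:
        """The manual step requested via Support or the Self-Service Portal."""
        old = self.users[old_email.strip().lower()]
        new = self.users[new_email.strip().lower()]
        moved = len(old.licenses)
        new.licenses.extend(old.licenses)
        old.licenses.clear()
        return moved


if __name__ == "__main__":
    store = ProvisioningStore("example.com")
    print(store.apply("ext-1", "ada@example.com"))
    store.users["ada@example.com"].licenses.append("LICENSE-PLACEHOLDER")
    print(store.apply("ext-1", "ada.lovelace@example.com"))   # email changed
    print(store.transfer_licenses("ada@example.com", "ada.lovelace@example.com"))
    print(store.apply("ext-2", "bob@other.example"))          # alternative domain
```

The model makes the practical consequence visible: after an email change the new account starts with no licenses, so the transfer step is required before the user can work, and the old, now inactive account is the one that still holds them until then.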
Single Sign Out
Logging out of Chaos does not log the user out of their corporate identity provider or of other applications that were accessed through that identity provider.
Footnotes
1. – The Self-Service Portal is enabled upon client request. If you are interested, please contact your Chaos Account Manager or get in touch with us at: https://www.chaosgroup.com/help/contact/sales