Enabling Single Sign-On (SSO) in Backblaze Groups
The present pandemic of proliferating passwords poses problems for users and administrators alike; administrators need certainty that sign-on credentials are used only by those who ought to use them, and users face a deluge of sites requiring sign-on credentials. Administrators press users for complex, unique passwords, while users struggle to manage the ever-increasing number of these arbitrarily complex passwords.
The Single Sign On Solution
One response to this is to use a single secure credential across multiple websites and applications. Instead of logging in with an identity that is unique to each site, many sites now permit logging on via a credential from a third party who vouches for that person’s identity.
Backblaze Support for Single Sign On Providers
Backblaze currently allows users in the following authentication domains to use single sign-on.
- Google GSuite
- Microsoft Office 365
These providers can also allow single sign on, accepting a credential from another trusted provider. Therefore, an SSO credential that works with the providers above can also enable access to Backblaze.
As an example, consider this situation: GSuite can accept SSO credentials from third parties. Imagine a GSuite SSO domain that accepts credentials from (fictional) third-party provider CredibleNow. Although Backblaze does not accept CredibleNow’s credential directly, Backblaze SSO does accept GSuite’s credential. When the user logs on to Backblaze, Backblaze requests a credential from GSuite, and GSuite, because it accepts CredibleNow’s credential, sends the requested authorization. The user has single sign-on from CredibleNow indirectly.
Please be aware of these limitations:
- Third-party authentication works directly only with the authentication domains listed above
- All users in the SSO-enabled group must use SSO to sign on
- All users in the group must have an email address from the same provider that works with SSO; if a group uses GSuite (for example), all users within the group must authenticate with GSuite (although multiple GSuite domains are acceptable)
- SSO should be turned on only if all existing users in the group have an account in the authentication domain. If an existing user has an email address that is unable to provide the correct credential, that user will be unable to log in
- Once SSO is turned on, user emails that are not in the authentication domain cannot be added to the group as they would be unable to log on
Backblaze invites administrators to begin with a small test group to ensure everything goes smoothly.
Enabling a Group with SSO
1. Check the group members to be certain that all users’ email addresses are within an SSO domain. Members can be within different domains as long as Backblaze supports SSO with each of those domains.
2. Turn on SSO, and specify the provider.
3. Enter the provider’s domains this group should support in the Automatically Accepted Domains section of the dialog.
4. Scroll all the way down to the bottom and click the Update Group button to save the changes.
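Step 1 above, together with the limitations listed earlier (every member must have an address in an accepted domain, or they will be unable to log in once SSO is on), is the check most worth doing mechanically before flipping the setting. The script below is an added example, not Backblaze tooling: it assumes the administrator has exported the group's member list (a constructed sample is embedded here) and knows which domains will be entered under Automatically Accepted Domains. Matching is an exact, case-insensitive comparison of the domain part; treating subdomains as distinct unless they are listed explicitly is a conservative assumption of this example, not a documented Backblaze rule.

```python
"""Pre-flight check before enabling SSO on a Backblaze Group.

Added example, not Backblaze's own tooling. It assumes the administrator
has an exported member email list and a planned list of accepted domains.
"""
from typing import List, Optional, Tuple

# Constructed sample data: domains the admin plans to enter in the
# "Automatically Accepted Domains" section, and the current member list.
ACCEPTED_DOMAINS = ["example.com", "sub.example.com"]
MEMBERS = [
    "alice@example.com",
    "Bob@EXAMPLE.com",            # case differs, still the same domain
    "carol@sub.example.com",      # second accepted domain
    "dave@personal-mail.test",    # not in any accepted domain: would be locked out
    "eve@example.com.evil.test",  # looks similar but is a different domain
    "not-an-email",               # malformed entry, also flagged
]


def email_domain(address: str) -> Optional[str]:
    """Return the lower-cased domain part of an address, or None if malformed."""
    addr = address.strip()
    if addr.count("@") != 1:
        return None
    local, domain = addr.split("@")
    if not local or not domain or "." not in domain:
        return None
    return domain.lower()


def check_members(members: List[str],
                  accepted_domains: List[str]) -> Tuple[List[str], List[str]]:
    """Split members into those who can use SSO and those who would be locked out.

    Only an exact domain match counts (assumption of this example): a
    subdomain is accepted only if it appears in the accepted list itself.
    """
    accepted = {d.strip().lower() for d in accepted_domains}
    ok, blocked = [], []
    for member in members:
        domain = email_domain(member)
        if domain is not None and domain in accepted:
            ok.append(member)
        else:
            blocked.append(member)
    return ok, blocked


def safe_to_enable(members: List[str], accepted_domains: List[str]) -> bool:
    """True only when every member's address is in an accepted domain."""
    _, blocked = check_members(members, accepted_domains)
    return not blocked


if __name__ == "__main__":
    ok, blocked = check_members(MEMBERS, ACCEPTED_DOMAINS)
    print(f"{len(ok)} member(s) can sign on with SSO")
    for member in blocked:
        print(f"FIX BEFORE ENABLING SSO: {member!r} is not in an accepted domain")
    print("safe to enable:", safe_to_enable(MEMBERS, ACCEPTED_DOMAINS))
```

Run it against the real member list before turning SSO on; any address it reports must be moved to an accepted domain, or removed from the group, first. The same check is worth re-running whenever a domain is added to or removed from the accepted list.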
Disabling SSO for the group
This is as simple as logging on to an administrator account, going to the group settings, unselecting the SSO provider, and then clicking the Update Group button at the bottom of the dialog to save the change.
Members of the group will revert to their previous credentials. Users who had enabled 2-factor authentication will return to 2-factor authentication. Members added after SSO was enabled may not have an account password, and will have to reset their password (using the Forgot My Password option on the login screen) before they can log in.
Changing An Email Address in an SSO group
Changing an email address becomes a little more complex, but it is still a straightforward process.
- Remove the old email address from the group. Either the end-user can remove themselves, or the group admin can remove the account
- Sign in to the account (either with the old credentials, or by using the Forgot Password reset path), and change the email address to the new email address
- Have the group admin re-invite that user into the group with the new email address