Enabling Single Sign-On (SSO) in Backblaze Groups
The present pandemic of proliferating passwords poses problems for users and administrators alike; administrators need certainty that sign-on credentials are used only by those who ought to use them, and users face a deluge of sites requiring sign-on credentials. Administrators press users for complex, unique passwords, while users struggle to manage the ever-increasing number of these arbitrarily complex passwords.
The Single Sign On Solution
One response to this is to use a single secure credential across multiple websites and applications. Instead of logging in with an effectively unique identity, many sites now permit logging on with a credential from a third party who vouches for that person’s identity.
Backblaze Now Supports Google’s G Suite OAuth 2.0 Authentication
Because Backblaze asks Google G Suite to authenticate the user, any means of authenticating a user with G Suite will work (G Suite itself works with several third-party authentication methods).
Please be aware of these limitations:
- Third-party authentication works only with Google’s G Suite
- All users in the SSO-enabled group must use SSO to sign on
- All users in the group must have an email address in the G Suite domain(s) for the company:
  - SSO should be turned on only if all existing users in the group have an email with a G Suite domain. If an existing user has an email address that is not in a G Suite domain, that user will be unable to log in.
  - Once SSO is turned on, user emails that are not in a G Suite domain cannot be added to the group
Backblaze suggests implementing with a small test group to ensure everything goes smoothly.
Enabling a Group with SSO
1. Check the group members to be certain that all users’ email addresses are within an SSO domain. Members can be within different domains as long as Backblaze supports SSO with that domain.
2. Turn on SSO.
3. Enter the G Suite domains this group should support in the Automatically Accepted Domains section of the dialog.
4. Scroll all the way down to the bottom and click the Update Group button to save the changes.
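The member check in the first step can be scripted before SSO is switched on. The sketch below is an added example, not Backblaze code: it assumes the group's member list is available as CSV text with an `email` column (a hypothetical export format) and that a domain must match an accepted domain exactly, which is the strictest reading of the limitations above.

```python
import csv
import io

def email_domain(address):
    """Return the lower-cased domain of an address, or None if malformed."""
    address = address.strip()
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain or "@" in local or " " in address:
        return None
    return domain.lower().rstrip(".")

def sso_preflight(member_csv, accepted_domains):
    """Split members into (ready, blocked) before SSO is enabled.

    Assumption: only an exact domain match counts, so a subdomain or a
    look-alike such as notexample.com is reported as blocked.
    """
    accepted = {d.strip().lower().rstrip(".") for d in accepted_domains}
    ready, blocked = [], []
    for row in csv.DictReader(io.StringIO(member_csv)):
        email = (row.get("email") or "").strip()
        domain = email_domain(email)
        if domain in accepted:
            ready.append(email)
        elif domain is None:
            blocked.append((email, "malformed address"))
        else:
            blocked.append((email, f"domain {domain} not accepted"))
    return ready, blocked

# Constructed sample data: member export and the domains that would be
# entered under Automatically Accepted Domains.
SAMPLE_MEMBERS = """email
alice@example.com
Bob@Example.COM
carol@eu.example.org
dave@gmail.com
erin@notexample.com
frank.example.com
"""
SAMPLE_DOMAINS = ["example.com", "eu.example.org"]

if __name__ == "__main__":
    ready, blocked = sso_preflight(SAMPLE_MEMBERS, SAMPLE_DOMAINS)
    print(f"{len(ready)} member(s) ready for SSO")
    for email, reason in blocked:
        print(f"BLOCKED {email}: {reason}")
```

Any member reported as blocked would be unable to log in once SSO is on, so the list should be empty before the Update Group button is clicked.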
Disabling SSO for the group
This is as simple as logging onto an administrator account, going to the group settings, unchecking Group Single Signon, followed by clicking the Update Group button at the bottom of the dialog to save the change.
Members of the group will revert to their previous credentials. Users who had enabled 2-factor authentication will return to 2-factor authentication. Members added after SSO was enabled may not have an account password, and must reset their password (using the Forgot My Password option on the login screen) before they can log in.
Changing An Email Address in an SSO group
Changing an email address becomes a little more complex, but it is still a straightforward process.
- Remove the old email address from the group. Either the end-user can remove themselves, or the group admin can remove the account.
- Sign into the account (either with the old credentials, or by using the Forgot Password reset path), and change the email address to the new G Suite email address
- Have the group admin re-invite that user into the group with the new G Suite email address.