Administrators often require complex, unique passwords, while users struggle to manage a different password for each service. Single sign-on (SSO) has become a popular way to keep the security administrators want while giving end users a simpler login experience.
The Single Sign-On Solution
Instead of requiring a separate account and password for each site, many sites now permit logging on with a credential from a third party (an identity provider) that vouches for that person’s identity.
Backblaze Support for Single Sign-On Providers
Backblaze currently allows users in the following authentication domains to use single sign-on.
- Google GSuite
- Microsoft Office 365
These providers can themselves accept a credential from another trusted identity provider; popular options include Okta and OneLogin. An SSO credential that works with one of the providers above can therefore also grant access to Backblaze.
As an example, consider this situation: GSuite can accept SSO credentials from third parties, so a GSuite SSO domain may accept credentials from Okta or OneLogin. Although Backblaze does not accept Okta’s or OneLogin’s credentials directly, Backblaze SSO does accept GSuite’s credential. When the user logs on to Backblaze, Backblaze requests a credential from GSuite, and GSuite, because it accepts Okta’s or OneLogin’s credentials, returns the requested authorization. The user therefore has single sign-on from Okta or OneLogin indirectly.
Please be aware of these limitations:
- Third-party authentication works directly only with the authentication domains listed above.
- All users in the SSO-enabled group must use SSO to sign on.
- All users in the group must have an email address from the same SSO-supported provider; if a group uses GSuite (for example), all users within the group must authenticate with GSuite (although multiple GSuite domains are acceptable).
- SSO should be turned on only if all existing users in the group have an account in the authentication domain. An existing user whose email address cannot produce the correct credential will be unable to log in.
- Once SSO is turned on, user emails that are not in the authentication domain cannot be added to the group, as those users would be unable to log on.
Backblaze invites administrators to begin with a small test group to ensure everything goes smoothly.
Enabling a Group with SSO
1. Check the group members to be certain that all users’ email addresses are within an SSO domain. Members can be in different domains as long as Backblaze supports SSO with each of those domains.
2. Turn on SSO, and specify the provider.
3. Enter the provider’s domains this group should support in the Automatically Accepted Domains section of the dialog.
4. Scroll all the way down to the bottom and click the Update Group button to save the changes.
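Step 1 above, together with the limitations listed earlier, amounts to one check: every member’s email domain must appear in the list that will go into Automatically Accepted Domains, or that member is locked out the moment SSO is turned on. The following is an added example (not Backblaze’s code or part of this article) of a pre-flight script that performs that check on a constructed member list. It assumes exact, case-insensitive matching on the domain part of the address and treats subdomains as distinct domains, which mirrors the page’s note that multiple GSuite domains must each be listed.

```python
"""Pre-flight check before enabling SSO on a group (added example, not Backblaze code).

Given the group's member addresses and the domains that will be entered in
"Automatically Accepted Domains", report which members would be locked out.
"""
from typing import Dict, Iterable, List

# Constructed sample data for illustration only.
SAMPLE_ACCEPTED_DOMAINS = ["example.com", "Sales.example.com"]
SAMPLE_MEMBERS = [
    "alice@example.com",
    "Bob@EXAMPLE.com",            # domain matching is case-insensitive
    "carol@sales.example.com",    # a second, explicitly listed domain
    "dave@contractor.example",    # not in any accepted domain
    "not-an-email",               # malformed address, also reported
]


def email_domain(email: str) -> str:
    """Return the lower-cased domain part of an address, or '' if malformed."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain:
        return ""
    return domain.lower()


def check_group_for_sso(members: Iterable[str],
                        accepted_domains: Iterable[str]) -> Dict[str, List[str]]:
    """Split members into those covered by an accepted domain and those who are not.

    Assumption of this example: the match is exact on the domain part
    (case-insensitive). A subdomain is not covered by its parent domain, so
    each domain the group uses must be listed explicitly.
    """
    accepted = {d.strip().lower().lstrip("@") for d in accepted_domains if d.strip()}
    ok: List[str] = []
    locked_out: List[str] = []
    for member in members:
        domain = email_domain(member)
        if domain and domain in accepted:
            ok.append(member)
        else:
            locked_out.append(member)
    return {"ok": ok, "locked_out": locked_out}


def safe_to_enable(report: Dict[str, List[str]]) -> bool:
    """True only when no member would lose access after SSO is turned on."""
    return not report["locked_out"]


if __name__ == "__main__":
    result = check_group_for_sso(SAMPLE_MEMBERS, SAMPLE_ACCEPTED_DOMAINS)
    for addr in result["locked_out"]:
        print(f"would be locked out: {addr}")
    print("safe to enable SSO" if safe_to_enable(result)
          else "do NOT enable SSO yet: fix or remove the addresses above")
```

Run it against the real member export before step 2; anyone listed as locked out must either be moved to an accepted domain (see the email-change procedure below) or removed from the group first. Because a user added after SSO is enabled may never have set an account password, resolving these cases before enabling SSO is simpler than recovering access afterwards.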
Disabling SSO for the group
Log on to an administrator account, open the group settings, unselect the SSO provider, and click the Update Group button at the bottom of the dialog to save the change.
Members of the group will revert to their previous credentials. Users who had enabled 2-factor authentication will return to 2-factor authentication. Members added after SSO was enabled may not have an account password, and will have to reset their password (using the Forgot My Password option on the login screen) before they can log in.
Changing an Email Address in an SSO Group
Changing an email address takes a few more steps, but it is still a straightforward process.
- Remove the old email address from the group. Either the end user can remove themselves, or the group admin can remove the account.
- Sign in to the account (either with the old credentials or by using the Forgot Password reset path) and change the email address to the new one.
- Have the group admin re-invite that user into the group with the new email address.