ACEA SSO and Provisioning

Learn more about our single sign-on (SSO) and user provisioning implementations

ACEA’s software supports single sign-on (SSO) and user provisioning as part of our commitment to security and accessibility for our enterprise partners.

Prerequisites

To get started, you will need:

Use Case Scenario Description

In this guide, you will learn about key configuration requirements and considerations for both SSO and provisioning.

  • ACEA supports Service Provider (SP)-initiated SSO and IDP-initiated SSO
  • ACEA supports Just-in-Time (JIT) user provisioning via SSO and automated user provisioning on a sync schedule
  • ACEA uses email as a sign in user identifier
  • Often, it is important to provision a specific group within your IDP and sync specific profile fields with ACEA

Configure SSO with ACEA

ACEA uses SAML-based single sign-on (SSO) to give your members access to our software through an identity provider (IDP) of your choice. Our technology allows for Just-in-Time (JIT) provisioning for new users who sign in via SSO even if they are not in our system yet.

Step 1: Configure your identity provider (IDP) for SSO

You will authenticate ACEA’s CE App as a service provider within your IDP, using a URL endpoint and key that we provide for OpenID Connect (OIDC), or for SAML 2.0 if requested. Please contact us if you need help initiating this process. If possible, also provide us with access to a test account for quality assurance testing.

Depending on your IDP, you may include the following basic information when adding us as an authorized application:

  • Default sign-in method: OpenID Connect (OIDC)

  • Type: Web Application

  • App Name: CE App

  • Logo: Download file here (or select another from our Brand Guidelines)

  • Authorized Sign-in & Base URIs: https://app.myceapp.com/ & https://accounts.myceapp.com/ (full URI will be provided upon setup)

If desired, you can create a group within your IDP so that only a specific subset of your total authorized users can sign in to ACEA’s software.

Step 2: Match user profile data fields

Follow these User Attributes for Data Mapping to allow fields from your IDP to sync correctly to ACEA.

Step 3: ACEA will set up SSO

ACEA’s software team will then integrate SSO within our software for your members and test this integration before launch.

What to expect after SSO is enabled

Once SSO is enabled, your members can sign in to ACEA’s software through your IDP. You will be provided with a branded sign-in link that members use to sign in via SSO. If a user does not exist in our system but signs in via SSO, they will be authorized and added to your organization within ACEA’s software. If a user exists in our system and tries to sign in to ACEA’s software outside of SSO, they will be redirected to sign in via SSO. If provisioning is enabled, we will be able to sync your latest members continuously to avoid any individuals attempting to sign up for an account outside of your organization’s SSO.

Configure SCIM Provisioning with ACEA

ACEA supports member provisioning with the System for Cross-domain Identity Management (SCIM) standard. To use provisioning, ACEA connects with your supported identity provider (IDP) such as Okta or Microsoft Azure Active Directory (Azure AD).

Manage members

With SCIM provisioning set up, you can manage users within ACEA’s software automatically from an external data store attached to your IDP. This allows you to create, update, and disable users in ACEA’s software automatically as your organization does so within your IDP. Synchronization between systems most often runs multiple times per day, so ACEA’s software maintains up-to-date information on your members.

Administrators and Privileges

Admin-level users have enhanced capabilities over end users to manage different users and the organization as a whole. During initial implementation, ACEA will enable an organizational administrator with all admin privileges within our software. Then, the main admin user(s) can upgrade other users to administrators within ACEA’s software and set application-specific privileges for each admin (see this CE App guide). We do not automatically set admin-level privileges via your IDP, which allows your organization more control over the specific access and privileges of each administrator within the settings of The CE App.

Step 1: Configure your identity provider (IDP) for provisioning

You will authenticate ACEA’s CE App as a service provider within your IDP. Please request any specific information you need by contacting us to initiate this process.

If desired, you can create a group within your IDP for us to use for ongoing provisioning. This group, which will be fully synchronized into ACEA’s software, is sometimes smaller than the larger group of your users who are authorized to sign in via SSO. Users in the larger group who attempt to sign in can do so as a new user via just-in-time provisioning.

Step 2: Match user profile data fields

Follow these User Attributes for Data Mapping to allow fields from your IDP to sync correctly to ACEA.

Step 3: ACEA will set up provisioning

ACEA’s software team will then integrate provisioning within our software for your members and test this integration before launch.

What to expect after provisioning is enabled

Users will be generated and updated automatically in ACEA’s CE App software from your source IDP system. In some cases, if you edit something like a user’s name within ACEA’s software, the edit may be overwritten because your IDP is treated as the gold standard for data that is matched with our user profile fields. Users added via SCIM will be billable as soon as they are added into ACEA’s software and no longer billable when deactivated through your IDP and synchronized via SCIM.
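The sync behaviour described above (create, update and disable from the IDP, with the IDP overriding local edits and a provisioning group that may be smaller than the SSO group) can be sketched as a reconciliation pass. This is an added example, not ACEA’s code: plan_sync, norm_email, SYNCED_FIELDS and the source/active record fields are hypothetical names. It assumes that JIT-only users outside the provisioning group are never deactivated by the sync and that an empty IDP snapshot is treated as an error.

```python
def norm_email(email):
    # Email is the sign-in identifier, so match on a trimmed, lower-cased form.
    return email.strip().lower()

# Hypothetical names for the profile fields mapped from the IDP.
SYNCED_FIELDS = ("first_name", "last_name")

def plan_sync(idp_group, app_users):
    """Plan one sync run; returns (creates, updates, deactivations)."""
    creates, updates, seen = [], [], set()
    for person in idp_group:
        key = norm_email(person["email"])
        if key in seen:
            continue  # same mailbox listed twice must not create two users
        seen.add(key)
        desired = {f: person.get(f) for f in SYNCED_FIELDS}
        current = app_users.get(key)
        if current is None:
            creates.append({"email": key, **desired})
            continue
        # The IDP wins: any local edit to a synced field is overwritten.
        changed = {f: v for f, v in desired.items() if current.get(f) != v}
        if not current["active"]:
            changed["active"] = True  # back in the group: reactivate
        if changed:
            updates.append((key, changed))
    # Assumption: only SCIM-managed users are deactivated, never JIT-only ones.
    deactivations = sorted(
        email for email, rec in app_users.items()
        if rec["source"] == "scim" and rec["active"] and email not in seen
    )
    if deactivations and not seen:
        # An empty snapshot is more likely a failed IDP read: refuse to act.
        raise ValueError("empty IDP snapshot; refusing mass deactivation")
    return creates, updates, deactivations

# Constructed sample data (not real users).
IDP_GROUP = [
    {"email": "Ana.Ruiz@example.com", "first_name": "Ana", "last_name": "Ruiz-Lopez"},
    {"email": "bo.chen@example.com", "first_name": "Bo", "last_name": "Chen"},
]
APP_USERS = {
    "ana.ruiz@example.com": {"source": "scim", "active": True, "first_name": "Ana", "last_name": "Ruiz"},
    "cy.adams@example.com": {"source": "scim", "active": True, "first_name": "Cy", "last_name": "Adams"},
    "di.evans@example.com": {"source": "jit", "active": True, "first_name": "Di", "last_name": "Evans"},
}
if __name__ == "__main__":
    print(plan_sync(IDP_GROUP, APP_USERS))
```

With the sample data, Bo is created, Ana’s locally edited last name is overwritten with the IDP value, Cy is deactivated, and the JIT-only user Di is left untouched.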

Ready To Develop Together?

Reach out to us if you would like to participate in our Developers or API program. We love to collaborate.
