What is it for?

SSO allows users to launch your application from within Maestrano without having to type in credentials. This improves the customer experience by removing a step to access your app. On a first connection, you can ask a User to provide information that you are not able to fetch directly from us; if the User is already known to your app, you can identify them by email address and choose to redirect them to their existing account. Every step after the first connection has to be automatic.

What is the Workflow?

The Single Sign On process is initiated from the Maestrano website when a user clicks on your application tile. This redirects the user to the configured SSO initialization endpoint, which then redirects back to the Maestrano IDM endpoint. The user is then redirected to your SSO consume endpoint with all the User details required to either log the user in or create a new account.

...

As the user email is unique on Maestrano, it is safe to match users by email or user_id. The user_id must be stored against the User record so that even if a user changes their email, you can still uniquely identify their account.

The group_id specified in the SSO request is the identifier used to assign Users to the Company/Organization they belong to, and it is also the identifier used for Connec! data-sharing. You need to store this value against the user's company inside your application.

On maestrano.com, a User can be part of multiple Companies (one user_id for more than one group_id) and a Company can have multiple Users (several user_id for the same group_id). We ask every application on maestrano.com to respect this norm, and to help you implement it, our SDKs offer virtual ids that are unique for a user and a company. See the virtual mode.
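The matching rules above can be implemented as follows. This is an added example, not code from the Maestrano SDKs: `AccountStore`, `User`, the `email` attribute key and the sample ids are assumptions, and the in-memory lists stand in for your application's tables.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    user_id: str   # Maestrano user_id; None for a local account not yet linked
    email: str
    group_ids: set = field(default_factory=set)  # companies the user belongs to

class AccountStore:
    """In-memory stand-in (hypothetical) for the app's user/company tables."""

    def __init__(self):
        self.users = []      # list of User
        self.companies = {}  # group_id -> set of user_id

    def consume(self, attrs):
        """Log in or provision from SSO attributes; returns (user, created)."""
        uid = attrs["user_id"]
        gid = attrs["group_id"]
        email = attrs["email"].lower()
        created = False
        # 1. The stored user_id is the stable key: it survives email changes.
        user = next((u for u in self.users if u.user_id == uid), None)
        if user is None:
            # 2. First connection: link a known local account by email, but
            #    only one not already bound to another user_id (assumption
            #    of this example, to avoid rebinding a linked account).
            user = next((u for u in self.users
                         if u.user_id is None and u.email == email), None)
            if user is None:
                user = User(user_id=uid, email=email)
                self.users.append(user)
                created = True
            user.user_id = uid
        user.email = email  # follow an email change made on Maestrano
        # 3. Many-to-many: one user_id may map to several group_id values,
        #    and one group_id to several user_id values.
        user.group_ids.add(gid)
        self.companies.setdefault(gid, set()).add(uid)
        return user, created
```
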

SSO Consume process