Grip SSO Support
What SSO standards do we support?
Grip supports the SAML 2 standard for Single Sign-On. We support Single Sign-On but not Single Sign-Off (single logout).
Apart from SAML 2, proprietary integrations can be discussed and implemented at additional cost.
What SSO providers can we integrate with?
For SAML 2, we have successfully integrated with:
- Auth0 (www.auth0.com)
- Keycloak (www.keycloak.org)
For proprietary integrations, we have successfully done so for:
- Messe München
What do we need from clients to enable SSO?
For every SSO integration, the client must have a Branded Application; events running in the Grip App cannot have SSO enabled. The SSO Identity Provider must also guarantee that an authenticated user is authorized to use Grip for the specific application/event. This is done through a 1-to-1 mapping between our Thing's registration ID or email and the response returned by the SSO Identity Provider.
For SAML 2 SSO, we require that the client support the following:
- SAML Requests sent from Grip to the Identity Provider are not encrypted
- All signatures are created with rsa-sha256
The client must also provide us with:
- A SAML2 metadata URL or a metadata file
- The SAML2 IdP Issuer name
- The SAML2 IdP login URL
- The SAML2 IdP logout URL (optional)
- The SAML2 IdP signing and encryption certificate
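As an added example (not Grip's own code), the following Python check reads an IdP's SAML 2 metadata, as supplied via the metadata URL or file above, and extracts the Issuer, login URL, optional logout URL and the signing and encryption certificates, reporting which required items are missing. The metadata document and its URLs are constructed placeholders; the rsa-sha256 requirement applies to the signatures on the SAML messages themselves and cannot be confirmed from metadata alone, so it is not checked here.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# Items on Grip's checklist that are required; the logout URL is optional.
REQUIRED = ("issuer", "login_url", "signing_cert", "encryption_cert")

# Constructed sample metadata with placeholder values, not a real IdP's document.
# It deliberately omits the encryption certificate and the optional logout URL.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIB...PLACEHOLDER</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml/login"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def extract_idp_settings(metadata_xml: str) -> dict:
    """Pull the checklist values out of IdP metadata and list the required ones that are missing."""
    root = ET.fromstring(metadata_xml)
    if root.tag == "{%s}EntitiesDescriptor" % NS["md"]:  # some IdPs wrap the entity
        root = root.find("md:EntityDescriptor", NS)
    idp = root.find("md:IDPSSODescriptor", NS) if root is not None else None
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    certs = {}
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute is valid for both signing and encryption.
        cert = kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
        for use in kd.get("use", "signing encryption").split():
            certs.setdefault(use, cert.strip() if cert else None)
    sso = idp.find("md:SingleSignOnService", NS)
    slo = idp.find("md:SingleLogoutService", NS)
    settings = {
        "issuer": root.get("entityID"),
        "login_url": sso.get("Location") if sso is not None else None,
        "logout_url": slo.get("Location") if slo is not None else None,
        "signing_cert": certs.get("signing"),
        "encryption_cert": certs.get("encryption"),
    }
    settings["missing"] = [key for key in REQUIRED if not settings[key]]
    return settings
```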
For proprietary integrations, we require documentation from the client before we can advise on the feasibility of the integration and its requirements.
What features are not available when an application has SSO enabled?
Applications with SSO enabled, and all the events within them, have the following key differences:
- Users no longer manage passwords on Grip
- Users can create Teams (if Teams is enabled) but cannot invite users to their Teams. Team members can only be added via registration, relationships or Dashboard users.
- Users cannot use Event Signups through Grip and must come in via a standard registration integration.