Please note this feature is only available for the Pro plans and is still in Beta. To access this feature, please send an email to support@rentman.io.
Why enforcing SSO is useful
SSO offers an added layer of security. Enforcing SSO enhances security and data protection by ensuring that login authentication is carried out exclusively through trusted providers.
By enforcing SSO for specific user roles, you ensure that the users with that particular user role can only log in using your organization's SSO. Therefore, you also enforce the same authentication level as your identity management provider, such as two-factor authentication or password rotation.
The flexible setup also allows companies to choose which user roles need enforcement without restricting external users, such as freelancers, from using Rentman. By enforcing SSO only on the user roles assigned to internal people, external crew members who do not have an identity in your organization's SSO and do not need to access sensitive information can still log in.
Note: Multi-factor authentication is not handled within Rentman but can be enforced by the SSO Provider (Google, Apple, or Microsoft).
This feature does not include user provisioning. Users will still need to be added and removed from the Rentman database manually, as per the current process.
Getting started with SSO
Only power users with access to the Configuration module can enable SSO enforcement.
Since you can only enforce SSO on user roles and not individual users, you must first set up your user roles. In this article, we explain how you can set up user roles for your workspace.
To enable SSO enforcement:
- Navigate to the Configuration module > Account > Security
- Choose a provider.
- Add domain(s) constraints.
  Rentman tip: Use a comma (,) to separate multiple domains. Domain constraints ensure secure access by permitting logins only from the trusted domains you add here.
- Select desired user roles.
- Save
Mastering SSO enforcement: restrictions
When trying to enforce SSO for certain user roles, you might get the message "Users in this role do not meet domain restrictions."
Clicking on the Show button directs you to the Crew members module where you can see a list of users who do not comply with the restrictions. In the following paragraphs, we will explain what these restrictions are and how to resolve them.
Note: If the issue for affected users is not resolved, they will not be able to log in to the software.
Warning: Ensure that you do not enable SSO for your user role if you (your user in Rentman) do not meet the necessary restrictions, as this will prevent you from logging into Rentman.
1- User does not comply with the domain restrictions
This means that at least one user assigned to this role has an email address that does not match the domain rules.
For example, the domain is set to rentman.nl, but the user in this user role has a gmail.com email address.
To resolve this issue, you can either:
2- User has a local profile
Enforcing Single Sign-On (SSO) is limited to users with global profiles. Therefore, users with local profiles, who continue to log in using their username and password, cannot be assigned a user role with enforced SSO.
To resolve this issue, you can either:
- Assign a new user role to the user where SSO is not enforced; or
- Have the user verify their email address so that they have a global profile. Please note that this action is irreversible.
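A pre-flight check for the two restrictions and the lockout warning above, as an added example that is not Rentman's own code: it audits a constructed user list against the comma-separated domain constraints before a role is enforced. The record fields (`email`, `role`, `profile`), the role names and the exact-match domain rule are assumptions; this article does not state whether subdomains match.

```python
# Added example: pre-flight audit before enforcing SSO on a user role.
# Field names and the exact-match domain rule are assumptions, not Rentman's API.

def parse_domains(raw):
    """Split the comma-separated domain constraint field into a normalized set."""
    return {d.strip().lower().lstrip("@") for d in raw.split(",") if d.strip()}

def email_domain(email):
    """Return the lowercased part after the last '@', or '' if malformed."""
    local, sep, domain = email.strip().rpartition("@")
    return domain.lower() if sep and local else ""

def audit(users, enforced_roles, raw_domains, admin_email):
    """Return (findings, admin_locked_out) for users in roles about to be enforced."""
    allowed = parse_domains(raw_domains)
    findings = []
    for u in users:
        if u["role"] not in enforced_roles:
            continue  # external roles such as freelancers stay unaffected
        reasons = []
        # Exact comparison: 'rentman.nl.example' or 'notrentman.nl' must not pass.
        if email_domain(u["email"]) not in allowed:
            reasons.append("domain")
        if u["profile"] != "global":
            reasons.append("local profile")
        if reasons:
            findings.append((u["email"], reasons))
    locked = any(e.lower() == admin_email.lower() for e, _ in findings)
    return findings, locked

# Constructed sample data (hypothetical crew export).
USERS = [
    {"email": "anna@rentman.nl", "role": "Planner", "profile": "global"},
    {"email": "bob@gmail.com", "role": "Planner", "profile": "global"},
    {"email": "carl@rentman.nl", "role": "Warehouse", "profile": "local"},
    {"email": "dana@rentman.nl.example", "role": "Warehouse", "profile": "global"},
    {"email": "eve@gmail.com", "role": "Freelancer", "profile": "local"},
]

if __name__ == "__main__":
    findings, locked = audit(USERS, {"Planner", "Warehouse"},
                             "rentman.nl, example.org", "anna@rentman.nl")
    for email, reasons in findings:
        print(f"{email}: {', '.join(reasons)}")
    print("admin would be locked out" if locked else "admin account passes")
```

Run it with the account that will flip the setting as `admin_email`; any finding for that account means enforcement would lock the administrator out.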