Single Sign-On Configuration
The PRISM configuration for SSO consists of two parts. The first part must be performed by the IT department and consists of configuring the identity provider. The second part, which is much easier, consists of configuring the PRISM SSO settings and can be done within PRISM. This help topic covers only the PRISM SSO settings.
Note: The identity provider configuration contains security information that should not be shared in a public-facing web portal. This information will be shared with your identity provider administrator directly.
Step 1: Create a PRISM SSO Administrator
The SSO administrators are essentially Monitor users of the Jurisdiction. A Monitor user is called an SSO administrator when assigned the "SSO Center" security action. Go to Configure->User/Groups->Monitor(Security Policy). This is shown in the image below.
Step 2: Verify the SSO Administrator has SSO rights.
Be sure to log out and log back in if you assigned the security action to yourself. You should see the new configuration setting.
Step 3: SSO User Enrollment
PRISM sends invitations by email to monitors. The invitation contains a link that performs the SSO enrollment. Only the SSO Administrator can perform this operation. There are two ways to perform this operation:
3a: Sending Enrollment invitation from SSO Center
From the SSO Center, identify the monitor and click the "Invite" link.
3b: Sending Enrollment invitation while adding a monitor
An invitation can also be sent while adding a new monitor to PRISM. Note the "Invite for SSO" check box.
Enrollment email sample
The following is a sample of the email that is sent to the monitor for SSO enrollment.
The enrollment process is driven by the Identity Provider of the Client/Jurisdiction. The steps usually include entering credentials in the Identity Provider's authentication portal.
Enrollment Completion
Once authentication is complete, the user is redirected to PRISM on the following screen:
Step 4: SSO User Approval
The approval process lets the SSO administrator see the list of SSO user enrollments. PRISM can automatically approve a user under specific conditions (given in the Rules and Business Logic section). In all other cases, manual approval is required. The SSO administrator approves enrollments from the following screen:
Auto SSO User Approval
Automatic approvals are performed by PRISM under specific conditions. An SSO user is eligible for auto approval if, during the enrollment process, the user's email address (in the jurisdiction's identity provider) matches the email address to which PRISM sent the invitation.
SSO Approval Completion Email Samples
On completion of approval, PRISM triggers the following emails:
This email is sent to the SSO user who has been approved for the single sign on.
This email is sent to the SSO administrator on approval and auto approval.
PRISM Compliance Management - Copyright © 2021 Early Morning Software, Inc.