iMIS Power Suite - SSO Premium
iMIS SSO Premium: FAQ
Review the following FAQ related to iMIS SSO Premium.
What is OpenID Connect (OIDC)?
OpenID Connect is an identity layer built on top of OAuth 2.0. Most systems that support OAuth 2.0 can support OpenID Connect with minimal changes. OpenID Connect defines a /userinfo endpoint, which returns the signed-in user's profile information (claims) in a standardized way.
Important! OpenID Connect and OpenID Authentication 1.0/2.0 are not the same. The former is the newer specification built on top of OAuth 2.0; the latter is a much older, unsupported version of "OpenID" with a different protocol and specification.
Where can I find my OpenID Connect discovery document?
The OpenID Connect Discovery document is always located at https://<Your-SSO-Domain>/.well-known/openid-configuration
The SSO domain is the domain for which you created a DNS CNAME record during your iMIS SSO onboarding.
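As an added illustration (this is not iMIS code and is not part of the original FAQ), the following shows how a relying party can build the discovery URL from the SSO domain and sanity-check the discovery document before trusting the endpoints in it. The discovery document below is a constructed sample, and its endpoint paths are assumptions; the real document is retrieved from the well-known URL above.

```javascript
// Added example (not iMIS code): derive the discovery URL from the SSO domain and
// sanity-check a discovery document before a relying party trusts its endpoints.
// The document below is a constructed sample; its endpoint paths are assumptions.
const SAMPLE_DISCOVERY = JSON.stringify({
  issuer: 'https://sso.example.org',
  authorization_endpoint: 'https://sso.example.org/connect/authorize',
  token_endpoint: 'https://sso.example.org/connect/token',
  userinfo_endpoint: 'https://sso.example.org/connect/userinfo',
  jwks_uri: 'https://sso.example.org/.well-known/openid-configuration/jwks',
  response_types_supported: ['code'],
  id_token_signing_alg_values_supported: ['RS256'],
});

// The well-known location from the FAQ, built from a bare host name only,
// so a caller cannot smuggle a path or query into the URL.
function discoveryUrl(ssoDomain) {
  if (!/^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$/.test(ssoDomain)) {
    throw new Error('SSO domain must be a bare host name');
  }
  return `https://${ssoDomain}/.well-known/openid-configuration`;
}

// Check a parsed discovery document against the domain it was retrieved from and
// return the endpoints a relying party needs. Throws rather than returning partial data.
function validateDiscovery(ssoDomain, doc) {
  const expectedIssuer = `https://${ssoDomain}`;
  // OIDC Discovery requires the issuer to equal the URL the document was fetched from
  // (minus /.well-known/openid-configuration). A mismatch indicates a misconfiguration
  // or a document served for a different issuer.
  if (String(doc.issuer).replace(/\/$/, '') !== expectedIssuer) {
    throw new Error(`issuer "${doc.issuer}" does not match ${expectedIssuer}`);
  }
  const endpoints = {};
  for (const key of ['authorization_endpoint', 'token_endpoint', 'userinfo_endpoint', 'jwks_uri']) {
    const value = doc[key];
    if (typeof value !== 'string' || !value.startsWith('https://')) {
      throw new Error(`${key} is missing or not an https URL`);
    }
    endpoints[key] = value;
  }
  // The authorization code flow must be available, and RS256 must be offered
  // (the spec requires it) so ID tokens can be verified against jwks_uri.
  if (!(doc.response_types_supported || []).includes('code')) {
    throw new Error('provider does not support the authorization code flow');
  }
  if (!(doc.id_token_signing_alg_values_supported || []).includes('RS256')) {
    throw new Error('provider does not offer RS256 for ID tokens');
  }
  return endpoints;
}

// Stand-alone usage with the constructed sample.
console.log(discoveryUrl('sso.example.org'));
console.log(validateDiscovery('sso.example.org', JSON.parse(SAMPLE_DISCOVERY)));
```

The issuer check is the one most often skipped: a document whose `issuer` does not match the host it was fetched from should be rejected, not patched around, because every later ID-token check compares against that issuer value.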
What is an identity mode?
The identity mode determines how iMIS SSO Premium identifies the currently signed-in user. You configure a Client Application for this purpose; the two modes, iMIS Client Application mode and On-Premise / Forms Authentication mode, are described below.
Can I use On Behalf Of with iMIS SSO Premium?
No, On Behalf Of does not work with iMIS SSO Premium. Even if you impersonate someone in iMIS using the On Behalf Of feature, iMIS SSO sends the original (signed-in) user's information to the third party, not the "on behalf of" user's.
Does iMIS SSO Premium support single sign out?
iMIS SSO Premium is a passthrough application, so no user sessions are stored. Therefore, this application specifically does not support single logout; however, you can set up a single logout endpoint from iMIS, which can also take the user to another connected application or directory to also sign the user out there.
See Enabling Single Logout (SLO).
What is the Reauthorization Grace Period setting?
The OAuth2 protocol dictates that the first time a user signs in to a particular third party application, the user must be shown a consent screen that tells the user what information of theirs is being sent to the third party.
The Reauthorization Grace Period is the period of time for which the user's consent decision is remembered; after it expires, the user must consent again. The minimum value is 2 months. The maximum value is 120 months (10 years).
Refer to What is Admin Consent? for additional information.
Can the Reauthorization Grace Period be different per integration?
No, the Reauthorization Grace Period setting is system-wide.
What is Admin Consent?
The OAuth2 protocol dictates that the first time a user signs in to a particular third party application, the user must be shown a consent screen that tells the user what information of theirs is being sent to the third party.
For some internal integrations, it may be preferable to have an administrator automatically grant consent on behalf of all users in your organization.
To grant admin consent, click Edit next to an integration, and click Grant Admin Consent at the top of the page.
Granting admin consent means that users will not see the Allow/Deny consent screen when signing in to this app for the first time. Granting admin consent also means that the Reauthorization Grace Period setting is ignored.
Can I revoke or reverse admin consent?
No. Once Admin Consent has been granted, it cannot be reversed. If Admin Consent must be revoked, you will need to delete and then create a new, separate app connection, which will also mean updating the Client ID and Client Secret within the destination app.
Do the Create Account and Forgot Password links work with UAM?
Yes. You can use the Create Account and Forgot Password fields to link to the pages on your website where UAM is installed.
Can I use iMIS and Forms Auth at the same time?
No. These settings are mutually exclusive. Either the iMIS Client Application mode or On-Premise / Forms Authentication mode must be used.
Can I use the RiSE sign in page instead of the custom / branded one?
Yes. In order to use your existing RiSE sign in page, you must configure the iMIS SSO Premium product to use iMIS EMS identity settings.
On-premise / Forms Authentication mode is not supported with a RiSE sign in page.
Can I use iMIS SSO branding or custom Create Account/Forgot Password links with the RiSE sign-in page?
No. The Create Account, Forgot Password, and custom branding settings are not used if the iMIS identity mode/RiSE sign in page is used. These settings only apply to On-premise / Forms Authentication identity mode. To use custom branding, you must customize the RiSE login page, or create a new RiSE login page that is specifically used for iMIS SSO Premium.
To facilitate app-specific customizations, the ClientId is passed as a query string parameter to the RiSE login page. This allows you to check the ClientId using JavaScript and show certain elements only for certain SSO connections.
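As an added example of that customization (not iMIS code and not part of the original FAQ), the script below reads the ClientId from the query string and reveals only the page sections mapped to that connection. The parameter name `ClientId`, the client ID values and the section ids are placeholders and assumptions; the FAQ does not state the exact parameter name, so confirm it against your own RiSE login page URL.

```javascript
// Added example (not iMIS code): choose which parts of a customized RiSE sign-in
// page to show, based on the ClientId in the query string. The parameter name
// "ClientId", the client IDs and the element ids below are placeholders/assumptions.

// Constructed sample map of SSO connection Client IDs to the page sections that
// should be visible for that connection. Replace the keys with your own Client IDs.
const SECTIONS_BY_CLIENT = {
  'CLIENT-ID-LMS-PLACEHOLDER': ['lms-banner', 'lms-help-link'],
  'CLIENT-ID-EVENTS-PLACEHOLDER': ['events-banner'],
};

// Read the ClientId from a query string such as "?ClientId=abc&ReturnUrl=...".
// The client ID is a public identifier, but only the expected character set is
// accepted so an unexpected value never reaches the DOM or a selector.
function clientIdFromQuery(search, paramName = 'ClientId') {
  const value = new URLSearchParams(search).get(paramName);
  return value && /^[A-Za-z0-9._-]{1,128}$/.test(value) ? value : null;
}

// Decide which optional sections to show. Unknown, missing or malformed client IDs
// show nothing extra, and the lookup uses an own-property check so values such as
// "__proto__" cannot match inherited keys.
function sectionsToShow(search, sectionsByClient = SECTIONS_BY_CLIENT) {
  const clientId = clientIdFromQuery(search);
  return clientId && Object.prototype.hasOwnProperty.call(sectionsByClient, clientId)
    ? sectionsByClient[clientId]
    : [];
}

// Apply the decision to the page: every managed section is hidden unless selected.
// Only runs when a DOM is present; the functions above are pure and testable anywhere.
function applyVisibility(search, doc = typeof document !== 'undefined' ? document : null) {
  if (!doc) return;
  const show = new Set(sectionsToShow(search));
  const managed = new Set(Object.values(SECTIONS_BY_CLIENT).flat());
  for (const id of managed) {
    const el = doc.getElementById(id);
    if (el) el.hidden = !show.has(id);
  }
}

// In the browser, run on page load with the current query string.
if (typeof window !== 'undefined') applyVisibility(window.location.search);
```

Keep the ClientId strictly a display hint: it is not a secret and arrives from the user's own address bar, so nothing that grants access or changes where the user is sent should depend on it.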
What happens if the user tries to go directly to the third party website or app?
If the user is not already signed in to iMIS, the user will be prompted to sign in, and will then be immediately taken back to the third party. If the user is already signed in, the user will be automatically signed in and taken back to the third party. This process is invisible to the user.
Can I disable a single client application/connection individually?
No, currently the only way to disable a single connection is to delete and recreate it. You will be issued a new Client ID and Client Secret, and you will have to set up the connection again with the third party.
Can I disable the entire SSO site (maintenance mode)?
Yes. On the System Settings page, there is a Maintenance Mode switch that you can enable which will cease all SSO connections and display a maintenance message to any users that attempt to use the SSO.
If a user tries to access a specific page, will they be returned to that page?
This depends on the OpenID Connect implementation at the third party. It is their responsibility to implement this functionality. A number of options exist for making this work, including encoding the "Return To" path in the state parameter, or storing the "Return To" path in a cookie or session variable.
What profile data is sent over?
All profile data that is sent over is fully customizable by the customer and is driven by a query. Whichever fields are exposed in the query are sent to the third party via the /userinfo endpoint. The only data that must be sent to the third party application is the iMIS username, which, depending on the customer's implementation, may also be the user's primary email address.
Can I change the profile query that is used for each app/integration?
Yes. The profile IQA that drives the user profile information sent to the third party is customizable per integration, so the profile data you send to your LMS vendor can differ from the profile data you send to your event vendor.