Recognize provides Single Sign-On (SSO) via SAML v2.0. Companies can connect through app stores such as Azure, Okta, and AWS, or set up SSO manually through the Recognize Company Admin Settings. If you need assistance implementing any of these, you can find the relevant articles here:
- Setting up Single Sign-on (SSO) with Azure via Azure Gallery
- Setting up Single Sign-on (SSO) Using Active Directory with ADFS and SAML
To enable single sign-on in Recognize, open your settings in the admin portal by going to Menu > Company Admin > Settings.
What is the Recognize "idp" page?
IDP stands for "Identity Provider". The IDP page is a landing page that presents users with choices for how to log in. Company admins can enable or disable the choices shown, depending on which identity providers they want to allow users to log in with. These can include Microsoft, Google, Username/Password, and SSO. The URL is https://recognizeapp.com/<youraccount>/idp.
Some organizations will only allow one identity provider such as their Single Sign On IDP, but others may permit several. If your organization permits several identity providers, this is a great landing page to direct users to log in to Recognize.
What does Force SSO do?
If a user enters their email on the Recognize homepage and the Force SSO setting is enabled, the user is "forced through SSO". If Force SSO is NOT enabled, the user is redirected to the IDP page described above.
Some companies enable Force SSO, which keeps end users away from the IDP page, but train their administrators on the IDP page, which may offer alternate backup login mechanisms as a failsafe in case the SSO configuration stops working.
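The following is an added illustration, not Recognize's own code or an API it exposes: a small model of the IDP-page and Force SSO behaviour described above, plus a settings review that flags the lockout risk the failsafe paragraph is guarding against (Force SSO on, but no backup provider left enabled on the IDP page). The setting names, the `AccountSettings` class and the `review_settings` function are assumptions made for this example; the provider choices and the IDP URL pattern are the ones the article names.

```python
from dataclasses import dataclass, field

# Identity providers the article says the IDP page can offer.
IDENTITY_PROVIDERS = ("microsoft", "google", "password", "sso")


@dataclass
class AccountSettings:
    """Hypothetical model of a company's login settings (not Recognize's real schema)."""
    account: str                       # the <youraccount> part of the IDP URL
    enabled_providers: set = field(default_factory=set)
    force_sso: bool = False

    def idp_page_url(self) -> str:
        # URL pattern from the article: https://recognizeapp.com/<youraccount>/idp
        return f"https://recognizeapp.com/{self.account}/idp"


def route_email_login(settings: AccountSettings, email: str) -> dict:
    """Model what happens after a user enters their email on the homepage.

    Force SSO on  -> the user is sent straight to SSO.
    Force SSO off -> the user lands on the IDP page and picks from the enabled providers.
    """
    if not email or "@" not in email:
        return {"action": "reject", "reason": "invalid email"}
    if settings.force_sso:
        if "sso" not in settings.enabled_providers:
            # Misconfiguration: nothing to force the user through.
            return {"action": "error", "reason": "force_sso is on but the sso provider is disabled"}
        return {"action": "sso"}
    return {
        "action": "idp_page",
        "url": settings.idp_page_url(),
        "choices": sorted(settings.enabled_providers),
    }


def review_settings(settings: AccountSettings) -> list:
    """Hypothetical admin-side sanity check; returns a list of human-readable findings."""
    findings = []
    unknown = settings.enabled_providers - set(IDENTITY_PROVIDERS)
    if unknown:
        findings.append(f"unknown providers enabled: {sorted(unknown)}")
    if not settings.enabled_providers:
        findings.append("no identity providers enabled; nobody can log in")
    if settings.force_sso and "sso" not in settings.enabled_providers:
        findings.append("force_sso is on but sso is not an enabled provider")
    backups = settings.enabled_providers - {"sso"}
    if settings.force_sso and not backups:
        # The failsafe the article describes: admins need a non-SSO route on the IDP page.
        findings.append(
            "force_sso is on and no backup provider is enabled on the IDP page; "
            "an SSO outage would lock out administrators as well"
        )
    return findings


if __name__ == "__main__":
    # Constructed sample account: Force SSO on, password login kept as the admin failsafe.
    acme = AccountSettings("acme", {"sso", "password"}, force_sso=True)
    print(route_email_login(acme, "someone@acme.example"))   # forced through SSO
    print(review_settings(acme))                              # no findings
    # Same account with the backup removed: the review flags the lockout risk.
    print(review_settings(AccountSettings("acme", {"sso"}, force_sso=True)))
```

The review function is the part worth keeping around: run it whenever Force SSO is toggled so that disabling the last non-SSO provider on the IDP page is caught before an SSO outage makes it matter.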
What is the difference between Microsoft OAuth login and SSO if I use Azure?
The difference is mostly technical and transparent to users. For end users, the login ultimately validates the same way, since both paths route through Azure. However, if a user initiates login with the "Sign in with Microsoft" button, which uses the OAuth protocol, the first time they do so they are presented with a consent screen asking for access to their account. This gives Recognize a token to read their profile and sync their avatar image. We are unable to sync avatar images with SSO unless an admin establishes a separate "User sync" connection.