How SSO Works for Account Management
By default, EpicLink uses an invitation-based account management model. Administrators create user accounts by sending invitations, and users complete registration by setting their own password.
When Single Sign-On (SSO) is enabled, user access is managed through your Identity Provider (IdP), such as Azure AD or Okta, rather than through individual account invitations.
SSO Account Provisioning
After SSO is configured and Group Role Mapping is established, users can access EpicLink by authenticating through the configured Identity Provider.
During the user's first successful SSO login:
- EpicLink automatically creates an SSO user account for the authenticated user.
- The user's access level is determined by the configured Group Role Mapping.
- If no matching group rule is found, the system applies the configured Default Policy, or denies access when the Deny access if no group rule matches option is enabled.
As a result, administrators do not need to invite users individually through the Account Management page. Instead, access is controlled by managing users and groups within the Identity Provider.
Access Management with SSO
In a traditional deployment:
- An administrator sends an invitation.
- The user completes registration.
- The administrator manually assigns permissions.
In an SSO-enabled deployment:
- The administrator configures SSO and role mappings.
- Users are assigned to groups or roles in Azure AD or Okta.
- Users authenticate through SSO.
- EpicLink automatically provisions the user account and assigns permissions based on the configured mappings.
This approach centralizes user lifecycle management within the organization's Identity Provider and reduces administrative overhead.
Group Role Mapping and Default Policy
Group Role Mapping determines which EpicLink access policy is assigned to users based on their Identity Provider group or role membership.
If a user does not match a configured group mapping, the Default Policy determines the access level assigned to the user. Alternatively, administrators can enable the Deny access if no group rule matches option to prevent access for unmapped users.
User Deactivation
User access can be controlled directly from the Identity Provider by removing users from assigned groups or disabling their Identity Provider accounts.
Additionally, the Inactive Account Deletion setting can automatically disable SSO user accounts in EpicLink after a specified period of inactivity.
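The first-login provisioning flow, the Group Role Mapping resolution with its Default Policy and deny-on-no-match fallbacks, and the inactivity-based disabling described above can be modelled end to end in a few functions. The following is an added example written for this page; it is not EpicLink code and does not reflect its internal data model. Names such as `GroupRoleMapping`, `SsoSettings`, `AccountStore`, the ordered first-match rule evaluation, the re-application of mappings on every login, and the rejection of disabled accounts at login are all assumptions made for the illustration, and the group names, e-mail address and dates are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


class AccessDenied(Exception):
    """Raised when no rule or default grants the authenticated user access."""


@dataclass
class GroupRoleMapping:
    # One rule: members of this IdP group (from the SSO assertion's group
    # claim) receive this EpicLink access policy.
    idp_group: str
    policy: str


@dataclass
class SsoSettings:
    # Assumption: rules are evaluated in order and the first match wins; the
    # page does not say how overlapping rules are prioritised.
    mappings: List[GroupRoleMapping]
    default_policy: Optional[str] = None      # "Default Policy" setting
    deny_if_no_match: bool = False            # "Deny access if no group rule matches"


@dataclass
class SsoUser:
    email: str
    policy: str
    last_login: datetime
    enabled: bool = True


# Constructed clock for the example so that timestamps are reproducible.
EPOCH = datetime(2024, 1, 1)


def day(n: int) -> datetime:
    """Return a timestamp n days after the constructed EPOCH."""
    return EPOCH + timedelta(days=n)


def resolve_policy(settings: SsoSettings, idp_groups: List[str]) -> str:
    """Map the user's IdP group claims to an EpicLink access policy."""
    for rule in settings.mappings:
        if rule.idp_group in idp_groups:
            return rule.policy
    if settings.deny_if_no_match:
        raise AccessDenied("no group rule matched and deny-on-no-match is enabled")
    if settings.default_policy is None:
        # Edge case: deny is off but no Default Policy was configured either.
        raise AccessDenied("no group rule matched and no Default Policy is configured")
    return settings.default_policy


class AccountStore:
    """In-memory stand-in for the EpicLink user table (constructed for this example)."""

    def __init__(self) -> None:
        self.users: Dict[str, SsoUser] = {}

    def login(self, settings: SsoSettings, email: str, idp_groups: List[str],
              now: datetime) -> Tuple[SsoUser, bool]:
        """Handle one successful IdP authentication. Returns (user, created)."""
        # Resolve access before touching state, so a denied login creates nothing.
        policy = resolve_policy(settings, idp_groups)
        user = self.users.get(email)
        if user is None:
            # First successful SSO login: the account is created automatically.
            user = SsoUser(email=email, policy=policy, last_login=now)
            self.users[email] = user
            return user, True
        if not user.enabled:
            # Assumption: an account disabled for inactivity cannot sign in.
            raise AccessDenied(f"{email} is disabled")
        # Assumption: mappings are re-applied on every login so that group
        # changes made in the IdP take effect without administrator action.
        user.policy = policy
        user.last_login = now
        return user, False

    def disable_inactive(self, now: datetime, max_inactive_days: int) -> List[str]:
        """Inactive Account Deletion: disable SSO users idle longer than the threshold."""
        cutoff = now - timedelta(days=max_inactive_days)
        disabled = []
        for user in self.users.values():
            if user.enabled and user.last_login < cutoff:
                user.enabled = False
                disabled.append(user.email)
        return sorted(disabled)


if __name__ == "__main__":
    settings = SsoSettings(
        mappings=[GroupRoleMapping("epiclink-admins", "Administrator"),
                  GroupRoleMapping("epiclink-users", "Viewer")],
        default_policy="Viewer")
    store = AccountStore()
    print(store.login(settings, "alice@example.com", ["epiclink-admins"], day(0)))
```

Because the policy is resolved before any account is created, enabling the deny option leaves no half-provisioned accounts behind for users who are not mapped, and because a user who loses their IdP group membership is re-evaluated on the next login, removing someone from a group in Azure AD or Okta is sufficient to downgrade or revoke their EpicLink access without an administrator touching the Account Management page.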
SSO vs. Invitation-Based Access
| Invitation-Based Access | SSO-Based Access |
|---|---|
| Users are invited individually by an administrator. | Users authenticate through Azure AD or Okta. |
| Users create and manage an EpicLink password. | Authentication is managed by the Identity Provider. |
| Permissions are assigned directly within EpicLink. | Permissions are assigned through Group Role Mapping. |
| User onboarding is managed per user. | User onboarding is managed through Identity Provider groups and roles. |
| Administrators maintain user accounts individually. | Administrators manage access centrally through the Identity Provider. |
Configuring SSO Authentication with Okta and Azure AD
- Click the SSO Settings tab in the Account Management screen.
- The SSO Settings page allows administrators to configure Single Sign-On (SSO) authentication for the platform. Currently, the system supports:
  - Okta
  - Azure AD
- Please refer to the following pages for detailed information about both of these configurations.