Your InnovationOS is the single source of truth for everything innovation. It is your home for innovation. It is therefore important that you bring everyone on board. This article explains how.
Read more here about:
1. Invite new users with local accounts
2. Authenticate and create new users with SSO
Invite new users with local accounts
To invite users individually, click on your username in the bottom-left corner [1], and then go to the Organization Settings [2] or directly to Users & Invitations.
When you enter the tab "Users & Invitations" in your organization settings [1], you will first find a list of all users of your system [2].
To invite a user, find the button at the bottom right of the screen [3]. By clicking "Invite User", a pop-up opens where you can enter the email address, the workspace(s) you want to invite the user to, and the role(s) you want to give to the user. Once done, click Invite user [5].
Please note that an invitation is valid for 7 days.
Please note that you can assign at most 5 user roles per workspace.
Please note that after a user has accepted the invite and logged in to the system for the first time, the user will get access to all public workspaces with the default role assigned. That also means that you only need to add a user to one public workspace during the invitation, and only if he/she is not also invited to a private workspace or if you want to assign a role other than the default.
To see the status of the invitations, navigate to the "Invitations" tab [6] next to the "Users" tab [2]. Here, you will find an overview of all invited users (with a pending or expired invitation). The list contains the email address, invitation date, status, and a deletion action.
If you, as a Workspace Administrator, want to correct the role assignment later, navigate to the respective workspace settings and adjust the role given. Also, if you want to make a user an organization admin, you can do this after the user has logged in for the first time.
Please note that the "Invite User" button does not appear when you have SSO enabled. Via SSO, every authenticated user from your active directory can directly log in to the system with their company credentials.
If you want to learn more about user management in general, please read this article.
Authenticate and create new users with SSO
You can also bring users on board by activating SSO. With SSO, you do not need to invite users manually from the "Users & Invitations" tab (and you will not find the option there).
Once SSO is activated, you only need to share the link to the system, and the user will get access with his/her corporate credentials.
To activate Single-Sign-On (SSO), navigate to the respective page in the organization settings. You can configure it yourself by defining a Title for your IDP, a Label for SSO Log in Button, IDP fields (e.g., email, last_name, first_name) and the respective mapping to the ITONICS user attributes (e.g., Email, Last Name, First name).
To complete the setup, add the metadata (bottom left side), click Enable SSO, and choose if you also want to allow Default Login with standard login credentials. Hit Apply Changes on the bottom right side to save your configurations.
You can add up to three IDPs via +Add IDP.
Now, all users can log in via the button Log in with SSO on the login page. When you land on the ITONICS Login Page, click on the button Log in with SSO. You will be redirected to your SAML Identity Provider (e.g., Active Directory Federation Services, Azure ADFS or OneLogin; most SAML Identity Providers are compatible). You will be asked to authenticate with your credentials at the Identity Provider. The defined SAML token is sent back to ITONICS. The SAML data is verified by ITONICS and, if successful, you are authenticated. When you complete this process for the first time, the system creates a user account in the ITONICS user management, assigns the role Member, and imports the User Attributes E-Mail, Last Name, and First Name.
When using SSO, all users are automatically redirected to a public workspace after logging in with SSO (default). If you have several public workspaces, one of the public workspaces is used as the default, and the users can jump between the workspaces after logging in.
If required, you would have to add the users to private workspaces manually after their first login.
Activating SSO
Integrating SSO can be performed fully self-managed. Yet, we recommend getting your IT department involved.
Firstly, SAML (Security Assertion Markup Language) needs to be set up. SAML is an open standard used to transfer authentication data between two parties - the identity provider (IDP) and the service provider (SP). While the IDP refers to a system entity that creates, manages, and maintains identity information and provides user authentication as a service, the SP is a system entity that receives and accepts authentication information from the IDP.
Go to Settings > SSO. Execute the following configuration steps:
- Title & Label: Set a Title for your IDP and define the Label for the SSO Log in Button. This Label will be displayed on the Login Page. (1)
- Attribute Mapping: Map the attributes from your Identity Provider with the User Attributes in ITONICS. Currently, only Email, Last Name and First Name can be mapped. Other attributes will follow soon. (2)
- Metadata Configuration: Choose the Metadata Configuration Type and upload a Metadata URL or a Metadata XML File Content. (3) You get the Metadata from your Active Directory. For instance, if you use Azure you can retrieve the Metadata from the SAML Certificates section in the respective Enterprise Application. The URL should look as follows: https://login.microsoftonline.com/{tenant-id}/federationmetadata/2007-06/federationmetadata.xml?appid={app-id}.
- Save the applied configuration (4)
- Based on your applied configuration, the IDP Configuration Information is generated. (5)
- Your IT Team has to import the metadata to the Active Directory Federation Services (ADFS).
- After your team has imported the metadata to the ADFS, you need to enable SSO via the slider in the bottom right corner. (6)
- Once your configuration is finished, hit the Apply changes button to activate SSO for your Organization (7)
- You can also decide if you still want to allow Default Login with standard login credentials. (8) SSO needs to be enabled first to activate the toggle.
- If you want to add another IDP, you can do so by clicking on the +Add IDP button. (9) You can add up to three IDPs.
For Azure users:
- Multiple Microsoft Entra IDs can be connected as separate IDPs if required.
- Each Entra ID requires a unique Metadata URL.
- A distinct login button will be displayed for each Entra ID.
Changing a user's role
Once you have invited a user, you can still change the roles per workspace or make any user the admin of your InnovationOS.
To change a role into a system admin role on the organizational level, navigate to the tab "Users & Invitations" on the organizational settings page. Find the user that you want to make an application administrator, click on the pen icon, and assign the admin role.
If you want to change a user's specific role in a workspace, navigate to the workspace tab on the organizational settings page. Here, you will find all your workspaces. Find the respective workspace, click the pen icon, and you will land on the workspace-specific settings page.
Navigate to the Users tab, search for the respective user, and click the pen icon. Now, you can assign him/her another role.