3️⃣ Inviting Users, SSO, and Managing User Roles

Your InnovationOS is the single source of truth for everything innovation and your home for innovation, so it is important to bring everyone on board. This article explains how.

This article covers:

1. Invite new users with local accounts

2. Authenticate and create new users with SSO

3. Activating SSO

4. Changing a user's role

Invite new users with local accounts

To invite users individually, click your username in the bottom-left corner [1], then go to Organization Settings [2] or directly to Users & Invitations.

When you open the "Users & Invitations" tab in your organization settings, you first see a list of all users of your system.

To invite new users, navigate to the Invitations tab. Here, you will find an overview of all invited users (with a pending or expired invitation). The list contains the email address, invitation date, status, and a deletion action.

Please note that an invitation is valid for 7 days.

To invite a user, use the button at the bottom right of the screen. Clicking "Invite User" opens a pop-up where you can enter the email address and select the private workspaces to which the user should be added. Invited users automatically get access to public workspaces.

Please note that the user's role per workspace needs to be adjusted after he/she has logged in for the first time. Likewise, if you want to make him/her an organization admin, you need to do this after the user has logged in.

Please note that the "Invite User" button does not appear when you have SSO enabled. Via SSO, every authenticated user from your active directory can directly log in to the system with their company credentials.

If you want to learn more about user management in general, please read this article.

Authenticate and create new users with SSO

You can also bring users on board by activating SSO. With SSO, you do not need to invite users manually from the "Users & Invitations" tab (and you will not find the option there).

When SSO is activated, you only share the link to the system, and the user gets access with his/her corporate credentials.

To activate Single Sign-On (SSO), navigate to the SSO page in the organization settings. You can configure it yourself by defining the IDP fields (e.g., email, last_name, first_name) and mapping them to the ITONICS user attributes (e.g., email, Last Name, First name).

To complete the setup, add the metadata (bottom left side), click Enable SSO, and Update on the bottom right side.

Now, all users can log in via the button Sign in with SAML on the ITONICS Login Page. After you click the button, you are redirected to your SAML Identity Provider (e.g., Active Directory Federation Services, Azure ADFS, or OneLogin; most SAML Identity Providers are compatible), where you are asked to authenticate with your credentials. The defined SAML token is sent back to ITONICS. ITONICS verifies the SAML data and, if verification succeeds, you are authenticated. When you complete this process for the first time, the system creates a user account in the ITONICS user management, assigns the role Regular User, and imports the User Attributes E-Mail, Last Name, and First Name.

By default, all users are automatically redirected to a public workspace after logging in with SSO. If you have several public workspaces, one of them is used as the default, and the users can switch between the workspaces after logging in.

If required, you would have to add the users to private workspaces manually after their first login.

Activating SSO

You can set up the SSO integration entirely on your own. We recommend getting your IT department involved.

First, SAML (Security Assertion Markup Language) needs to be set up. SAML is an open standard used to transfer authentication data between two parties: the identity provider (IdP) and the service provider (SP). The IdP is a system entity that creates, manages, and maintains identity information and provides user authentication as a service; the SP is a system entity that receives and accepts authentication information from the IdP.

Go to Settings > SSO. On the SSO Configuration Page, you need to execute two configuration steps:
    • Attribute Mapping: Map the attributes from your Identity Provider to the User Attributes in ITONICS. Currently, only Email, Last Name and First Name can be mapped. Other attributes will follow soon. (1)
    • Metadata Configuration: Choose the Metadata Configuration Type and upload a Metadata URL or a Metadata XML File Content. (2)
    • Save the applied configuration. (3)

    • Based on your applied configuration, the IDP Configuration Information is generated. (4)
        • Your IT Team has to import the metadata to the Active Directory Federation Services (ADFS).
    • After your team has imported the metadata to the ADFS, you need to enable SSO via the slider in the bottom right corner. (5)
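
A check you can run before enabling SSO, for the Attribute Mapping step above (added example, not ITONICS code): it applies the mapping to the AttributeStatement of a SAML assertion and reports any field the IdP did not release under the mapped name. The field names are the examples given on this page; the sample assertions are constructed and unsigned, and the URI-named claim is an assumed failure case.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
# IdP field -> ITONICS user attribute, using the example field names from this page.
ATTRIBUTE_MAPPING = {"email": "Email", "last_name": "Last Name", "first_name": "First Name"}
DEFAULT_ROLE = "Regular User"  # role the page says a first SSO login receives

def sample_assertion(attrs):
    """Build a constructed, unsigned assertion fragment (test data, not real IdP output)."""
    body = "".join(
        f'<saml:Attribute Name="{name}"><saml:AttributeValue>{value}'
        f"</saml:AttributeValue></saml:Attribute>"
        for name, value in attrs.items()
    )
    return (f'<saml:Assertion xmlns:saml="{SAML_NS}"><saml:AttributeStatement>'
            f"{body}</saml:AttributeStatement></saml:Assertion>")

def released_attributes(assertion_xml):
    """Return {attribute name: [non-empty values]} from the AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    found = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
        found[attr.get("Name")] = [v for v in values if v]
    return found

def check_mapping(assertion_xml, mapping=ATTRIBUTE_MAPPING):
    """Apply the mapping; return (user_record, problems). Signatures are NOT checked."""
    released = released_attributes(assertion_xml)
    user, problems = {}, []
    for idp_field, target in mapping.items():
        values = released.get(idp_field, [])
        if len(values) == 1:
            user[target] = values[0]
        else:
            problems.append(f"{target}: expected one value for '{idp_field}', got {len(values)}")
    if "@" not in user.get("Email", "@"):
        problems.append("Email: mapped value is not an e-mail address")
    if not problems:
        user["Role"] = DEFAULT_ROLE
    return user, problems

GOOD = sample_assertion({"email": "jane.doe@example.com", "last_name": "Doe", "first_name": "Jane"})
# Constructed failure case: the IdP names the e-mail claim with a URI instead of "email".
URI_NAMED = sample_assertion({
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "jane.doe@example.com",
    "last_name": "Doe", "first_name": "Jane"})
```

An empty problem list for a test login means the three mapped attributes arrive as expected; a non-empty list points to the claim name to correct on the IdP side or in the mapping.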

Changing a user's role

Once you have invited a user, you can give them a more powerful role than the default viewer role for the workspace they have been invited to and the default member role on the organizational level.

To change a role into a system admin role on the organizational level, navigate to the tab "Users & Invitations" on the organizational settings page. Find the user that you want to make an application administrator, click on the pen icon, and assign the admin role. 

If you want to change a user's specific role in a workspace, navigate to the workspace tab on the organizational settings page. Here, you will find all your workspaces. Find the respective workspace, click the pen icon, and you will land on the workspace-specific settings page.

Navigate to the Users tab, search for the respective user, and click the pen icon. Now, you can assign him/her another role.