Single sign-on

Snow Atlas provides Single Sign On (SSO) functionality using OpenID Connect (OIDC).

Description

To enable single sign-on, you must add a provider to Snow Atlas. You can only have one provider enabled at a time.

The configuration requirements for single sign-on in Snow Atlas depend on what provider you select. For information on using your selected provider with Snow Atlas, see the relevant information for that provider:

If you cannot select the provider that you want to use in Snow Atlas, contact Snow Software to discuss your requirements.

Multi Factor Authentication

Multi Factor Authentication (MFA) is configured directly in your provider. For more information, refer to the relevant documentation available from your selected provider.

User provisioning

Users who are added to a Snow Atlas tenant receive an invitation email which also contains the domain for the tenant.

If you enable User Provisioning on the SSO provider, when users sign in for the first time, they are prompted to enter the domain. On successful sign in, the user's account in Snow Atlas is provisioned with an email from the email claim on the SSO provider account.

Users are provisioned without roles assigned. For more information on how to assign roles to users, see Manage roles.

To limit which users in your organization can be provisioned when User provisioning is enabled, restrict access to the application registration in your selected SSO provider.

If User Provisioning is disabled on the SSO provider, when users sign in for the first time, they might not be prompted to enter the domain, but the email address that they enter must match the email that was used when the user was added to Snow Atlas. After the initial successful sign in, users are matched on the provider user ID instead of email.

Audit log

Sign-in and sign-out operations as well as modifications to your configured providers are recorded in the audit log for the relevant tenant. To view the audit log, select Snow Atlas settings and then select Audit log.

Disable single sign-on

If you revert to password based authentication from single sign-on, this may cause sign-in issues for users who are added after single sign-on is enabled.

When single sign-on is disabled, such users do not have credentials set in Snow Atlas that they can use instead. You must then send an invitation to each user provisioned under single sign-on, to invite them to set a password for their account. For more information on inviting users, see Manage users.

If you want to disable single sign-on and revert to password based authentication, we recommend that you contact Snow Software Support.

Erroneous single sign-on configuration

If your SSO configuration is incorrect, you may be locked out of your tenant on Snow Atlas. If you are locked out of your tenant, contact Snow Software Support. Snow Software never asks for your credentials. Do not give your password or secrets to anyone.

To reduce the risk of being locked out of your tenant on Snow Atlas, use the correct consent flow that corresponds to your provider permissions.