Configuring Single Sign On (SSO) is an essential step for an organization to secure their data on ActivityInfo.
Identity, Authentication, and Authorization
All users who are have access to ActivityInfo and an ActivityInfo database are identified by an email address. **Authentication ** is the process by which a user with an email address logs into ActivityInfo, that is to say, how a person proves to ActivityInfo that they who they claim to be.
In most cases, ActivityInfo will defer to a user’s organization for authentication. If a user with an “@unhcr.org” email address, for example, tries to log in, ActivityInfo sends the user to UNHCR’s Entra ID (formerly Active Directory) to log in with their UNHCR login and second factor known to UNHCR. If the user is successful, they are redirected back to ActivityInfo with a special code that ActivityInfo can validate with UNHCR.
If the user’s organization is not known to ActivityInfo, then the user will instead choose an ActivityInfo-specific password to authenticate with ActivityInfo.
Authorization is the process of determining whether a user can view certain data or perform a given operation. Unlike Authentication, authorization is generally configured in ActivityInfo in itself.
Why SSO is important
Authenticating users through their organization’s identity provider has a number of important advantages over ActivityInfo-specific passwords:
- Users are more likely to select weak passwords for extra applications, compared to their work account. (Even when complexity rules are applied)
- You can enforce two-factor authentication (2FA) or multi-factor authentication (MFA) where appropriate
- When employees leave the organization, they automatically lose access to ActivityInfo databases
- Your organization has more information about the account that enables better detection of account take over attacks. Microsoft Entra or Google Workspace can detect suspicious logins on the basis of a user's duty station, their activity on other applications, and other rules that your organization defines.
Email domain policies
In ActivityInfo, an email domain policy maps an email domain like “@unhcr.org” or “@example.gov” to the corresponding organization’s directory, such as Microsoft Entra ID (formerly Active Directory) or Google Workspace.
These policies require that a user with a specific email domain logs in via their organization’s identity provider. Users with a matching email address domain are not permitted to authentication with a password, or via another identity provider.
To secure your organization’s access to ActivityInfo, it is important to ensure that a domain policy is place for all of your organization’s domains. Contact support@activityinfo.org to begin the process.