Overview
Geoforce supports Single Sign-On (SSO) to provide secure and seamless access for your users.
With SSO, your organization can:
- Use your existing identity provider (IdP) for authentication
- Enforce your own security policies (e.g., MFA, password rules)
- Provide users with a streamlined login experience
Geoforce uses Okta internally and supports federation with your organization’s identity provider.
Supported Configurations
Identity Providers (IdP)
You can use any identity provider that supports:
- SAML 2.0
- OpenID Connect (OIDC)
Login Flows Supported
- ✅ SP-initiated (login from Geoforce)
- ✅ IdP-initiated (login from your identity portal)
Role Management
- Roles and permissions are managed within Geoforce
- IdP roles/groups are not used for authorization
How It Works
- User attempts to access Track & Trace
- User is redirected to your IdP
- User authenticates via your system
- Authentication response is sent to Geoforce (Okta)
- User is granted access to the application
Integration Options
Option A: SAML 2.0 (Recommended)
Best for most enterprise environments.
Key Features:
- Assertion-based authentication
- Supports both login flows
- Widely compatible with enterprise IdPs
Option B: OpenID Connect (OIDC)
Key Features:
- Token-based authentication
- OAuth 2.0 compatible
- Ideal for modern identity platforms
Required Information
For SAML Setup
- ACS URL (Assertion Consumer Service URL)
- Entity ID / Audience URI
- Metadata (URL or XML file)
- Relay State (if applicable)
For OIDC Setup
- Redirect URI(s)
- Client ID
- Client Secret
- Authorization Endpoint
- Token Endpoint
Required User Attributes
| Attribute | Description | Required |
|---|---|---|
| Unique user identifier | Yes | |
| firstName | User first name | Recommended |
| lastName | User last name | Recommended |
Important Notes:
- Email must match an existing Geoforce user account
- Attribute names can vary but must be mapped correctly
User Management
User Provisioning
- Users must exist in Geoforce before logging in
- Users can be:
- Created manually
- Provisioned via SCIM (optional)
Role Assignment
- Managed only within Geoforce
- Not controlled via IdP
Security Responsibilities
Your Organization (IdP)
- Enforce MFA
- Manage password policies
- Control user lifecycle (enable/disable users)
Geoforce
- Validates authentication tokens/assertions
- Manages application sessions
- Enforces role-based access
Setup Process
Step 1: Start Integration
Contact Geoforce Support and provide:
- Protocol (SAML or OIDC)
- Your IdP (Okta, Azure AD, Ping, etc.)
Step 2: Configure Your IdP
For SAML:
- Create a SAML application
- Enter ACS URL and Entity ID
- Configure attribute mappings
- Export metadata
For OIDC:
- Create an OIDC application
- Configure redirect URIs
- Capture client credentials
- Set scopes (openid, profile, email)
Step 3: Configure Geoforce
Provide:
- IdP metadata (SAML) or endpoints (OIDC)
- Certificates or signing keys
- Attribute mappings
Step 4: Test
Validate:
- SP-initiated login
- IdP-initiated login
- Correct user identity
- Proper role access
Step 5: Go Live
- Enable SSO
- Notify users
- Optionally disable password login
Troubleshooting
Common Issues
User cannot log in
- Confirm user exists in Geoforce
- Verify email matches exactly
Invalid token/assertion
- Check certificates and signatures
- Validate audience/issuer values
Redirect loop
- Verify ACS/redirect URIs
- Check cookie/session settings
User has no access
- Confirm role assignment in Geoforce
Best Practices
- Enforce MFA at your IdP
- Use least-privilege access
- Test with a small user group first
- Monitor login activity during rollout
- Keep a non-SSO “break-glass” admin account
Frequently Asked Questions
Can we use any IdP?
Yes, as long as it supports SAML 2.0 or OIDC.
Are roles managed via SSO?
No. Roles are managed within Geoforce.
Is automatic user provisioning supported?
Users must exist in Geoforce prior to login.
Can we use multiple IdPs?
Depends on your configuration—contact support.
Support
If you need help, contact Geoforce Support with:
- Tenant name
- IdP type
- Error screenshots/logs
Comments
0 comments
Article is closed for comments.