Single sign-on FAQ

Review the single sign-on (SSO) frequently asked questions to find out more information about implementing SSO in IBM® Envizi ESG Suite.

Question: Does Envizi ESG Suite support SAML 2.0?

Answer: Yes, this is the only method used by Envizi ESG Suite since 2023.

If you have SSO with Envizi ESG Suite that uses a method other than SAML 2.0, is still supported for your particular implementation.

Question: Does the Envizi ESG Suite support WebAuthN or OpenID?

Answer: No.

Question: Does SAML 2.0 SSO in Envizi ESG Suite support metadata exchange?

Answer: Yes.

Question: Do we need to set up users in Envizi ESG Suite if they are logging in by using SSO?

Answer: If just-in-time provisioning is not configured, users must be set up in Envizi ESG Suite with the same user name that they use to authenticate with their identity provider. The format of the user name must be based on email address convention. When SSO is enabled, those users by default will be set as SSO users. If just-in-time provisioning is configured, users will not need to be set up in Envizi ESG Suite by your system administrator.

Question: Are there multiple user access levels and roles in Envizi ESG Suite?

Answer: There are multiple user access levels and roles defined in Envizi ESG Suite. These are manually configured or by using implementation consultants with a setup template. For more information, see Setting up users.

Question: What happens if a user’s email address changes?

Answer: In most cases, the email address is used as the user name in SSO. When an email address is changed it will be treated as a new user.

Question: How do system administrators react in both timing and action to a user being terminated on the customer side?

Answer: If a user is terminated from your organization and therefore removed from your identity provider, they will not be able to log in to Envizi ESG Suite as they will not be authenticated through your identity provider.

If a user is not terminated from your organization but you no longer wish them to login to Envizi ESG Suite, your system administrator needs to either delete the user or disable the user from Envizi ESG Suite manually (for the latter option, you will need to check with IBM that your organization has been configured in Envizi ESG Suite to prevent disabled SSO users in Envizi ESG Suite from logging in). For more information , see Managing user logins.

Question: Does Envizi ESG Suite support regular user name and password logins after SSO is enabled?

Answer: Yes, after SSO is enabled for your organization your system administrator can manage whether a user is SSO or Non SSO.

Question: Does Envizi ESG Suite support just-in-time provisioning?

Answer: Just-in-time provisioning can be enabled as part of your SSO setup for limited types of users. The only user access levels and roles supported through just-in-time provisioning are organization level system administration, general and view only users.

Question: Does IBM provide an Envizi ESG Suite provisioning test or development environment?

Answer: No.

Question: Does Envizi ESG Suite support SCIM provisioning?

Answer: No, SCIM is not supported at this time. Only Just-in-time provisioning is supported.

Question: What certificates are required for the SAML authentication?

Answer: Identity providers must issue and include X509 certificate for signing. Encryption certificates are optional in the assertion.

Question: Is there support for users from more than one identity provider authenticating with SSO to a single organization in Envizi ESG Suite?

Answer: Yes, you set up a SSO entry for each identity provider. The SP metadata needs to be generated for each SSO setup and provided to each identity provider. An IDP metadata file would then need to be provided and uploaded for each SSO setup. Each SSO setup will also require the domain to be specified so that based on the domain of the user’s login, the login will be directed to authenticate with the appropriate identity provider.

Question: Do we need or get a custom URL as part of the SSO setup?

Answer: No. This was the case in the past. However, custom URLs are no longer offered or required as part of the Envizi ESG Suite SAML 2.0 SSO solution.

Question: What do I do if my IDP certificate is due to expire?

Answer: Provide new IDP metadata and update the SSO setup with it.

Question: How do I set up Okta IDP for SSO?

Answer: For more information, refer to Setting up Okta Single Sign On on ServiceNow instances.