CivilPro Authentication and SSO For Admins

Supported Authentication Methods

CivilPro supports the following methods of authentication:

• Civil Pro Identity – CivilPro’s own internal username/password
• Google Identity
• Microsoft Identity (azure AD)
• Microsoft Identity (office 365)

CivilPro uses Google Firebase as the broker for all authentication methods except CivilPro Identity. SSO is for authentication only, all authorization is managed by the CivilPro application internally.

NOTE: To use Microsoft Azure AD for single sign on, your system administrator must set the CivilPro application up as an authorized application in your AD account. Contact us for instructions

Controlling Authentication Methods

The authentication methods available to users can be controlled by subscription settings. By default, all authentication methods are enabled. In addition to controlling individual methods, it is possible to disable CivilPro authentication only for users with SSO, and it is also possible to disable CivilPro authentication for specific users in the Users settings.

To control authentication in the desktop access Subscription Operations => Settings => Cross Project Settings

• Allow CivilPro Identity – allow users to log on with a CivilPro registered username and password
• Microsoft Identity – allow users to log on with an Office 365 or Azure AD Identity
• Google Identity – allow users to log on with Google Identity
• Disable CivilPro Identity for users with SSO configured – when enabled, user accounts that have SSO registered against them cannot log on using CivilPro Identity. This is useful for reducing the exposure for accounts that may have low quality passwords.
• Prevent users modifying CP Identity Status – CivilPro supports a switch in the user register that disables the CivilPro identity on a per-user basis. This is useful (for example) where you may enforce SSO for your internal resources, but allow CivilPro Identity for external collaborators that have limited access to data.

How SSO is connected to CivilPro roles

SSO in civil pro uses Google’s Firebase as a broker for authentication. All authorization is managed by CivilPro. For this reason there will always be a CivilPro user account for every user, even if they use SSO.

There are three ways SSO can be configured for a user

1. Using the Invitiation process. If the user accepts the invitation using SSO, the account will be configured for SSO only
2. A subscription Administrator creates the account with a CivilPro Identity where the username matches the username expected from the SSO authentication (e.g. johnd@myco.com). When the user authenticates using their SSO identity, the automatching feature will associate the SSO identity with the user providing the pre-requisites are satisfied.
3. A subscription administrator creates the account with a CivilPro Identity. The user logs on with the CP Id and users the User Detail => Profile page to add SSO to their own account. SSO can also be removed this way unless prevented by subscription settings.

SSO Identity Automatching

When a user logs in with SSO, the following process occurs:

1. The SSO provider’s login is launched
2. Upon successful authentication, the unique ID is returned to CivilPro
3. CivilPro attempts to match the Firebase ID against the Firebase IDs already connected to CivilPro user accounts. If successful, the user is authorised and logged in
4. If step 3 was unsuccessful, CivilPro retrieves the email address from the SSO Identity. If this can be uniquely matched to a single user, then the Firebase Id is saved against the user and the user is authorised and logged in.
5. If step 4 was unsuccessful, it is repeated using the email field for the user instead of the username field.