Configuring Single Sign-On (SSO)

Diligent is updating the way Single Sign-On (SSO) works with the Diligent One Platform. These updates, summarized below, are scheduled to take place on January 06, 2025.

Important

Familiarize yourself with the upcoming SSO updates and make any necessary preparations in your organization.

Both the new and the legacy SSO Help topics are available below. See SSO Help topics.

Updates to Single Sign-On

  • New sign-in experience. The Diligent One Platform now uses OpenID Connect (OIDC), a widely adopted authentication standard. As part of this update, the sign-in page address changes to oidc.highbond.com (live the week of January 06, 2025), replacing accounts.highbond.com.

  • Multi SSO configuration. Customers can now configure more than one Single Sign-On provider within one organization.

  • Switching between SSO and non-SSO organizations. If you switch between an SSO-enabled and a non-SSO organization, you are prompted to enter your Diligent One credentials. If you don't have them, set up a password by selecting the Forgot password? link. If you would like to authenticate using SSO for all your organizations, ask your System Admins to configure SSO for the non-SSO organizations. For more information, see SSO Help topics.

  • System administrator's sign-in experience for SSO orgs. System Admins can now sign in to SSO organizations using their Diligent One Platform email and password, so that they can repair an SSO configuration when users can no longer authenticate into their organization. System Admins can also select certain users within the org to bypass SSO. Accounts that bypass SSO are not protected by your identity provider's controls, so keep that list short and enable 2FA for the organization (see If you want to use SSO and 2FA together).

  • Diligent One Platform no longer supports just-in-time (JIT) provisioning. To align with security best practices, we no longer support just-in-time provisioning. Coordinate with your system administrator to enable external user provisioning (for example, SCIM) if you want to automate your organization's user provisioning process.

  • Use a public certificate instead of a security fingerprint. When you configure a new SSO provider or update a current one, you must enter your identity provider's public (SAML signing) certificate instead of its fingerprint. If your current SSO is configured with a fingerprint, the fingerprint field becomes non-editable after the January 06, 2025 release.

    When you configure or update SSO, enter the public certificate (including the BEGIN CERTIFICATE and END CERTIFICATE lines), which has the following format:

    -----BEGIN CERTIFICATE-----
    <certificate content here>
    -----END CERTIFICATE-----
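    Before pasting a certificate into the form, it is worth checking that it is what the form expects: one certificate, in PEM framing, and not the identity provider's private key or a whole chain. The following added example (Python, standard library only; it is not Diligent's code) does that check and computes the SHA-1 and SHA-256 fingerprints of the decoded certificate, which is the value the legacy Security Certificate Fingerprint field held, so an administrator migrating from a fingerprint can confirm the pasted certificate is the same one. The sample PEM body is a constructed placeholder (48 bytes beginning with the ASN.1 SEQUENCE tag), not a real certificate; the only structural check made is that tag, so a full X.509 check (expiry, match against the identity provider's metadata) still needs an X.509 library.

    ```python
    """Pre-flight check for the public certificate pasted into the SSO form.

    Added example, not Diligent's code. Standard library only: checks the PEM
    framing the form expects, rejects private keys and chains, and returns
    the SHA-1/SHA-256 fingerprints of the DER certificate so they can be
    compared with the value the legacy fingerprint field held.
    """
    import base64
    import binascii
    import hashlib

    PEM_HEADER = "-----BEGIN CERTIFICATE-----"
    PEM_FOOTER = "-----END CERTIFICATE-----"


    def pem_to_der(pem_text):
        """Return the DER bytes of exactly one PEM certificate, else raise ValueError."""
        lines = [ln.strip() for ln in pem_text.strip().splitlines() if ln.strip()]
        if any("PRIVATE KEY" in ln for ln in lines):
            raise ValueError("this is a private key, not a certificate; never paste it")
        if not lines or lines[0] != PEM_HEADER or lines[-1] != PEM_FOOTER:
            raise ValueError("must start with BEGIN CERTIFICATE and end with END CERTIFICATE")
        if sum(ln == PEM_HEADER for ln in lines) != 1:
            raise ValueError("paste one certificate only, not a chain")
        body = "".join(lines[1:-1])
        try:
            der = base64.b64decode(body, validate=True)
        except binascii.Error as exc:
            raise ValueError(f"certificate body is not valid base64: {exc}") from None
        # A DER-encoded certificate is an ASN.1 SEQUENCE, whose tag byte is 0x30.
        # This is only a sanity check, not a full X.509 parse.
        if not der or der[0] != 0x30:
            raise ValueError("decoded bytes are not an ASN.1 SEQUENCE (not a certificate)")
        return der


    def fingerprints(der):
        """Colon-separated uppercase hex, the format most IdP consoles display."""
        def fmt(digest):
            return ":".join(f"{b:02X}" for b in digest)
        return {"sha1": fmt(hashlib.sha1(der).digest()),
                "sha256": fmt(hashlib.sha256(der).digest())}


    # Constructed placeholder: 48 bytes that start with a SEQUENCE tag and a
    # correct length byte, NOT a real certificate. Replace SAMPLE_PEM with the
    # certificate exported from your identity provider.
    SAMPLE_DER = b"\x30\x2e" + bytes(range(46))
    SAMPLE_PEM = "\n".join([PEM_HEADER, base64.b64encode(SAMPLE_DER).decode(), PEM_FOOTER])

    if __name__ == "__main__":
        print(fingerprints(pem_to_der(SAMPLE_PEM)))
    ```

    Run it on the PEM exported from your identity provider; if the SHA-1 or SHA-256 value it prints differs from the fingerprint you had configured before, you have exported a different certificate (for example a TLS certificate rather than the SAML signing certificate).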

SSO Help topics

Both the new and the legacy SSO Help topics are available below. Select the tab for the Help topic you want:

  • New SSO (2025)

  • Legacy SSO

SSO is an authentication process that allows users to access multiple applications after only signing in once. Diligent One supports SSO integration for any identity provider that adheres to the OASIS SAML 2.0 protocol.

You can set up more than one SSO provider for an organization.

Permissions

Requirements

Setting up SSO identity providers

Launchpad service provider URLs

How to log in when SSO is enabled

How to log out when SSO is enabled

What happens when you add someone to an SSO-enabled organization of Diligent One

Disabling SSO

SSO and SAML

Offboarding users who leave

Permissions

Only System Admins can configure SSO settings for their company.

Requirements

  • Your identity provider must adhere to the OASIS SAML 2.0 protocol.
  • All users of an SSO-enabled instance of Diligent One must authenticate through an identity provider.

If your users access multiple organizations

Users who authenticate through an identity provider can do so for multiple Diligent One organizations if all of these organizations belong to the same company.

To check this, look at "Customer name" in the organization settings for each organization. It must be the same in all organizations that SSO users need to access. For more information, see Updating organization settings. Alternatively, you can use the instance switcher to verify that the organizations in question are indented below the same company name. For more information, see Switching between Diligent One organizations.

If you need to change which company your instance belongs to, contact Support.

Authentication is not region-specific. Users can access Diligent One instances in multiple regions.

If your users access training organizations

Users who authenticate through an identity provider can create training organizations, which are automatically linked to the same company.

Additional users can be added to these organizations as long as they do not already belong to a different training organization with the same email. These users must set up a password to access the Diligent One training organizations by selecting the Forgot password? link on the sign in page.

If your users work for multiple companies

Users working for multiple companies can use SSO. When logging in, they are prompted to authenticate with the SSO configured for the specific company they are accessing.

If you want to use SSO and 2FA together

You can exempt users from SSO authentication, allowing them to log in using the standard process with 2FA. For more information, see Adding users to allow list to bypass SSO.

Setting up SSO identity providers

  1. Open Launchpad.
  2. From the left navigation, select Platform Settings.
  3. From Platform Settings, under Organization, select Security settings.
  4. On the Security settings page, in the Single sign-on (SSO) options section, select Set up provider.
  5. On the Single sign-on set up panel, enter the details as described in the following table:

    Field and description

    Customer domain

    The unique name that identifies your instance, and enables users in your company to sign in to Diligent One. The custom domain is your instance's subdomain appended with a region code.

    Note

    You can change your instance's subdomain on the Update Organization page. For more information, see Updating organization settings.

    Name

    A display name for the identity provider.

    Entity ID

    The unique identifier (usually a URL) of your identity provider, as published in its SAML metadata. It must match the Issuer value in the SAML responses your identity provider sends to Diligent One.

    Metadata URL

    The URL that Launchpad can access to obtain SSO configuration data from your identity provider. This is a URL specific to your identity provider.

    Redirect login URL

    The URL of your identity provider to which users in your company are redirected to sign in to Diligent One.

    Logout URL

    The URL to which Diligent One redirects users in your company after they sign out of Diligent One.

    Public certificate

    Your identity provider's public X.509 signing certificate in PEM format, including the BEGIN CERTIFICATE and END CERTIFICATE lines. Diligent One uses it to verify the signature on the SAML responses your identity provider sends; it is not a certificate for the user or the device. Copy it from your identity provider's SAML metadata or console.

  6. Select Enable.

    The Single sign-on (SSO) options section displays the identity provider that you added.

Adding users to allow list to bypass SSO

When you add multiple authentication options, you can exempt users from using SSO authentication. Typically, this exemption applies to users who are not members of any identity providers. These exempted users can continue to sign in with their username and password.

Note
  • All System Admins automatically receive SSO bypass permissions.

  • If two-factor authentication (2FA) is enabled for your organization, it applies to all users, including those with permission to bypass Single Sign-On (SSO). Therefore, it’s important to review user access to ensure no one is unintentionally locked out of the platform.

  1. On the Single sign-on (SSO) options section of Security settings, select +Add users next to the Users with permission to bypass SSO section.
  2. In the Users with permission to bypass SSO panel that appears, select the users you want to exempt from SSO authentication. You can use the Search field to find users.
  3. Select Add users.

    The users you added appear in the Users with permission to bypass SSO section.

Removing users from allow list to bypass SSO

To remove users added to the allow list to bypass SSO, in the Users with permission to bypass SSO section, select the remove icon that appears next to the user that you want to remove.

Note

System Admins can't be removed from the allow list. All System Admins automatically receive bypass permissions.

Disabling SSO identity providers

  1. On the Security settings page, in the Single sign-on (SSO) options section, select Open details for the identity provider you want to disable.
  2. In the Single sign-on set up panel, from the dropdown menu of the Status field, select Disabled.
  3. Select Save changes.
  4. In the Confirm disabling SSO provider dialog box that appears, select Confirm.

    The SSO identity provider is marked as Disabled in the Single sign-on (SSO) options section.

Note

After disabling an SSO provider, users in your organization can no longer sign in with the provider. However, the provider's information remains saved.

Enabling a disabled SSO identity provider

  1. On the Security settings page, in the Single sign-on (SSO) options section, select Open details for the identity provider you want to enable.
  2. In the Single sign-on set up panel, from the dropdown menu of the Status field, select Enabled.
  3. Select Save changes.
  4. The SSO identity provider is marked as Enabled in the Single sign-on (SSO) options section.

Removing SSO identity providers

  1. On the Security settings page, in the Single sign-on (SSO) options section, select Open details for the identity provider you want to remove.
  2. In the Single sign-on set up panel, select Remove.
  3. In the Confirm removing SSO provider dialog box that appears, select Confirm.

Note

After you remove an SSO provider, users in your organization can no longer sign in with it, and the provider's information is deleted.

Launchpad service provider URLs

When configuring your SSO identity provider, you may require the following service provider URLs for Launchpad:

  • Service provider entity ID https://accounts.highbond.com/saml/metadata/your_custom_domain
  • Service provider assertion consumer URL https://accounts.highbond.com/saml/sso/consume/your_custom_domain

How to log in when SSO is enabled

There are two ways users can log in when SSO is enabled.

What happens when SSO is enabled?

When SSO is enabled, you can sign in by going to www.highbond.com, clicking Continue with SSO, and providing your custom domain.

Alternatively, you can access Diligent One using the Diligent One app link from your identity provider landing page. 

You are redirected to Diligent One via your identity provider when you access any Diligent One apps (including clicking on a link in an email sent from Diligent One).

Note
  • When SSO is enabled, you can't sign in with your email and password or change your password, unless you are a System Admin or a user on the list of users who can bypass SSO.

  • You can't change email addresses if SSO is enabled in your organization. However, if your organization has enabled both SSO and SCIM, email addresses can be changed.

  • For an organization where only SSO is enabled, updated email addresses are treated as new accounts, preventing users from accessing information associated with their previous credentials. Therefore, for such organizations, if email addresses need to be changed, the System Admin must first disable SSO in Diligent One, update the email addresses, and then re-enable SSO.

  • For an organization where SCIM is enabled, email address changes from your identity provider are automatically reflected in Diligent One Platform.

Do I need to enter my custom domain each time I sign in?

  • If you sign in through your identity provider, you do not have to provide a custom domain each time.
  • If you sign in through Diligent One, you can access the following URL to avoid entering a custom domain each time: https://accounts.highbond.com/saml/sso?custom_domain=your-custom-domain

Signing into multiple organizations of Diligent One

If you have access to multiple organizations of Diligent One, you are brought to the organization you used most recently. If you belong to both SSO-enabled and non-SSO organizations, you must set up a password to log in to the non-SSO organization. To do so, select the Forgot password? link.

If you have access to multiple organizations of Diligent One, you can easily switch between them. For more information, see Switching between Diligent One organizations.

When switching between organizations, you will be prompted for the authentication credentials of the organization you are switching into if you have not already authenticated with that organization.

How to log out when SSO is enabled

Diligent One supports SLO (Single Log-Out) using the identity provider initiated workflow. The SLO URL is:

https://accounts.highbond.com/saml/slo/your-custom-domain

How session expiry works

If you sign out of Diligent One, or your Diligent One session expires, while your identity provider session is still active, your next request to Diligent One signs you in again automatically. To end access, you must also sign out of your identity provider.

For example, if your organization's session expiry is three hours and your identity provider's session expiry is three days, you can get back into Diligent One without re-authenticating for three days.

For security purposes, your company should ensure that your identity provider's session expiry is shorter than your instance's session expiry, and use the identity provider initiated single log-out so that signing out of the identity provider also signs users out of Diligent One.

Note

You can change your organization's session expiry on the Update Organization page. For more information, see Updating organization settings.

What happens when you add someone to an SSO-enabled organization of Diligent One

Diligent One supports SCIM external provisioning. If your identity provider has SCIM as an option, you can provision users into the platform automatically. However, if your identity provider does not have SCIM, you must add your SSO users manually into the Diligent One organization for them to access the platform.

Subscriptions and access to Diligent One apps

The user will have no subscriptions assigned, nor access to any Diligent One apps. System Admins must assign users a role and subscription in Launchpad to ensure users have appropriate access in the instance.

Disabling SSO

If your company enables SSO, and later decides to disable it:

  • Users who did not set up a password before SSO was enabled must click Reset password on the sign in page to obtain a password. 
  • Users who set up a password before SSO was enabled can sign in with their user name and password.

SSO and SAML

Diligent One supports SSO integration for any identity provider that adheres to the OASIS SAML 2.0 protocol.

What is OASIS SAML 2.0?

SSO enables users to sign in using OASIS Security Assertion Markup Language 2.0 (SAML 2.0), a format for communicating and authenticating identities between two web applications.

OASIS SAML 2.0 involves:

  • a user requesting service
  • a service provider or application providing service (Diligent One)
  • an identity provider or repository that manages user information

For instances with SSO enabled, users are authenticated when they sign in to Diligent One using a supported SAML identity provider. If the user is not enabled in their company's SAML identity provider, the user is denied access. 

Supported workflows

Once SSO settings have been configured, the following workflows are supported: 

  • Identity provider initiated - accessing Diligent One from the identity provider landing page.
  • Service provider initiated - accessing Diligent One from the Diligent One home page.

Identity provider initiated authentication process

Service provider initiated authentication process
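The fields entered in Setting up SSO identity providers and the Launchpad service provider URLs are exactly the values a SAML service provider checks a response against, and the two supported workflows differ in one check: an identity provider initiated response is unsolicited, while a service provider initiated response must carry an InResponseTo that matches an AuthnRequest the service provider actually sent. The following added example (Python, standard library only; it is not Diligent's code and does not describe how the platform is implemented) runs those checks over a constructed, unsigned sample response. The configuration values (idp.example.com, the custom domain example-domain) are placeholders. Signature verification against the identity provider's public certificate is the first thing a real service provider does and is deliberately left to an XML-DSig library here.

```python
"""Binding checks a SAML 2.0 service provider makes on a Response.

Added example, not Diligent's code. Stdlib only; run against a constructed,
unsigned sample. Signature verification with the IdP certificate is out of
scope here and must happen BEFORE any of these checks in production.
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Hypothetical values for the fields on the page; "example-domain" stands in
# for a real custom domain.
SP_CONFIG = {
    "idp_entity_id": "https://idp.example.com/saml/metadata",  # Entity ID field
    "sp_entity_id": "https://accounts.highbond.com/saml/metadata/example-domain",
    "acs_url": "https://accounts.highbond.com/saml/sso/consume/example-domain",
}


class SamlRejected(Exception):
    """Raised on any failed check; the SP must not create a session."""


def _ts(value):
    # SAML dateTime values are UTC with a trailing Z.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_response(xml_text, config, now, pending_request_ids=frozenset()):
    """Return (workflow, name_id) if every check passes, else raise SamlRejected.

    pending_request_ids holds AuthnRequest IDs this SP issued and has not yet
    consumed; pass an empty set to accept only the IdP-initiated workflow.
    """
    # Production: use a hardened parser (e.g. defusedxml) and verify XML-DSig first.
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise SamlRejected("not a samlp:Response")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise SamlRejected("status is not Success")
    # Destination: the response must be addressed to our own ACS URL.
    if root.get("Destination") != config["acs_url"]:
        raise SamlRejected("Destination does not match the assertion consumer URL")
    # Issuer: must be the Entity ID configured for this provider.
    if root.findtext("saml:Issuer", default="", namespaces=NS) != config["idp_entity_id"]:
        raise SamlRejected("Issuer does not match the configured Entity ID")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise SamlRejected("expected exactly one Assertion")
    assertion = assertions[0]
    # Conditions: validity window and audience (our SP entity ID).
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        raise SamlRejected("missing Conditions")
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if (nb and now < _ts(nb)) or (noa and now >= _ts(noa)):
        raise SamlRejected("assertion is outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if config["sp_entity_id"] not in audiences:
        raise SamlRejected("AudienceRestriction does not name this service provider")
    # Subject confirmation: bearer data must target our ACS URL and be unexpired.
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != config["acs_url"]:
        raise SamlRejected("Recipient does not match the assertion consumer URL")
    if scd.get("NotOnOrAfter") and now >= _ts(scd.get("NotOnOrAfter")):
        raise SamlRejected("subject confirmation has expired")
    # Workflow: unsolicited (IdP-initiated) or answering one of our requests.
    in_response_to = root.get("InResponseTo") or scd.get("InResponseTo")
    if in_response_to is None:
        workflow = "idp-initiated"
    elif in_response_to in pending_request_ids:
        workflow = "sp-initiated"
    else:
        raise SamlRejected("InResponseTo does not match a pending AuthnRequest")
    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    if not name_id:
        raise SamlRejected("missing NameID")
    return workflow, name_id


def sample_response(in_response_to=None, audience=SP_CONFIG["sp_entity_id"]):
    """Constructed, unsigned sample response (not a real IdP message)."""
    irt = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_r1"
  Version="2.0" IssueInstant="2025-01-06T10:00:00Z" Destination="{SP_CONFIG['acs_url']}"{irt}>
  <saml:Issuer>{SP_CONFIG['idp_entity_id']}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2025-01-06T10:00:00Z">
    <saml:Issuer>{SP_CONFIG['idp_entity_id']}</saml:Issuer>
    <saml:Subject>
      <saml:NameID>user@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{SP_CONFIG['acs_url']}"
          NotOnOrAfter="2025-01-06T10:05:00Z"{irt}/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2025-01-06T09:59:00Z" NotOnOrAfter="2025-01-06T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


NOW = datetime(2025, 1, 6, 10, 1, tzinfo=timezone.utc)  # inside the sample's window

if __name__ == "__main__":
    print(validate_response(sample_response(), SP_CONFIG, NOW))
    print(validate_response(sample_response("_req42"), SP_CONFIG, NOW, {"_req42"}))
```

The mapping to the form is direct: Entity ID is what the Issuer check compares against, the service provider entity ID is what must appear in the AudienceRestriction, and the assertion consumer URL is what Destination and Recipient must equal. A response that fails any of these checks is rejected even if its signature is valid, which is why a wrong Entity ID or an old custom domain in the identity provider's configuration produces a sign-in failure rather than a silent success.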

Offboarding users who leave

When users leave your company, your offboarding process removes them from your identity provider. The impact on users varies depending on the organizations they were associated with and the specific configurations of those organizations.

  • If users were part of only your SSO-enabled organizations, removing them from your identity provider means they can no longer access those organizations on Diligent One.
  • If users belonged to both your SSO-enabled organizations and non-SSO organizations:
    • Removing them from your identity provider blocks access to the SSO-enabled organizations only. A System Admin must also remove them from the non-SSO organizations in Diligent One.
    • If you manually remove users from the SSO-enabled organizations, they can still access the non-SSO organizations after they reset their password.

SSO is an authentication process that allows users to access multiple applications after only signing in once. Diligent One supports SSO integration for any identity provider that adheres to the OASIS SAML 2.0 protocol.

Note

Diligent One provides limited support for SSO as other authentication scenarios present a potential security risk to companies.

Permissions

Requirements

How to enable SSO

Launchpad service provider URLs

How to log in when SSO is enabled

How to log out when SSO is enabled

What happens when you add someone to an SSO instance of Diligent One

Disabling SSO

SSO and SAML

Offboarding users who leave

Permissions

Only System Admins can configure SSO settings for their company.

Requirements

  • Your identity provider must adhere to the OASIS SAML 2.0 protocol.
  • All users of an SSO-enabled instance of Diligent One must authenticate through an identity provider.

If your users access multiple instances

Users who authenticate through an identity provider can do so for multiple Diligent One instances if all of these instances belong to the same company.

To check this, look at "Customer name" in the organization settings for each instance. It must be the same in all instances that SSO users need to access. For more information, see Updating organization settings. Alternatively, you can use the instance switcher to verify that the instances in question are indented below the same company name. For more information, see Switching between Diligent One organizations.

If you need to change which company your instance belongs to, contact Support.

Authentication is not region-specific. Users can access Diligent One instances in multiple regions.

If your users access training instances

Users who authenticate through an identity provider can create training instances, which are automatically linked to the same company.

Additional users can be added to this training instance as long as those users do not already belong to a different training instance with the same email.

If your users work for multiple companies

Users who work for multiple companies (for example, consultants) cannot use SSO.

If a Diligent One user at your company already uses an SSO-enabled instance that belongs to another company, you cannot enable SSO. To enable SSO, you must either remove that user from Diligent One at your company, or ask them to have themselves removed from the other company's Diligent One.

You cannot use SSO and 2FA together

You cannot use two-factor authentication with single sign-on. If you need both SSO and 2FA, use your SSO identity provider's own 2FA capability. If SSO is enabled, Diligent One does not permit you to turn on 2FA. Likewise, if any member of your instance uses 2FA, Diligent One does not permit you to turn on SSO.

How to enable SSO

To enable SSO for Diligent One you need to perform a few tasks:

  1. Configure SSO settings in your identity provider.
  2. Enable SSO in Launchpad.
    1. Open Launchpad.
    2. Click Platform Settings > Organization.
    3. Click Manage SSO settings.
    4. Fill out the SSO fields, which are detailed below, and check Enable Single Sign On (SSO).
    5. Click Save Changes.
  3. Add users to an SSO enabled instance.

    To link Diligent One with your identity provider, you must specify the first name, last name, and email address for all users. For more information, see Methods for adding users.

Note

For detailed configuration information, search for SSO articles in Support.

SSO fields

Field and definition

Custom Domain

The unique name that identifies your instance, and enables users in your company to sign in to Diligent One. The custom domain is your instance's subdomain appended with a region code.

Note

You can change your instance's subdomain on the Update Organization page. For more information, see Updating organization settings.

Entity ID

The unique identifier (usually a URL) of your identity provider, as published in its SAML metadata. It must match the Issuer value in the SAML responses your identity provider sends to Diligent One.

Metadata URL

The URL that Launchpad can access to obtain SSO configuration data from your identity provider. This is a URL specific to your identity provider.

Redirect Login URL

The URL of your identity provider to which users in your company are redirected to sign in to Diligent One.

Logout URL

The URL to which Diligent One redirects users in your company after they sign out of Diligent One.

Security Certificate Fingerprint

The SHA-1 or SHA-256 fingerprint of the SAML signing certificate, which you can obtain from your identity provider.

Note

When Diligent One is the service provider, the identity provider must sign the SAML response, and you must configure the Security Certificate Fingerprint in Launchpad so that Diligent One can verify that signature against the identity provider's certificate.

Enable Single Sign On (SSO)

Enables SSO for this instance.

Launchpad service provider URLs

When configuring your SSO identity provider, you may require the following service provider URLs for Launchpad:

  • Service provider entity ID https://accounts.highbond.com/saml/metadata/your_custom_domain
  • Service provider assertion consumer URL https://accounts.highbond.com/saml/sso/consume/your_custom_domain

How to log in when SSO is enabled

There are two ways users can log in when SSO is enabled.

What happens when SSO is enabled?

When SSO is enabled, you can sign in by going to www.highbond.com, clicking Sign in to a custom domain, and providing your custom domain.

Alternatively, you can access Diligent One using the Diligent One app link from your identity provider landing page. 

You are redirected to Diligent One via your identity provider when you access any Diligent One apps (including clicking on a link in an email sent from Diligent One).

Note

Once SSO is enabled, you cannot sign in with your email and password or change your password.

Email addresses cannot be changed when SSO is enabled. However, if email addresses require changes, the System Admin needs to disable SSO in Diligent One, make the required changes to the email addresses, and re-enable SSO. Otherwise, changed emails are identified as new accounts, and users will not be able to access information from their previous credential.

Do I need to enter my custom domain each time I sign in?

  • If you sign in through your identity provider, you do not have to provide a custom domain each time.
  • If you sign in through Diligent One, you can access the following URL to avoid entering a custom domain each time: https://accounts.highbond.com/saml/sso?custom_domain=your-custom-domain

Signing into multiple instances of Diligent One

If you have access to multiple instances of Diligent One, you are brought to the instance you used most recently. You can switch instances normally. For more information, see Switching between Diligent One organizations.

How to log out when SSO is enabled

Diligent One supports SLO (Single Log-Out) using the identity provider initiated workflow. The SLO URL is:

https://accounts.highbond.com/saml/slo/your-custom-domain

How session expiry works

If you sign out of Diligent One, or your Diligent One session expires, while your identity provider session is still active, your next request to Diligent One signs you in again automatically. To end access, you must also sign out of your identity provider.

For example, if your instance's session expiry is three hours and your identity provider's session expiry is three days, you can get back into Diligent One without re-authenticating for three days.

For security purposes, your company should ensure that your identity provider's session expiry is shorter than your instance's session expiry, and use the identity provider initiated single log-out so that signing out of the identity provider also signs users out of Diligent One.

Note

You can change your instance's session expiry on the Update Organization page. For more information, see Updating organization settings.

What happens when you add someone to an SSO instance of Diligent One

Diligent One supports JIT (Just-in-Time) provisioning for SAML. When a user logs in for the first time, a corresponding user account with the same email is created in Diligent One.

Matching email addresses and domain accounts

Diligent One matches the user signed in at the identity provider to a Diligent One account by email address, so the email address the identity provider sends for the user's directory (domain) account must be the same as the user's Diligent One email address. If the two differ, set up an alias for the user in your directory service so that they match.

Subscriptions and access to Diligent One apps

The user will have no subscriptions assigned, nor access to any Diligent One apps. System Admins must assign users a role and subscription in Launchpad to ensure users have appropriate access in the instance.

Disabling SSO

If your company enables SSO, and later decides to disable it:

  • Users who did not set up a password before SSO was enabled must click Reset password on the sign in page to obtain a password. 
  • Users who set up a password before SSO was enabled can sign in with their user name and password.

SSO and SAML

Diligent One supports SSO integration for any identity provider that adheres to the OASIS SAML 2.0 protocol.

What is OASIS SAML 2.0?

SSO enables users to sign in using OASIS Security Assertion Markup Language 2.0 (SAML 2.0), a format for communicating and authenticating identities between two web applications.

OASIS SAML 2.0 involves:

  • a user requesting service
  • a service provider or application providing service (Diligent One)
  • an identity provider or repository that manages user information

For instances with SSO enabled, users are authenticated when they sign in to Diligent One using a supported SAML identity provider. If the user is not enabled in their company's SAML identity provider, the user is denied access. 

Supported workflows

Once SSO settings have been configured, the following workflows are supported: 

  • Identity provider initiated - accessing Diligent One from the identity provider landing page.
  • Service provider initiated - accessing Diligent One from the Diligent One home page.

Identity provider initiated authentication process

Service provider initiated authentication process

Offboarding users who leave

If a user leaves your company, your offboarding process will likely remove them from your identity provider. How exactly this affects users depends on which instances they had access to and how those instances were configured.

  • If the user was only part of your SSO-enabled instance(s), they can no longer access those instances on Diligent One.
  • If the user was part of your SSO-enabled instance(s), plus other non-SSO instances:
    • If you remove the user from your identity provider, they will not be able to access any instances of Diligent One. If they try to access a non-SSO instance, they will see the error message, “Your organization has enabled Single Sign-on, please sign in to your organization’s custom domain.”
    • If you manually remove the user from the SSO-enabled instance(s), they can still access non-SSO instances once they reset their password.