Single Sign On Frequently Asked Questions
Updated by Fiona Cormack
Will our read-only users be impacted when enabling SSO?
No, your read-only URL link is linked to an Anonymous User profile. An Anonymous User is not an authenticated user. It is simply a link to search and download documents in Prompt. The link is typically 'pinned' on the organisation's intranet for staff to access Prompt within your network. Therefore, this user profile and link are not impacted by enabling SSO.
Does this mean we need to add all staff to a group in Azure in order to provide access to Prompt?
No, when first enabling SSO, your Azure Administrator will only be required to add existing Prompt users. Refer to the question below "How can I find out how many users are impacted by this change?" to find out how many existing users need to be added to the group within Azure.
Can we test SSO in a testing environment?
No, testing can easily be completed in Production (app.prompt.org.au). Complete the steps outlined in the Configuration and Provisioning articles, then add only test users to the group to validate that the feature is working.
When enabling SSO, will Azure retrospectively disable Prompt users that are no longer active in Azure?
No, users must be cleaned up in Prompt first before enabling the feature to ensure those who are no longer active in Azure are not active in Prompt.
How can I find out how many users are impacted by this change?
Navigate to Reports > Under Statistics > Select User Role.
To generate the report:
1. Ensure all Departments are selected on the left-hand pane.
2. Select Active and Pending Status.
3. Select all user roles EXCEPT for Anonymous User (your read-only user URL).
4. Select "Email Results To Current User" as this will email a CSV file to the person requesting the report.
5. Select Generate Report.
6. Use the CSV file to assist with user clean up before enabling SSO.
If Active users are no longer active in Azure, you may be required to remove permissions prior to disabling the user in Prompt.
Does this mean Admins and Prompt Admins no longer have to manage user profiles in Prompt?
No, Admins and Prompt Admins must continue to provide access rights (what the user gets to see in Prompt), and permissions (what the user gets to do in Prompt). Read more here.
If we enable Automatic User Provisioning, therefore allowing any active Azure account to create a Prompt user profile, does this mean they can now search other organisations' documents?
No, Automatic User Provisioning strictly provides the user with access to the system, creating a secure authentication process which will be managed by your Azure Administrator. If the user were to do this, then the below is all they can see in Prompt.
If the user would like to do more than what is seen in the below picture, then they will be required to contact their Prompt Administrator, found on the Help Tab, to request additional access or permissions.
Does the email address in Prompt need to be the same in Azure AD/must it match their UPN in Entra?
Yes, the user's email address in Prompt must match their UPN in Entra for that user profile to sync. If it does not, then the user profile must be manually updated in Prompt to the correct UPN ID.
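The clean-up report and the UPN matching rule described above can be checked together before SSO is enabled. The following Python script is an added example, not part of the original article or of Prompt itself: it reconciles the Prompt user report against an export of Entra users and sorts each Prompt user into the action they need. The CSV column names, the sample rows and the case-insensitive comparison are assumptions made for illustration.

```python
import csv
import io

# Constructed sample of the Prompt "User Role" report; column names are assumed.
PROMPT_CSV = """Email,Role,Status
alice@example.org,Admin,Active
Bob.Smith@Example.org,Author,Active
carol@example.org,Reviewer,Pending
dave@old-domain.example,Author,Active
erin@example.org,Author,Active
"""

# Constructed sample of an Entra user export; column names are assumed.
ENTRA_CSV = """userPrincipalName,accountEnabled
alice@example.org,True
bob.smith@example.org,True
carol@example.org,False
erin@example.org ,True
frank@example.org,True
"""

def norm(value):
    """Assumption: addresses compare case-insensitively; also trim stray spaces."""
    return value.strip().lower()

def reconcile(prompt_csv, entra_csv):
    """Sort Prompt users into the buckets that matter before enabling SSO."""
    entra = {norm(r["userPrincipalName"]): norm(r["accountEnabled"]) == "true"
             for r in csv.DictReader(io.StringIO(entra_csv))}
    result = {"add_to_group": [], "disabled_in_entra": [], "no_matching_upn": []}
    for row in csv.DictReader(io.StringIO(prompt_csv)):
        email = norm(row["Email"])
        if email not in entra:
            # Fix the email in Prompt to the correct UPN, or disable the user.
            result["no_matching_upn"].append(email)
        elif not entra[email]:
            # No longer active in Azure: clean up in Prompt before enabling SSO.
            result["disabled_in_entra"].append(email)
        else:
            # Existing Prompt user the Azure Administrator adds to the group.
            result["add_to_group"].append(email)
    return result

if __name__ == "__main__":
    for bucket, users in reconcile(PROMPT_CSV, ENTRA_CSV).items():
        print(f"{bucket}: {', '.join(users) or '-'}")
```

Users present only in the Entra export (frank@example.org in the sample) are ignored, since only existing Prompt users need to be added to the group.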
Before enabling SSO I was logging in to Prompt with credentials that included email address, password and 2FA. If I now log in with SSO then does this mean I have two user profiles?
No, you can continue to log in with email address, password and 2FA. No matter which option you choose in the below image, both flow through to the same user profile that is linked to your unique Azure Entra ID.
Therefore, one unique user can be authenticated via two channels, but is ultimately controlled and managed by your organisation's Azure Administrator.