Providing lots of manual controls and settings can be great for admins of teams who want to customize their workflows. As a company creeps over 100 employees, however, manually setting up accounts for each new user on every single service can become tedious and inefficient.
IT Admins can’t keep track of every tool and maintain its security for every employee of a large company. Lucky for them, they don’t have to. Learn why SSO and SCIM and other fun acronyms are a boon for employee security, and bulk actions make transitions a breeze.
What Is SSO And Why Do You Desperately Need It
SSO stands for Single Sign On, and it allows for a company’s employees to log in to all of their approved services with one click of a button. SSO uses a centrally-managed portal showing all of the applications their company has set up with SSO:
Think of it as a “log in with Facebook” button on steroids: one login for many services, managed by your company’s IT team. You may be familiar with the concept through some of the programs that people use to manage SSO: Active Directory (ADFS), Okta, Google SAML, OneLogin, Centrify, and a whole host of others.
A single login portal can simplify app management for everyone on your team. End users won’t have to use a password manager to manage a whole host of unique, complex, capital-letter-and-symbol-containing passwords. Even better, they won’t be in a situation to reuse passwords between services—a bad practice we’ve all been guilty of at one point or another. It’s just one password to remember, for one portal providing access to all available services at the company.
Plus, the portal guides users to the services they should be using. A single portal showing the approved email service provider and workflow management tool drives employees to start using them without needing to figure out who needs to approve purchase of another tool—if it’s showing up in the portal, and they can log in, they’re good to go and can get back to the work that’s important to them.
Do Something Nice For Your IT Team
On the admin end of things, there are a couple of additional benefits. One password means that, if there’s a security incident, the IT team only has to chase people down to change one password, not 17.
The central management portion of SSO means that an IT admin can easily control who has access to what applications (and who doesn’t). If a sysadmin needs to see Kibana and Bamboo and StatusPage, they can; the marketing team can cheerfully ignore that any of those things exist in favor of Trello and Wordpress. Everyone sees what they need to see, and doesn’t have to expend valuable mental energy on what apps to click—begone, decision fatigue.
If an IT team requires that users sign in to services with SSO (something that we refer to as “SSO enforcement” in Trello Enterprise), employee offboarding becomes a much simpler process. Rather than having to track down and turn off access to individual apps, an IT team can flip the switch to turn off the departing user’s access to the company apps.
No one wants to hunt down a former colleague’s work in multiple places, especially at a large company where the IT team may have no idea what someone in marketing or engineering was working on!
Transporting Users With SCIM
So, we’re all on board: SSO is a great way for companies to manage employee access to approved apps. If someone joins or leaves the company, IT can give or remove access to apps through the SSO provider.
But, what happens if you want to go a step further and activate or deactivate a user’s account in those services? Imagine a universe in which a new employee has a Trello account as soon as IT sets them up with an email address. Or, imagine that an employee is deactivated as soon as HR gives the word—no need for their manager or IT to manually remove them.
It’s time to beam in SCIM.
SCIM stands for Simple Cloud Identity Management. Similar to how SAML is the protocol that different software products use to actually talk to each other about SSO, SCIM is an agreed-upon standard for software products to coordinate on whether a user should be activated or deactivated.
The SCIM website has a handy chart to explain the details, but at its core, SCIM pairs with an SSO Identity Provider (like Okta) to tell us when a user has been created and should begin to show up for you, or—if they’ve been removed—lets your SSO Identity Provider give Trello a heads-up to deactivate that person from all your Enterprise teams.
SCIM, combined with the multi-team user management dashboard that Enterprise admins have access to, provides a convenient way for large companies to manage Trello across their organization. Easier management means more time to collaborate on interesting work, and less stress figuring out just exactly how many people are using Trello. It’s a productivity win for everyone.
Interested In Setting Up SCIM?
If you’re a Trello Enterprise partner who uses Okta, we have great news for you: we recently launched a sweet pre-built SCIM integration for Okta users, allowing you to auto-provision and auto-deprovision users into and out of your enterprise. Get started with setup instructions here.
Not an Okta user? Not to fret: Over the next few months, we plan to roll out pre-built SCIM integrations with a variety of SSO Identity Providers. In the meantime, if you have developers on your side, they can actually set up Trello SCIM support on their own using our SCIM API. They can get in touch with our developer advocate from that page for additional questions and concerns.
Speaking of developers, we have a great breakdown available on our tech blog on the technical ins and outs of implementing SCIM.
If SSO seems interesting to you, but you’re not a current Trello Enterprise customer, we’d love to hear from you. You can read more about our Enterprise features and set up a time to talk to our sales team for more info.