Account Linking: Enabling Cross-Domain SSO
Overview
The Account Linking service is designed to provide seamless access to multiple ICE MT enterprise applications using cross-domain SSO approach. This service allows users to log in once into an ICE MT application, granting access to various integrated domains without needing to re-enter credentials for each application. For example, a user logged into Encompass on the Web can launch the DDA Analyzers without the need to re-authenticate.
The cross-domain interoperability is enabled by linking the user accounts across different ICE MT applications and domains using a SCIM globalUserId, enabling centralized identity management and access control.
The following ICE MT products are currently enabled for cross-domain SSO using the ICE MT Account Linking service.
ICE MT Product | SCIM Support |
---|---|
Encompass on the Web and Encompass Desktop app | Yes |
DDA Analyzers (support for cross-domain sso) | Yes |
What is a Global User ID?
The globalUserId (GUID) is a unique, immutable identifier assigned to a user by the ICE Mortgage Technology SCIM service. The GUID facilitates interoperability and consistent identification of users across the ICE MT applications that implement SCIM for identity management and cross-product Single Sign-on.
Lenders who are licensed for multiple ICE MT products (e.g. Encompass & DDA) must ensure that the user profiles for the same employee, across the different products, are linked to the same GUID.
To learn more about the Global User ID please see the SCIM Global User ID topic in this guide.
How it Works
Behind the scenes, the system utilizes a user GUID to link the user accounts across the supported ICE MT enterprise applications. This GUID is a backend identifier managed by administrators and is used by the system to ensure the user has unified access across all of their linked accounts. The end user does not need to know or interact with this GUID, they just log in as normally would, and the system takes care of the rest.
Key Features
Cross-Domain SSO: Log in once and gain access to multiple ICE MT integrated experiences without the need to reauthenticate.
Consistent User Experience: The user benefits from a unified experience across various ICE MT applications, eliminating the need to remember multiple usernames and passwords.
Centralized Management: Administrators manage the linking of accounts using the SCIM Account Links APIs enabling self-service for the enterprise.
SCIM Account Links APIs
The following APIS are available:
API | Use Case |
---|---|
Get Linked Accounts | Retrieve all accounts tied to a given SCIM globalUserId. |
Create an Account Link | Generate a globalUserId for an existing Encompass/DDA application user. |
Link User to a SCIM GUID | Link an existing user profile to a globalUserId. |
Delete an Account Link | Resolve multiple globalUserId conflicts for the same employee in case a duplicate globalUserId was generated in error. |
How is this different from SAML SSO?
Federated SAML SSO operates by using a centralized identity provider (IDP) that asserts the user's identity to various service providers (SPs) upon login. The user authenticates once with the IdP and SAML assertions are passed to the SPs to grant access without further logins. SAML focuses on authentication using the lender IdP.
On the other hand, the ICE MT Account Linking service is focused on linking multiple accounts across different ICE MT enterprise domains using a backend GUID, which is not visible to the end user. The linking process ensures that once a user is authenticated in one domain, they are recognized across other ICE MT domains without needing to re-authenticate. The Account Linking service is dependent on the initial user authentication into one of the ICE MT domains.
For enterprises that use SAML SSO for user authentication, the Account Linking service is an interoperable add-on to the seamless end user experience. The Account Linking service does not replace SAML SSO.
User Experience
Step 1: The user logs into to an ICE MT application (Encompass).
- The user accesses the Enterprise Login Page.
- The user enters their credentials.
- User completes the authentication process.
Step 2: The user accesses linked applications enabled for cross-domain SSO.
- Automatic access - once logged in, the user can now access any other linked applications without needing to log in again. For example, once logged into Encompass on the Web, the user can navigate to the DDA Analyzers to launch the integrated UI.
User Migration to SCIM Global User Id
To leverage the cross-domain SSO experience, existing ICE MT customers need to do a one-time user migration to generate the SCIM globalUserId for the existing enterprise users.
User migration for existing customers can be done via self-service using the SCIM Account Linking APIs or through an engagement with ICE MT PSO organization.
Ongoing Maintenance
ICE MT customers who automate user management using a centralized IdP using the SCIM APIs need to ensure that all new user accounts are linked to the same GUID across all supported ICE MT applications.
ICE MT customers who are managing users using the ICE MT Product UI or using the application APIs (V3 Internal Users) need to ensure that a SCIM GUID is generated for any new user added to the product and linked to the same SCIM GUID across all ICE MT supported applications. This maintenance activity can be done via self-service using the SCIM Account Linking APIs or through an engagement with ICE MT PSO organization.
Updated 4 months ago