Single Sign-On, often abbreviated as SSO, is a popular way to control access to multiple independent services. It is widely considered to be a more secure way of accessing applications as compared to the standard login and password.
Codility offers SSO integration based on SAML technology.
If your company uses a SAML identity provider, you can integrate it with Codility and abandon the typical way of authentication through login and password.
Important to note: Codility supports SAML SSO based on SAML 2.0. AD FS, OpenID Connect or any other protocols are currently not supported.
If you wish to have SSO SAML integration enabled for your company account, please contact support@codility.com.
Enabling SAML SSO
Once we provide you with our XML file, we will need the following details from you to enable the integration:
- XML document with “SAML Identity Provider (IdP) Metadata”
- Email Attribute Mapping (for example, name_id)
- User ID Attribute Mapping (optional, can be the same as email attribute mapping but required if you use alias email addresses in your organization)
This information will likely be provided by someone on your IT or infrastructure team.
We will ask you to provide domains that should be associated with your account. This is to ensure that your users are recognized as employees of your organization and a part of your account, even if your company uses several different domains.
How does it work?
Once we enable SAML SSO integration on your account and define the domains that should be associated with it, your users will be able to log in by authenticating through your identity provider (IdP) at login.codility.com (logging in with email/password won't be possible). Once they provide their email address at login.codility.com, assuming they have the correct permissions assigned in your IdP, they will either be logged in right away and taken to the Codility homepage or redirected to authenticate via your IdP (depending on how this flow is set up on your end).
What is user provisioning?
User provisioning is a feature that allows users to be created when they attempt to log into Codility via SAML SSO from your IdP. Users created this way will not have any personal information filled in. This feature is not enabled by default, so please let us know if you would like to have it within your SAML configuration.
If you have user provisioning enabled, you can choose which role will be assigned to all new users created this way by default. For example, if you use Interviews heavily and have a lot of interviewers, you may choose the default role to be Collaborator.
If you have reached your user limit and a new employee is trying to join the account through user provisioning, they won't be able to do so and will see the following message:
Important to note: SCIM or Role-Based mapping is currently not supported. Codility security role changes or account deprovisioning must be done within the Codility platform by an Administrator.
How does user provisioning work with teams?
Users created through user provisioning will always land in the default team. The only exception is employees who try to access a certain test or a certain candidate report without having a Codility account; in this case, Smart Team Assignment is applied.
Smart Team Assignment means that if an account has SAML user provisioning turned on, its users will be automatically assigned to the team to which the accessed resource (test, candidate report, or Interviews link) belongs. To better clarify this, let’s take an example:
- Customer XYZ is a Codility customer, has SAML SSO set up, user provisioning enabled and has email domain mapping set to "xyz.com".
- John Doe is an employee of XYZ and doesn’t have an account in Codility.
- XYZ has a test with ID=1 that belongs to team “EMEA” (not a default team).
- John Doe gets a link to the test: app.codility.com/tests/1/details and enters it.
- John Doe doesn’t have an account so is redirected to a login page.
- John Doe uses his email address to log in with SAML: john.doe@xyz.com
- John Doe successfully logs in through XYZ Identity Provider and is redirected back to Codility to app.codility.com/tests/1/details page. John is assigned to the “EMEA” team (instead of the default team) as the test belongs to that team.
Important points to take into account:
- If you don't have user provisioning enabled, to be able to log in through SAML, the user should be added by an admin and have an active account in Codility.
- Once your account has been switched to SAML, no users will be able to log in via app.codility.com/login by using their credentials (email & password).
Should you have any questions about SSO, please contact support@codility.com.