Best practices for user management with SSO

00:01

In this session, we will discuss some user management best practices that you as the primary or SSO administrator should consider with Single Sign-on.

00:11

In this video, we will discuss key aspects of user management that you should consider prior to implementing SSO,

00:18

as well as how new user accounts are created once SSO is enabled.

00:24

To complete the session, we will look at some comments, frequently asked questions pertaining to user management with SSO.

00:33

Prior to enabling Autodesk SSO, it is highly recommended that you take the time to ensure that your user list is up to date,

00:40

and that all your users' software entitlements are accurately assigned within Autodesk account.

00:47

Additionally, be sure to unassign software entitlements for users no longer with the company and then also delete these users from Autodesk account.

00:57

Although this is not a requirement, it is considered a best practice to ensure users do not continue accessing software,

01:05

and that, most importantly, your licenses are made available to those who need them.

01:10

In fact, once SSO is enabled, employees no longer with the company, in other words not in your active directory, would not actually be authenticated.

01:21

However, licenses are not controlled by SSO and maintenance of Autodesk software entitlements remain your responsibility using Autodesk account.

01:32

We also recommend that you review your user list and ensure that all employees are using their corporate email addresses.

01:40

If anyone is using a personal email address, you will need to ask them to change their profile.

01:45

Once they update their profile, it will update in Autodesk account and their software entitlements will remain assigned.

01:52

Software access is authenticated based on email addresses matching.

01:57

If email addresses do not match, a new account will be created with SSO and users with non-corporate email addresses will lose access,

02:06

because their entitlements are not set up for this new account.

02:11

Next, you will want to ensure that any users invited to your Autodesk account have accepted invites.

02:18

If not, resend the invite or delete the user.

02:22

Once SSO is enabled, their account will be created.

02:27

Finally, we highly recommend that you notify all users to explain this new process,

02:33

tell them how it will work and benefit them and when the switch will be made.

02:39

Once Autodesk SSO has been enabled for your domain,

02:43

any user who is able to authenticate on your domain and does not have an existing Autodesk account will have one created.

02:51

This account is automatically added to your company's Autodesk tenant.

02:56

Please note that assigning entitlements in Autodesk account is considered a separate task,

03:02

and until this is completed, users will not have access to any of your software licenses.

03:09

At a high level, the following details the procedure of what happens for a user's self-registration with SSO.

03:18

Initially, the user accesses Autodesk software or a service and they are prompted with the standard Autodesk login page.

03:26

Once they enter an email that is associated with the registered domain, the user is redirected to the company IdP for authentication.

03:37

Using their company username and password, they are authenticated through active directory.

03:43

A user's login credentials, that being their first name, last name, email address,

03:48

and the ObjectGUID are returned via SAML assertion to Autodesk,

03:54

and at that point, the Autodesk account is created using these active directory details.

04:00

The user can then login to any Autodesk services as shown here for Autodesk Help.

04:08

The final step of course would be for you as the primary administrator to grant them access to the software licenses they will require.

04:20

There are a number of answers to Frequently Asked Questions that are included in Autodesk Single Sign-On Configuration Guide.

04:28

To finish this session, I just wanted to review a few of these that are specific to user management.

04:37

Firstly, what happens when a user leaves the company?

04:41

In these situations, once a user is removed from the corporate identity system, there is no account associated with that user for authentication.

04:51

In this case, the user's Autodesk account will still exist, however they can no longer be authenticated, and the user will be unable to login.

05:00

You will want to then use Autodesk account to further remove them from software entitlements.

05:08

It is quite common for end-users to require a name change.

05:12

Autodesk SSO ensures that these changes do not impact Autodesk usage.

05:17

Firstly, the name change will be reflected in your corporate identity system or your IdP,

05:23

and then on subsequent logins through an Autodesk service,

05:27

the SAML response will return the new user details and update the Autodesk identity to reflect the new name.

05:34

Keep in mind initially that if users are already authenticated the name change will not be immediately visible in Autodesk applications.

05:43

Once a user is signed out and in again, their Autodesk details will be updated for all Autodesk services.

05:51

The final two FAQs are common questions that you will get from your users.

05:55

Firstly, why can't I create a new Autodesk account using my work domain?

06:01

Please keep in mind that this happens because once your domain has been onboarded to SSO,

06:06

Autodesk will no longer allow users to create accounts directly with Autodesk using this domain name.

06:13

During the account creation process, users will see the following error message when entering your email address.

06:20

In order to create a new authorized account,

06:22

all you have to do is simply login to any Autodesk site and an account will be created after authentication with your company's active directory.

06:32

The second common question is around why users can't edit their Autodesk profile through their Autodesk account.

06:39

Once again, the reason for this is that your domain has now been onboarded to SSO,

06:43

and they will no longer be able to edit their profile because their account is tied to your domain for authentication.

06:50

Any changes made in your company's active directory will be reflected in their profile,

06:56

but as long as SSO is enabled on the email domain, the reverse is not true.

07:02

I hope that this session has given you some understanding of how you should prepare and manage your users with Autodesk SSO.