SSO is an alternative access method which allows FT customers to have full access to FT.com without having to manually log in when accessing the site via an agreed route. It allows for users to be deprovisioned when an individual leaves an organisation, after a 90-day grace period.
Federated Access Management builds a trust relationship between identity providers (IdP) and service providers (SP). It devolves the responsibility for authentication to a user’s home organisation, and establishes authorisation through the secure exchange of information (known as attributes) between the two parties.
Federation members needing access to resources install identity provider (IdP) software, and members providing resources install service provider (SP) software. Members sign up to an agreed set of policies for exchanging information about users and resources. The federation operator acts as a registrar for this information, which describes the configuration of the members’ identity and service providers. The information is known as metadata.
How authentication is carried out by the identity provider and how rights management is carried out by the service provider is left up to the respective parties. Thus, federated access management depends on a certain level of trust. These trust agreements are managed by federations. Federations are typically established at a national level.
The UK Access Management for Education & Research (the UK federation) is operated by JISC Collections, in partnership with EDINA (a JISC data centre), on behalf of JISC. Examples of other federations include:
SSO allows users to access FT.com using their employee or education network IDs. In addition to more convenient access for end users, SSO offers more control and transparency for the administration of the account.
This depends on what your current SSO capabilities are. If you already have an existing SSO infrastructure, it may be easy to join the relevant Federation. Each Federation’s website contains details of the requirements for joining.
The OpenAthens Federation is set up specifically to work with commercial organisations. Details on their membership criteria can be found here.
Once you are a member, you will just need to supply the FT with your EntityID, which your Access Federation will supply you with. We will use this ID to add the SSO access method to your account.
You can find more information in the federated setup section here: FT SSO Setup - Federated SSO Introduction
Your organisation can still be set up with single sign-on access to FT.com if you are not currently a member of an Access Federation or if joining an Access Federation is not suitable for your organisation. Our Peer 2 Peer SSO access allows users to access FT.com using their employee enterprise IdP.
For more information on Peer 2 Peer SSO access please visit FT SSO Setup - Peer-to-Peer SSO Introduction
As an additional feature with SSO set up, if an SSO enabled user doesn’t access via the SSO route for 90 days the FT will assume that their access has been removed on the client’s side, and the user will be deprovisioned. Deprovisioned means that the user will be automatically moved from the relevant active user group to the organisation’s inactive user group. The user will be notified that this change has happened, and that they will revert to having registered access to the site. The user will also be notified after 83 days of inactivity, warning them that they will shortly lose their subscription access if they do not log in before the 90-day cut-off.
If a deprovisioned user accesses the site via the SSO route, they will be automatically reprovisioned. This means that the FT will automatically recognise that the user is coming from an SSO enabled organisation. They will be moved from the inactive user group and will become a member of the relevant active user group where they will regain their subscription access. This will be seamless and should not be visible to the end user.
SSO can be switched on or off at any point without causing issues. If you request that SSO be turned off during a contract, access for all previously SSO enabled users reverts back to normal FT.com access rules. All users will have access in line with the contracted end date of the group, and the users within the group will not be automatically deprovisioned. If SSO is then reactivated, the automated deprovisioning will restart, whereby it will go back to identify previous SSO users or deactivate users accordingly, if their accounts are still inactive.
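The lifecycle described above, as an added Python sketch for administrators who want to predict which accounts will be warned or moved (this is not FT's implementation). The function and field names are hypothetical, the 83- and 90-day thresholds come from the text, and treating each threshold as inclusive is an assumption.

```python
from dataclasses import dataclass
from datetime import date, timedelta

WARN_AFTER = timedelta(days=83)         # warning notice, per the text above
DEPROVISION_AFTER = timedelta(days=90)  # cut-off, per the text above

@dataclass
class User:
    email: str
    last_sso_access: date
    group: str = "active"   # "active" or "inactive" user group
    warned: bool = False

def sweep(users, today, sso_enabled=True):
    """Apply the inactivity rules once; return (email, action) events."""
    events = []
    if not sso_enabled:
        # SSO switched off: users are not automatically deprovisioned.
        return events
    for u in users:
        if u.group != "active":
            continue  # already in the inactive group
        idle = today - u.last_sso_access
        if idle >= DEPROVISION_AFTER:
            u.group = "inactive"
            events.append((u.email, "deprovisioned"))
        elif idle >= WARN_AFTER and not u.warned:
            u.warned = True
            events.append((u.email, "warned"))
    return events

def on_sso_access(user, today):
    """Record access via the SSO route; reprovision if needed."""
    user.last_sso_access = today
    user.warned = False
    if user.group == "inactive":
        user.group = "active"
        return "reprovisioned"
    return "active"

if __name__ == "__main__":
    today = date(2024, 6, 1)
    # Constructed sample accounts, idle for 12, 83 and 90 days.
    users = [User(f"user{d}@example.org", today - timedelta(days=d))
             for d in (12, 83, 90)]
    print(sweep(users, today))
    print(on_sso_access(users[2], today))
```

Running `sweep` with `sso_enabled=False` models the period while SSO is switched off; calling it again with `sso_enabled=True` models reactivation, where accounts that are still inactive are picked up.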
As part of your SSO fulfilment you will be supplied with a WAYFLess URL (Where are you from? URL). A WAYFLess URL can be used to link to FT.com directly from your portal or Intranet. All users accessing will be routed back via their Identity Provider and then taken back to FT.com. Depending on their status, they will either be logged in automatically or they will be directed to the relevant sign up page.
No, SSO doesn’t use IP address to identify what organisation a user is from. That information is passed to us securely from the user’s Identity Provider. All information passed from the Identity Provider and/or Federation is encrypted before it is passed over to the FT.
SSO enabled users can sign in to their FT account via SSO on their mobile / tablet devices. Simply visit the FT Web App (app.ft.com) (e.g. the FT ‘home screen’ icon on an iOS device) or the FT Android Native App and follow the instructions.
Note - The ability to sign in to the user’s IdP/federation account on their mobile/tablet device will be required to allow users to sign into their FT account via SSO.
Yes. If your organisation is interested in using Access Manager as well as SSO both can be enabled, as long as the Access Manager is updated to include the relevant WAYFLess URL. This is needed so the users are directed back through their IDP, which ensures they are identified and redirected to the correct page.
Yes, as SSO isn’t dependent on your organisation’s IP address. Use of a web proxy such as EzProxy should not cause any problems.
For any queries about the FT’s SSO service, please contact us or your Customer Success Manager (CSM).