With Hybrid Authentication, you can have some users log in with the SSO provider you integrate your MangoApps domain with, some log in with an email ID and password generated via MangoApps, or both.
Hybrid authentication in MangoApps allows your users to log in and register using the following providers:
- LDAP/Active Directory
- Google Apps (OAuth 2.0)
For example, users can sign in to Active Directory Federation Services (AD FS)-enabled applications using any form of user identifier that is accepted by Active Directory Domain Services (AD DS). These include User Principal Names (UPNs) (email@example.com) or domain-qualified sam-account names (contoso\johndoe or contoso.com\johndoe).
Oftentimes, you want your end users to know only their email addresses when signing in. However, sometimes, for various reasons, your AD DS environment cannot ensure that user UPNs match their email addresses. Also, SaaS SSO providers such as OneLogin require user login IDs to be fully internet routable, because non-routable domain names cannot be verified. In other words, if your on-premises UPNs use non-routable domains (e.g. “contoso.local”, fabrikam), or you cannot change your existing UPNs to match your cloud domain due to application dependencies on your on-premises UPN, you cannot use your on-premises UserPrincipalNames to authenticate your users with AAD.
To solve this problem, you can have your users log in with the MangoApps native authentication mechanism and/or your existing SSO provider. This allows you to configure a sign-in experience where this alternate login ID is an attribute of a user object in AD DS other than the UPN.
NOTE: To allow login with MangoApps as well as your SSO provider, the only condition is that the user identifier, i.e. the email address, is the same on the SSO provider platform and on MangoApps.
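Before enabling hybrid login, it helps to know which directory accounts are affected by the conditions above. The script below is an added example, not MangoApps code: it audits a directory export for non-routable UPN suffixes, UPNs that differ from the mail attribute, and email addresses that have no matching MangoApps account. The field names (sam, upn, mail), the list of non-routable suffixes and all sample records are assumptions constructed for illustration.

```python
# Added example: audit directory users against the hybrid-login conditions.
# Field names, the suffix list and all records are constructed assumptions.

NON_ROUTABLE_TLDS = {"local", "internal", "lan", "corp", "home"}  # assumed; extend as needed


def upn_suffix_routable(upn: str) -> bool:
    """Routable here means a multi-label DNS suffix not ending in a private-use label."""
    _, _, suffix = upn.rpartition("@")
    labels = suffix.lower().split(".")
    if len(labels) < 2 or not all(labels):  # single label such as "fabrikam"
        return False
    return labels[-1] not in NON_ROUTABLE_TLDS


def classify(user: dict, mango_emails: set) -> list:
    """Return the findings for one directory user (empty list means no issue)."""
    findings = []
    upn = user["upn"].strip().lower()
    mail = (user.get("mail") or "").strip().lower()
    if not upn_suffix_routable(upn):
        findings.append("upn-not-routable")
    if not mail:
        findings.append("no-mail-attribute")
    elif upn != mail:
        findings.append("upn-differs-from-mail")
    if mail and mail not in mango_emails:
        # The shared identifier must exist on both sides for hybrid login.
        findings.append("email-missing-in-mangoapps")
    return findings


def audit(users, mango_emails):
    """Map each sam-account name to its findings; email comparison is case-insensitive."""
    mango = {e.strip().lower() for e in mango_emails}
    return {u["sam"]: classify(u, mango) for u in users}


# Constructed sample: a directory export and the email IDs present in MangoApps.
DIRECTORY = [
    {"sam": "johndoe", "upn": "johndoe@contoso.local", "mail": "john.doe@contoso.com"},
    {"sam": "asmith", "upn": "asmith@contoso.com", "mail": "asmith@contoso.com"},
    {"sam": "bwong", "upn": "bwong@fabrikam", "mail": ""},
    {"sam": "cdiaz", "upn": "cdiaz@contoso.com", "mail": "carla.diaz@contoso.com"},
]
MANGO_EMAILS = ["John.Doe@contoso.com", "asmith@contoso.com"]

if __name__ == "__main__":
    for sam, findings in audit(DIRECTORY, MANGO_EMAILS).items():
        print(f"{sam:8} {'OK' if not findings else ', '.join(findings)}")
```

Accounts flagged with email-missing-in-mangoapps or no-mail-attribute do not meet the shared-identifier condition in the note above and need attention before users are told to sign in with their email address.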
Configuration for LDAP/Active Directory
Ensure “Override UPN Suffix” is enabled on the LDAP/AD configuration screen, as shown in the screenshot below, so that users can log in with either their LDAP ID or their email.
To configure with SAML providers
Ensure “Login Page Auto Re-Direct” is NOT checked. With it unchecked, users visit the MangoApps login page instead of the SAML provider login page.
In this case, if a user does not have a password for logging in with email using MangoApps authentication, they may have to generate one by clicking Forgot Password (refer to the instructions here: http://goo.gl/rVqRcI ). The admin can also set the password for users from the admin portal (refer to the instructions here: http://goo.gl/Zh7h0l ).