Single Sign-On for CommCare HQ

 

Single sign-on (SSO) allows you to give your staff one account for all of the systems your organization uses. If you have a CommCare Enterprise account and have SSO set up for your organization, you can require your users to log in to CommCareHQ using their SSO credentials.  

Supported Identity Providers

Additional SSO Settings

Multiple-View API Keys

Dimagi's default security stance regarding API keys is that users cannot view their keys again after creation. However, we recognize there are situations where this restriction disrupts workflows, and we have designed this feature to provide more flexibility and autonomy for users managing their own keys. Provided your organization understands the impact of allowing your users to view their keys multiple times, you can enable multiple-view API keys for users associated to your Identity Provider as follows:

  1. From the Enterprise Dashboard, navigate to “Manage Single Sign-On”

    image-20240419-164212.png
  2. “Edit” the desired Identity Provider

    image-20240419-164403.png
  3. Scroll to the “API Key Management” section

  4. Check “Always display full API keys to SSO users”

  5. Log in to a user managed by the Identity Provider

  6. Navigate to “My Account Settings”

  7. Navigate to “API Keys

  8. Click the “Copy Full Key” button next to the desired API key

  9. Your API key should now be copied to the clipboard

Enforce API Key Expiration

Enforcing Key Expiration allows an identity provider to force all API Keys (including existing ones) to expire after a maximum amount of time. To enable this feature:

  1. From the Enterprise Dashboard, navigate to “Manage Single Sign-On”

  2. “Edit” the desired Identity Provider

  3. Scroll to the “API Key Management” section

  4. Check “Always require an expiration date for API keys” and specify an expiration window

Enforcing a new maximum expiration length will only update existing keys with expiration dates longer than the new setting. For example, an Identity Provider with a 60-day expiration length will update a key with a 90-day expiration but will leave a key with a 30-day expiration unmodified.