Single Sign-On (SSO) is an authentication process that allows users to access multiple applications or services with a single set of login credentials (such as username and password). Narmi offers SSO for Narmi Command, so your staff users can log in to Narmi Command via the same SSO provider you use for other applications at your institution. SSO enhances platform security, simplifies administration, and improves the user experience by making it easier to sign in, remember passwords, and trigger password resets.
Several companies provide SSO solutions, each offering its own set of features, integrations, and pricing options. Some of the most common SSO Identity Providers (IdPs) include Okta, Microsoft Azure Active Directory, Google Workspace, and Auth0. If you have an SSO IdP, your institution can directly configure SSO authentication for your staff users within Narmi Command. This self-serve option allows flexibility in controlling and managing when to enable, disable, or update any SSO details based on your institution's preferences.
About Narmi Command SSO:
There is no additional cost for Narmi Command SSO.
Our SSO uses the OpenID Connect (OIDC) protocol, not Security Assertion Markup Language (SAML).
We currently support the following OIDC IdPs via self-service: Google Workspace, Microsoft Entra ID, Okta, and Amazon IAM. Please contact your Narmi Relationship Manager if you would like to add a different IdP.
For some providers (like Okta and Microsoft Entra ID), we support IdP-initiated login, allowing your institution to add Narmi to your IdP dashboard.
You must have Admin permissions in Narmi Command to register a new SSO.
To get started by enabling SSO at your institution, go to Manage SSO.
Staff Users and SSO
Staff users must have an account on Narmi Command and a two-factor authentication device added in order to sign in via SSO. If a user attempts to log in without a Narmi Command account, an error message appears. For instructions on adding a new staff user, go to Add a New Staff User. For non-admins, you'll also select a Role. For more information on roles, go to Manage Roles.
Staff user info is updated automatically from the SSO provider. For instance, when a user's last name is changed in the SSO provider's directory, that updated name is reflected in the Narmi platform. Please note that user information in the Narmi One is not saved to the provider's directory, so the SSO directory is the source of truth for user information.
Adding SSO to an existing user does not remove their username and password. By default, those credentials will remain valid if the staff user chooses to log in with them. Your institution can turn this off and allow users to only sign in via SSO, not their username and password. To turn off the username and password login option, contact your Narmi Relationship Manager.
Log In with SSO
If your institution has enabled SSO, staff users with an account on Narmi Command can sign in via SSO.
To log in:
Staff users select the link to log in with [provider name], for example, Log in with Okta.
In the dialog that appears (which varies depending on the SSO provider), users enter their credentials and follow the onscreen instructions to continue. Once authenticated, Narmi Command opens to the dashboard. The time between session reauthentication varies by SSO provider.
