
Set up Single Sign-on (SSO) in Dell Premier

Summary: Learn how to set up single sign-on and simplify access to Dell Premier


Instructions

Dell Premier SSO Video
Duration: 00:04:20 (hh:mm:ss)

Introduction

Single sign-on (SSO) simplifies access to Dell Premier with passwordless authentication. Once signed in through single sign-on, customers (users) don't have to sign in again to use other Dell applications.

Once SSO is enabled, all users will select "Premier Sign In" or access the Dell Premier sign-in page through www.dell.com/account.

Start single sign-on setup

Site administrators (site admins) can set up single sign-on from the Account tab. If your organization doesn’t have a site admin, contact your sales representative.
  1. Sign in to Premier and click Account.
  2. On the Overview page, find the single sign-on widget and click Manage Single Sign-on. If you do not see the widget on your page, please reach out to your dedicated Sales team or Premier HelpDesk (Premier customer support): NA | LATAM | Europe | Asia

Choose which users have single sign-on


Choose a way to onboard users

There are two ways to migrate users to single sign-on.
  1. Onboard your entire organization (recommended)
     Existing users will keep their current access group and user role assignments. The site admin will be asked to designate the access group and user role of all other employees across their organization in the following step. Once single sign-on is enabled, the entire organization will have access to Premier with single sign-on.
  2. Onboard existing Premier users
     Existing users will keep their current access group and user role assignments. New users can be manually added and assigned to access groups and user roles by the site admin or a sales representative. New users will have instant access to Premier with single sign-on.

Manage access with access groups, user roles, and rules

Access groups and user roles determine what each user can see and do. If you have questions about access groups and user roles, contact your sales representative.


Rules (optional) can further define employee access by location, department, or employment type (full-time, part-time, contract, etc.). To create rules, add the claim value for each claim name. For claim details, contact your IT administrator. Learn more about how to set up optional rules in Premier.

After the site admin sets up access, Premier will send an email summary of user access. The single sign-on setup can be changed at any time.

Connect to the identity portal

Click Manage SSO Connection to open Premier’s single sign-on setup portal. You can also invite your information technology (IT) administrator to complete single sign-on setup.

To invite your IT administrator:
  1. Click Manage Administrator.
  2. Enter the IT administrator’s organization email address.
  3. Click Invite to invite the IT administrator to the identity portal.

To verify your organization’s email domain(s), the IT administrator will click Manage Domain. Learn about domain management

Turn on single sign-on

  1. Click Register IdP (identity portal).
  2. In the Select Domain tab, complete the fields as follows:
     SSO configuration name: Enter a name for the single sign-on configuration.
     Select domain(s): Choose the domain(s) associated with the identity provider.
  3. Click Next.

In the Select Protocol tab, complete the fields as follows:

Choose and configure the external identity provider: SAML 2.0 is selected by default. Please refer to the SAML steps below. You can also configure SSO using OpenID Connect (OIDC). For OIDC setup instructions, please refer to the OIDC steps below.

For SAML, select the authentication method: SP-initiated (service provider) single sign-on is selected by default. Learn about IdP- and SP-initiated single sign on
 
Download SP Metadata

Click Download SP Metadata (XML) and select Dell Identity as the identity provider.

How to use service provider (SP) metadata:
  • Copy all service provider metadata values and paste them in the identity provider’s respective fields.
  • Check the box to confirm the service provider metadata is configured and uploaded to your identity provider.
  • Import the identity provider metadata in one of three ways:
    1. Upload the identity provider XML file.
    2. Enter the XML file’s SAML endpoint URL that holds the federation metadata.
    3. Manually enter values if you don’t have an identity provider metadata file.
  • Click Next.
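
As an added example (not Dell's code), this Python function parses a SAML 2.0 SP metadata file and returns the values an identity provider's fields normally ask for, so they can be compared with what was pasted. The sample XML, its example.test URLs and the certificate placeholder are constructed and are not taken from Dell's metadata; `sp_values` is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD, "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample: entity ID, ACS URL and certificate are placeholders.
SAMPLE_SP_METADATA = """
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.test/saml">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data>
        <ds:X509Certificate>PLACEHOLDERCERT</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def sp_values(xml_text):
    """Extract the SP values an IdP application registration asks for."""
    root = ET.fromstring(xml_text.strip())
    sp = root.find("md:SPSSODescriptor", NS)
    if root.tag != "{%s}EntityDescriptor" % MD or sp is None:
        raise ValueError("not SAML 2.0 service provider metadata")
    acs = [(e.get("Binding"), e.get("Location"))
           for e in sp.findall("md:AssertionConsumerService", NS)]
    if not acs or any(not (loc or "").startswith("https://") for _, loc in acs):
        raise ValueError("every assertion consumer service URL must be https")
    # A KeyDescriptor without a 'use' attribute serves signing and encryption.
    certs = ["".join(c.text.split())
             for kd in sp.findall("md:KeyDescriptor", NS)
             if kd.get("use") in (None, "signing")
             for c in kd.findall(".//ds:X509Certificate", NS)]
    return {
        "entity_id": root.get("entityID"),
        "acs": acs,
        "name_id_formats": [e.text.strip() for e in sp.findall("md:NameIDFormat", NS)],
        "signing_certs": certs,
        "authn_requests_signed": sp.get("AuthnRequestsSigned") in ("true", "1"),
        "want_assertions_signed": sp.get("WantAssertionsSigned") in ("true", "1"),
    }
```
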
For OIDC, there are two ways to enable the configuration: Well Known Endpoint or Manually Enter Values.
  • Select either Well Known Endpoint or Manually Enter Values.
  • Enter the well-known endpoint URL or the manual values, according to your selection.
  • Click Next.
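
An added example, not part of Dell's article or portal: before entering a Well Known Endpoint, an administrator can check the identity provider's discovery document against the consistency rules of OpenID Connect Discovery and read off the fields needed for manual entry. The URL and document below are constructed placeholders, and `check_discovery` and `manual_values` are hypothetical helper names.

```python
from urllib.parse import urlsplit

SUFFIX = "/.well-known/openid-configuration"
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri",
            "response_types_supported", "subject_types_supported",
            "id_token_signing_alg_values_supported")

# Constructed discovery document; host and paths are placeholders.
SAMPLE_URL = "https://idp.example.test/tenant1" + SUFFIX
SAMPLE_DOC = {
    "issuer": "https://idp.example.test/tenant1",
    "authorization_endpoint": "https://idp.example.test/tenant1/authorize",
    "token_endpoint": "https://idp.example.test/tenant1/token",
    "userinfo_endpoint": "https://idp.example.test/tenant1/userinfo",
    "jwks_uri": "https://idp.example.test/tenant1/keys",
    "response_types_supported": ["code"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
    "scopes_supported": ["openid", "profile", "email"],
}


def check_discovery(well_known_url, doc):
    """Return a list of problems; an empty list means the document is consistent."""
    problems = [f"missing {k}" for k in REQUIRED if k not in doc]
    # The issuer (minus a trailing slash) must be the prefix of the discovery URL.
    if not well_known_url.endswith(SUFFIX):
        problems.append("URL is not an OIDC discovery endpoint")
    elif str(doc.get("issuer", "")).rstrip("/") != well_known_url[: -len(SUFFIX)]:
        problems.append("issuer does not match the discovery URL")
    for key, value in doc.items():
        if key == "issuer" or key.endswith(("_endpoint", "_uri")):
            parts = urlsplit(str(value))
            if parts.scheme != "https" or not parts.netloc:
                problems.append(f"{key} is not an https URL")
    if "openid" not in doc.get("scopes_supported", ["openid"]):
        problems.append("scopes_supported lacks openid")
    if "RS256" not in doc.get("id_token_signing_alg_values_supported", []):
        problems.append("RS256 is not offered for ID token signing")
    return problems


def manual_values(doc):
    """Fields to type in when entering values manually instead of the endpoint."""
    keys = ("issuer", "authorization_endpoint", "token_endpoint",
            "userinfo_endpoint", "jwks_uri")
    return {k: doc[k] for k in keys if k in doc}
```
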


If you selected SAML in Select Protocol:
  1. In the Register IdP tab, the first three sections (basic SAML information, endpoints, and certificate) automatically populate information from the metadata file shared in step 5. If the data doesn’t automatically populate, manually enter the information.
  2. Click Claims. Claims give specific employees (users) access to your Premier page.
     In the Required Claims section, select the appropriate URLs from the dropdown lists.
     In the Optional Claims section, select applicable options from the dropdown lists. Multiple Optional Claims can be added. There are three types of optional claims:
       • Member of identifies users from a particular group. Member of only lists groups that are added in the Add User Group tab. To add a group to the list, go to the Add User Group tab. In the Add Active Directory User Groups (Optional) field, add the group(s).
       • Country code identifies users from a certain location.
       • Employee type identifies users by employment type (full-time, part-time, etc.).
     Click Register.
  3. Click Next.

If you selected OIDC in Select Protocol, in the Register IdP tab, Issuer and Redirect URL, and all other fields in the Endpoint tab, will be auto-populated.

In Basic Information:
  • Enter the Client ID, which you will find on your identity provider.
  • Enter the Client Secret, which you will find on your identity provider.
  • Copy the Redirect URL and configure it in your application.
Note: Changes to the issuer will update the Redirect URL.

In Endpoints, the endpoints will be auto-populated from the Well Known Endpoint or the manually entered values.

In Scope, some of the predefined scopes are auto-populated based on the Well Known Endpoint or the manually entered endpoints.
  • Enter or select the claim for UUID.
  • Click Register.

For Add User Group, refer to step 5 above.

Test the connection

Before activating the identity provider, test the connection and end-to-end single sign-on.



Test the identity provider connection

  1. Click Test IdP Connection. A single sign-on session will open in a browser window with Dell.
  2. Sign in using your organization credentials.
  3. Review the test results that show on the page.
    1. If the test succeeds, click the Test Connection tab on the single sign-on page. Invite a user to test single sign-on.
    2. If the test fails, check the identity provider setup. If you have questions, contact the Dell Identity team.

Invite users to test single sign-on


  1. Click Enable Test SSO. A unique email address for the identity provider is generated.
  2. Share the unique email address with trusted users.
  3. Share the application URL with the trusted users.
     3.1 For service provider-initiated single sign-on, users must access their application from Dell.com to complete the test.
     3.2 For identity provider-initiated single sign-on, share the URL from your identity provider with trusted users to authenticate. The users will be redirected to the application using the relay URL from the table.
  4. After the test succeeds, click Activate.

Notes

  • If the identity provider is activated without disabling the test, the test will automatically disable.
  • After clicking Activate, the identity provider is active.
  • After clicking Skip Activation, the identity provider will be pending activation. Click Edit IdP to complete activation.

Frequently asked questions

Benefits of single sign-on
Setting up single sign-on
Identity provider (IdP) technical setup
SSO Domains & Claims
Premier Sign In 

Benefits of single sign-on

What is single sign-on and what are the benefits?
Single sign-on (SSO) is an authentication service that allows employees access to many applications with one set of credentials. Single sign-on strengthens security by centralizing control and improves productivity by eliminating many passwords.

How will employees with single sign-on buy for my organization?
With single sign-on, employees can access Premier without having to create an account. After signing in with their organization email address, employees can browse and buy, dependent on their access group and user role. The Premier site administrator assigns each employee's access group and user role (what they can see and do).

Who should I contact for help in setting up single sign-on?
Your sales representative can help you set up single sign-on.

Setting up single sign-on

How long does single sign-on setup take and who is responsible?
A Premier site administrator starts the single sign-on setup in their Premier account. An identity or IT administrator in the organization registers and configures the identity provider (IdP). This process can take 30 to 45 minutes.

Do all employees have to use single sign-on for all Dell applications?
Yes, all employees must use single sign-on once enabled. This is recommended. Single sign-on improves security and increases productivity with centralized identity management.

What is the Dell Identity Portal?
The Dell Identity Portal allows site admins to configure single sign-on with Dell on their own. Dell Identity Portal guides the identity administrator (identity admin) to configure their identity provider (IdP) with Dell. After the IdP and Dell connect, the identity administrator can test the configuration.

What does the identity administrator do with the identity provider (IdP)?
To turn on single sign-on, invite the identity administrator to the setup in Dell. The identity admin can set up and manage the identity provider (IdP) in Dell Identity Portal. The identity admin uses Dell Identity Portal to verify the domain, start the IdP configuration, and maintain the service.

Can I invite multiple identity admins to the identity portal?
Yes, you can invite more than one identity administrator from a single organization. The first identity admin that claims the domain is the primary. The primary identity admin can accept or deny access to more identity admins. Identity admin invitations expire after 30 days.

How can I check the status of an identity administrator's invitation? Is there an API?
You can check the invitation status in Dell Identity Portal. There is no API to check if the invitation is pending or accepted.

Does single sign-on also turn on multi-factor authentication for applications?
Yes, single sign-on uses the customer's identity provider (IdP) to support this feature. Most IdPs support multi-factor authentication.

When a site administrator turns off single sign-on, is the service turned off for all users?
Yes. Users cannot sign in to Premier when single sign-on is turned off.

Once SSO is set up, can I log in to my TechDirect portal via SSO?
Yes, SSO integration with TechDirect is currently available. Once SSO is set up for your Premier account, you can sign into TechDirect via SSO.

Identity provider (IdP) technical setup

What is IdP-initiated single sign-on and SP-initiated single sign-on? 

The two initiations refer to where the user signs in to organization applications. Single sign-on can start at the identity provider (IdP) or service provider (SP). 

IdP-initiated single sign-on is when authentication starts in the identity provider. Once authenticated, the user doesn't need to sign in again to use any linked service provider (application).  

SP-initiated single sign-on is when the user starts at the service provider (application). The service provider redirects the user to the identity provider for authentication. Once authenticated, the user can access the service provider services. 

What is an identity provider group? How do I manage my identity provider groups? 

An identity provider (IdP) group organizes and manages user access to applications. IdP group names are visible when inviting the IdP admin. The IdP Admin makes changes to the group through the identity provider. 

What identity providers does Dell support?
Any identity provider (IdP) that supports SAML 2.0 can integrate with Dell.
 
Can an external managed service provider configure my identity provider?
Yes, external managed services providers can set up your identity provider on the Dell Identity Portal. The external managed service must have the same email domain as the identity provider to turn on single sign-on.

How should a customer set up single sign-on in the identity provider staging environment before production?
Create the identity provider on the production environment. To test single sign-on, use the test feature in the production environment. This won't impact active users and only turns on single sign-on for a predefined email address. If the test is successful, turn on single sign-on for all users.

Can an identity provider group have many identity providers?
Yes, an identity provider group can have many identity providers.

How can I turn off an identity provider when another identity provider with the same entity ID is turned on?
Each identity provider must have a unique entity ID. Follow the steps to turn on the inactive identity provider.
 

  1. Edit the active identity provider, called IdP1.
  2. Change the entity ID and add _042523 to the end.
  3. Save IdP1.
  4. Turn on the inactive identity provider, called IdP2.
  5. Click Edit IdP and add _042523_Test to the end of the entity ID.
  6. Save IdP2.
  7. Edit IdP1 to remove _042523 from the end of the entity ID.
  8. Save IdP1.

Both IdP1 and IdP2 will be active.

Can more than one identity provider use the same domain?
No, an identity provider can only use one domain.

Can an identity provider group support more than one domain?
Yes, an identity provider group can use more than one domain.

How do I set up IdP-initiated single sign-on for Azure?
In the identity provider, go to the protocol tab. Look for the application you want to set up with IdP-initiated single sign-on. In the IdP-initiated SSO section, click Supported Applications.

Copy the application’s Relay URL/Target URL. In Azure’s identity provider, paste the URL in the Relay State (Optional) field.

SSO Domains & Claims

How does domain registration work? Can all users with this email domain use single sign-on?
Single sign-on setup is at the domain level. You can allow some users or existing Premier users access instead. We recommend your site administrator onboards your entire organization.

Should I register each domain if my organization has many domains?
You can use one identity provider for many domains.

What claims are defined during single sign-on setup?
Required claims

  • First name
  • Last name
  • Email address
  • UUID (universal unique identifier, defaults to email address)
Optional claims
  • Member of
  • Country code
  • Employee type

Premier Sign In 
If an error is observed when switching between MyAccount and Premier, select "Log out" and log in with SSO through www.dell.com/account.

Article Properties
Article Number: 000216854
Article Type: How To
Last Modified: 20 Sep 2024
Version:  20