Single Sign-On for Merck Group

miniOrange + Merck Group

Merck Group provides tools, services, and digital platforms to empower researchers from a wide range of fields to work more effectively. They offer one of the broadest portfolios in the industry for scientists and products for pharmaceutical development and manufacturing.

Problem 1:

Merck Group, a large organization with over 65,000 employees, found it challenging to provide Confluence access to all of their employees. They wanted to grant access to certain unlicensed users for their Confluence spaces and pages. However, they faced a dilemma with two possible solutions: allocating new licenses for all their users or making the pages public. While the former option meant increased costs, the latter posed security risks due to global accessibility of the page links. Neither of these options was viable for them.

The Solution:

After understanding their challenge, the miniOrange team brainstormed and provided a solution for Merck Group using the miniOrange SAML SSO plugin. This solution allows them to publish pages publicly while maintaining control through our SSO capabilities. To meet Merck Group's specific requirements, we expanded our SAML SSO app's functionality to include features like enabling guest access for external users and managing unlicensed or inactive Confluence users. This approach ensures that although the page is publicly accessible, guest users can only view it after authenticating through their Identity Provider (IdP) using the miniOrange SSO plugin. This solution successfully addressed their significant challenge, mitigating security risks and saving them on license costs.

Here's how the process works:

User Authentication via IdP:

The prerequisite for the solution is that guest users should be present in Merck's Identity Provider (IdP). The miniOrange SSO plugin acts as a bridge between Merck's Confluence and the IdP, facilitating authentication. When a guest user tries to access Merck Group's Confluence, they are automatically redirected to the IdP for authentication. Upon successful authentication, the user is granted access to Confluence with restricted permissions.

Viewing Anonymous Spaces and Pages:

Guest users authenticated through Merck's IdP can access designated Confluence public spaces and pages. This allows Merck Group to control which content is accessible to guest users and for how long it remains accessible, ensuring data security and compliance.

Problem 2:

Merck Group operates a single Jira instance with two different base URLs assigned to different sets of users. They require these users to perform Single Sign-On (SSO) and be redirected to their respective base URLs after SSO authentication. This means that if a user is accessing Jira from jira.abc.com, they should be redirected back to jira.abc.com after SSO, and if from jira.xyz.com, they should be redirected to jira.xyz.com after successful authentication from Azure AD.

The Solution:

In response to Merck Group's challenge with their Jira instance being accessible on two different base URLs, we developed a customized SSO solution tailored to their specific needs.

Here's how we addressed their needs:

Configured Separate Apps on Azure AD: To handle the distinct SAML requests effectively, we set up two separate applications on Azure AD. Each application corresponds to a specific base URL from Jira. This segregation allows Azure AD to differentiate between the incoming requests and process them accordingly.

Implemented Support for Multiple ACS URLs: On the Jira side, we enhanced the plugin to support multiple Assertion Consumer Service (ACS) URLs. This enables Jira to accept SAML responses directed to different ACS URLs, depending on which Azure AD application issued them. Consequently, each request is routed correctly for authentication and authorization. Additionally, we customized the Jira SAML metadata to match the base URLs. This strategy enables Jira to recognize and redirect users to the correct base URLs without requiring any adjustments on the Identity Provider's side.

By configuring separate apps on Azure AD and enabling support for multiple ACS URLs within Jira, we effectively handle the diverse SAML requests originating from the same Jira instance. This ensures seamless integration with Azure AD, enhancing the overall authentication and authorization processes and effectively addressing Merck Group's challenge.
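As an added illustration (not miniOrange's plugin code), the following Python sketches the Jira side of this design: one SP profile per base URL, validation of a SAML response's Destination, Recipient and Audience against the profile for the host it arrived on, and a post-login redirect that stays on that same host. The hostnames jira.abc.com and jira.xyz.com come from the case study; the ACS paths, entity IDs and the unsigned sample response are assumed or constructed here.

```python
from urllib.parse import urlparse
import xml.etree.ElementTree as ET

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol", "a": "urn:oasis:names:tc:SAML:2.0:assertion"}

# One SP profile per base URL, each registered as its own Azure AD app.
# Hostnames come from the case study; ACS paths and entity IDs are assumed.
SP_PROFILES = {
    "jira.abc.com": {"acs": "https://jira.abc.com/plugins/servlet/saml/auth",
                     "entity_id": "https://jira.abc.com/saml"},
    "jira.xyz.com": {"acs": "https://jira.xyz.com/plugins/servlet/saml/auth",
                     "entity_id": "https://jira.xyz.com/saml"},
}

# Constructed, unsigned sample of what the jira.xyz.com Azure AD app would post.
SAMPLE_RESPONSE = """<p:Response xmlns:p="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:a="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
 Destination="https://jira.xyz.com/plugins/servlet/saml/auth">
 <a:Assertion ID="_a1" Version="2.0"><a:Subject><a:NameID>alice</a:NameID>
 <a:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
 <a:SubjectConfirmationData Recipient="https://jira.xyz.com/plugins/servlet/saml/auth"/>
 </a:SubjectConfirmation></a:Subject><a:Conditions><a:AudienceRestriction>
 <a:Audience>https://jira.xyz.com/saml</a:Audience></a:AudienceRestriction>
 </a:Conditions></a:Assertion></p:Response>"""

def validate_response(host, response_xml):
    """Check Destination, Recipient and Audience against the profile of the arrival host (signature check out of scope)."""
    profile = SP_PROFILES.get(host.lower())
    if profile is None:
        return False, "unknown host"
    root = ET.fromstring(response_xml)
    if root.get("Destination") != profile["acs"]:
        return False, "Destination does not match this host's ACS URL"
    scd = root.find(".//a:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != profile["acs"]:
        return False, "Recipient does not match this host's ACS URL"
    aud = root.find(".//a:AudienceRestriction/a:Audience", NS)
    if aud is None or aud.text != profile["entity_id"]:
        return False, "Audience does not match this host's entity ID"
    return True, "ok"

def post_login_redirect(host, relay_state=None):
    """Return the user to the base URL they came from; RelayState is honoured only if it stays on that host."""
    host = host.lower()
    if relay_state:
        p = urlparse(relay_state)
        if p.scheme == "https" and p.netloc.lower() == host:
            return relay_state
    return f"https://{host}/"
```

A response meant for one base URL is rejected when it arrives at the other, which is the check that keeps the two Azure AD apps from being interchangeable.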

Our solutions provided significant benefits to Merck Group:

  • Cost Savings: By utilizing the guest login functionality of miniOrange's SAML SSO plugin, Merck Group avoided the need to provide licenses to all employees. This resulted in substantial savings on licensing costs.
  • Enhanced Security: Our solutions ensured that guest users were authenticated securely, mitigating significant security risks. This approach helped maintain the integrity and confidentiality of Merck Group's Confluence spaces and pages.
  • Efficient Resource Utilization: Merck Group was able to effectively manage two different sets of users accessing the same Jira instance based on their respective base URLs. This streamlined resource utilization and improved overall system efficiency.
  • Seamless SSO Experience: The implementation of our solutions made the Single Sign-On (SSO) process seamless, easy, and secure for all users. This enhanced user experience and productivity within Merck Group's IT ecosystem.

In summary, our solutions not only provided cost savings and improved security but also enabled efficient resource management and enhanced user experience through a seamless SSO process.

Your needs, Our solution:

Let's embark on a discovery call to explore how we can address your needs. Reach out to us at +1 978 658 9387 or email your inquiries to info@xecurify.com. We're eager to discuss how we can move forward together.