Federation and Authentication with External Identity Providers

Security and privacy are priorities for Primero. To ensure the highest standards of security for the case workers and managers using the Primero system, as well as for the beneficiaries receiving case management services, the Primero team has been working hard to ensure proper protocols are in place.

For organizations interested in using Primero, the team works to federate identities for partners using enterprise directory services such as Active Directory and Lightweight Directory Access Protocol (LDAP). This means Primero is able to authenticate against the partner's organizational directory, giving users a seamless, secure, and branded login experience from any device, anywhere in the world.

Proper authentication ensures that the people logging into their accounts are who they say they are, preventing bad actors from accessing sensitive user data (such as telephone numbers or email addresses) or inappropriately accessing records within the Primero system. Effective authorization helps partners confirm that a user has the right level of access to an application and/or resource. Clear user management allows system administrators to update user access permissions and implement security policies, better enabling seamless and secure experiences and building trust with every user. The Primero team ensures we are protecting users at registration, at authentication, and during in-app activity with multi-factor authentication (MFA) and passwordless authentication.

As new partners become interested in using Primero, the Primero team works closely with their IT teams to federate identities and ensure a smooth single sign-on experience for case workers, case managers, and system administrators. For organizations where enterprise directory services are not in place, Primero has implemented a self-service registration, password reset, and account/username recovery process. To see how the process works, check out: Resetting Primero Identity User Password in Primero v2 and Reset Link for Organizational Identity Provider.

For country instances with Plan International SSO set up, whenever we add any Plan International users to the system we also need to add them to Okta (their identity management provider). To do that, we send global.helpdesk@plan-international.org the following:

1 - Country name
2 - URL of production site
3 - User’s name
4 - User’s email

They will then ensure the user's Plan profile is created properly so they can SSO into Primero.