Enabling single sign-on (SSO) gives enterprises using Hoylu Suite the ability to manage licensing and access through Azure Active Directory (AAD) group memberships. This utilizes an enterprise’s existing account management infrastructure.
In this document, we guide Hoylu administrators and AAD administrators through the steps required to enable SSO for their organization. We also provide an overview of the following features:
- Viewing accounts that are members of an organization
- Company access and security policies
If auto-assignment is disabled in your Management Portal together with AD integration, manual assignment of licenses is possible.
Important 2: If the organization has the auto-assignment option turned on and a user is not in the AD group, that user’s license will be automatically removed.
The Hoylu Management Portal is accessed at: https://manage.hoylu.com
If your organization does not yet have an administrator account for Hoylu Suite, please contact firstname.lastname@example.org.
This instruction guide is specific to organizations that are integrating with Azure Active Directory for their user accounts.
Sending a Request to an AAD Administrator
To enable single sign-on, select the Azure AD Administration option from the Management Options menu. Note: If this menu option is not available, please contact email@example.com to enable this advanced option.
Provide the email address for your organization’s Azure Active Directory administrator. This administrator does not need to have, or create, a Hoylu account.
After you submit your organization’s AAD administrator’s email address, the AAD administrator will be sent an email with two separate permissions requests. This email will be sent from firstname.lastname@example.org.
Note: The Hoylu administrator and the AAD administrator cannot use the same account, as Azure does not allow this for permissions granting.
AAD administrator permits Hoylu Suite to access AAD
It is important that your organization’s AAD administrator accepts both AAD permissions requests. For each request that is accepted, the Hoylu administrator will be sent a confirmation email.
1. Gives your organization’s AAD accounts the ability to sign in to Hoylu using single sign-on.
2. Gives your organization’s Hoylu administrator the ability to license specific AAD groups.
After your organization’s AAD administrator approves the permissions requests, the Hoylu Suite administrator will need to log in to the Hoylu Management Portal with their AAD credentials.
The Azure AD Administration menu option now gives administrators the ability to select specific groups to license.
Members of licensed groups will be automatically assigned a license when they log in and create a Hoylu account.
To license a group, select a group from the Available Azure AD Groups list and use the button to move it into the Azure AD Groups Licensed for Hoylu list.
To remove a group from licensing, select a group from the Azure AD Groups Licensed for Hoylu list and use the button to move it into the Available Azure AD Groups list.
Account & License Administration: Understanding Users and Licenses
Organization user accounts and licenses can be managed on the Users page.
• Total Users is the total number of users in your organization, broken down into Licensed and Unlicensed.
• Available Licenses is the total number of licenses able to be distributed to users.
• Expiration Date is the date the licenses expire.
• No. of Licenses is the number of licenses available to be distributed.
• If the Auto-assign licenses to users when they log-in option is selected, Hoylu will automatically assign available licenses to organization user accounts. The license is assigned when a user signs in.
Account & License Administration: Viewing Users
When a member of a licensed group in your organization signs in to Hoylu, a user account is created. These accounts can be viewed on the Users tab.
Currently Registered Users is a list of all member accounts within an organization.
- The Expiration Date is the date when the user’s license expires.
- The Last Access Date is the date when the user last logged in to a Hoylu application.
- The Filter names… search will filter on both name and email address.
Administrators cannot delete a user account. Administrators can remove an account from an organization. When an account is removed, the license is returned to the pool of available licenses.
Note: Any shared workspaces that are created while a user is with an organization continue to be “owned” by an organization after the user is removed. This is important for organizations that restrict workspace access to organization members.
To remove an account from an organization:
- On the Users page, scroll down to the Users List
- Select the account(s) to be removed by checking the box to the left of their name
- Click on the Remove Users button
- A Remove Users confirmation modal displays:
  • To cancel the removal – click Cancel
  • To continue with the removal – click OK
The Company Information page is not editable by organization administrators. This page provides visibility into the information that Hoylu has for an organization.
Administrators can view existing departments and add new ones.
To add or remove an administrator from your organization, contact email@example.com.
Contact firstname.lastname@example.org for updates to the following:
• Company Name
• Company Domain Name(s)
• Company Admin Emails
Documents can only be accessed by company accounts
When selected, this policy applies to all shared workspaces that are (and were) created by user accounts that are members of the organization. Authenticated accounts that are outside of the organization will have no access to organization workspaces. There is no guest (unauthenticated) access to organization workspaces.
However, there is a sub-policy that, once acknowledged, will allow workspaces to be shared with external users. On the application level, the workspace admin would need to add those external users into workspace permissions so they can have explicit access to the shared workspace.
Documents can only be edited by company accounts
When selected, this policy applies to all shared workspaces that are (and were) created by user accounts that are members of the organization. Authenticated accounts that are outside of the organization will have read-only access to the workspaces. Guest (unauthenticated) read-only access to workspaces is also enabled.
Require passwords for all documents
When selected, this policy applies to all workspaces that are newly created and shared by user accounts that are within the organization. Existing shared workspaces will not be required to set a password. The only restriction on password quality is that the password must have a minimum of 8 characters.
Workspaces are private by default
When selected, this policy applies to all workspaces newly created by user accounts that are members of the organization. The checkbox 'make this workspace private' is enabled by default.
Workspace admin permissions to all organization administrators
When selected, this policy applies to all workspaces that are (and were) created by user accounts that are members of the organization. User accounts with the organization administrator role are granted admin permissions to all workspaces.