Single Sign-On Merck Group

Merck Group provides tools, services, and digital platforms to empower researchers from a wide range of fields to work more effectively. They offer one of the broadest portfolios in the industry for scientists and products for pharmaceutical development and manufacturing.

Merck Group, a large organization with over 65,000 employees, found it challenging to provide Confluence access to all of their employees. They wanted to grant access to certain unlicensed users for their Confluence spaces and pages. However, they faced a dilemma with two possible solutions: allocating new licenses for all their users or making the pages public. While the former option meant increased costs, the latter posed security risks due to global accessibility of the page links. Neither of these options was viable for them.

The prerequisite for the solution is that guest users should be present in the Merck’s Identity Provider (IdP). The miniOrange SSO plugin acts as a bridge between Merck’s Confluence and the IDP, facilitating authentication.When a guest user tries to access Merck Group's Confluence, they are automatically redirected to the IDP for authentication. Upon successful authentication, the user is granted access to Confluence with restricted permissions.

Guest users authenticated through Merck’s IDP can access designated Confluence public spaces and pages. This allows Merck Group to control which content is accessible to guest users and for how long it would be accessible, ensuring data security and compliance.

Merck Group operates a single Jira instance with two different base URLs assigned to different sets of users.They require these users to perform Single Sign-On (SSO) and be redirected to their respective base URLs after SSO authentication. This means that if a user is accessing Jira from jira.abc.com, they should be redirected back to jira.abc.com after SSO, and if from jira.xyz.com, they should be redirected to jira.xyz.com after successful authentication from Azure AD.

In response to Merck Group's challenge with their Jira instance being accessible on two different base URLs, we developed a customized SSO solution tailored to their specific needs.

Here's how we addressed their needs-

Configured Separate Apps on Azure AD: To handle the distinct SAML requests effectively, we set up two separate applications on Azure AD. Each application corresponds to a specific base URL from Jira. This segregation allows Azure AD to differentiate between the incoming requests and process them accordingly.

Implemented Support for Multiple ACS URLs: On the Jira side, we enhanced the plugin to support multiple Assertion Consumer Service (ACS) URLs. This enables Jira to accommodate SAML requests directed to different ACS URLs, based on the specific Azure AD application configured. Consequently, each request is routed correctly for authentication and authorization. Additionally, we customized the Jira SAML metadata to synchronize with the base URLs.This strategy enables Jira to recognize and redirect users to the correct base URLs without requiring any adjustments on the Identity Provider's side.

By configuring separate apps on Azure AD and enabling support for multiple ACS URLs within Jira, we effectively handle the diverse SAML requests originating from the same Jira instance. This ensures seamless integration with Azure AD, enhancing the overall authentication and authorization processes and effectively addressing Merck Group's challenge.

• Cost Savings: By utilizing the guest login functionality of miniOrange's SAML SSO plugin, Merck Group avoided the need to provide licenses to all employees. This resulted in substantial savings on licensing costs.
• Enhanced Security: Our solutions ensured that guest users were authenticated securely, mitigating significant security risks. This approach helped maintain the integrity and confidentiality of Merck Group's Confluence spaces and pages. Efficient Resource Utilization: Merck Group was able to effectively manage two different sets of users accessing the same Jira instance based on their respective base URLs. This streamlined resource utilization and improved overall system efficiency.
• Seamless SSO Experience: The implementation of our solutions made the Single Sign-On (SSO) process seamless, easy, and secure for all users. This enhanced user experience and productivity within Merck Group's IT ecosystem.