SSO best practice for Hub & Spoke
This article outlines best practices for integrating your IdP in a Hub & Spoke environment.
The 6clicks Hub & Spoke environment provides a powerful way to separate and segregate data, use cases, and user access. To ensure the benefits of 6clicks Hub & Spoke are realized, 6clicks recommends that the hub and each spoke be configured as distinct applications within your IdP (Entra ID, Okta, etc.), meaning that each will have its own Client ID. In some circumstances, having a single IdP application associated with more than one spoke may be preferable from a user experience perspective. However, having separate applications ensures a one-to-one mapping between your teams and the 6clicks applications within your IdP, and an overall more flexible and secure configuration.
This configuration ensures that the segregation provided by 6clicks Hub & Spoke is also enforced at the IdP level, with a clear and logical boundary between all teams. This provides an additional safeguard around managing user access to teams, and in turn to data, within your Hub & Spoke environment. For the administration personnel managing your SSO, it provides clear guardrails to ensure they are adding users to the correct team and reduces the likelihood of human error when provisioning.
One further benefit for SSO administrators relates to user role creation and management. Having a one-to-one mapping between IdP applications and teams in a Hub & Spoke environment gives you the flexibility to use the same user roles within all your Spokes or create different user roles for different Spokes, depending on your use cases and organizational needs.
If you do choose to have multiple spokes associated with a single IdP application, you should rely on 6clicks role assignments, rather than IdP application assignment, to control which spokes users have access to. Create specific groups within your IdP for each spoke and then customize the role mappings within 6clicks accordingly to allow for distinct privileges across spokes.
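The difference between the two models above, one IdP application per team versus one shared application with group-based role mappings, is easiest to see as an access-resolution check. The following is an added illustration written for this article; it is not 6clicks code and does not use the 6clicks or any IdP API. The client IDs, group names, team names, roles and the `APP_TO_TEAM` / `GROUP_TO_TEAM_ROLE` tables are constructed sample data, and the assumption that assignment to a shared application alone does not distinguish between spokes (so the groups claim must be default-deny) is the point the article makes.

```python
from collections import defaultdict

# Constructed sample data for this illustration (not a real tenant configuration).

# Model A: one IdP application per team. The application's Client ID identifies
# the team, so assigning a user to an application is the access decision.
APP_TO_TEAM = {
    "client-id-hub": "hub",
    "client-id-spoke-emea": "spoke-emea",
    "client-id-spoke-apac": "spoke-apac",
}

# Model B: one shared IdP application for several spokes. Assignment to the
# application says nothing about which spoke; IdP groups carry the team and
# role, and the mapping below stands in for the role mappings kept in 6clicks.
GROUP_TO_TEAM_ROLE = {
    "sg-grc-hub-admins": ("hub", "Admin"),
    "sg-grc-emea-auditors": ("spoke-emea", "Auditor"),
    "sg-grc-emea-editors": ("spoke-emea", "Editor"),
    "sg-grc-apac-readers": ("spoke-apac", "Read Only"),
}

TEAMS = frozenset(APP_TO_TEAM.values())


def access_from_app_assignment(assigned_client_ids, app_to_team=APP_TO_TEAM):
    """Model A: return the set of teams a user reaches via per-team applications.
    Client IDs that are not mapped to a team are ignored (default deny)."""
    return {app_to_team[cid] for cid in assigned_client_ids if cid in app_to_team}


def access_from_shared_app(assigned_to_shared_app, groups, mapping=GROUP_TO_TEAM_ROLE):
    """Model B: return {team: set(roles)} resolved from the user's group claims.
    Assignment to the shared application is necessary but never sufficient; a user
    with no mapped group gets no team at all, and each team only receives the
    roles its own groups grant."""
    if not assigned_to_shared_app:
        return {}
    access = defaultdict(set)
    for group in groups:
        if group in mapping:  # unmapped groups grant nothing
            team, role = mapping[group]
            access[team].add(role)
    return dict(access)


def lint_group_mapping(mapping, teams=TEAMS):
    """Return review findings for a shared-application group mapping:
    groups pointing at a team that does not exist (stale or mistyped), and
    teams that no group can reach (SSO users would be locked out of them)."""
    findings = []
    for group, (team, _role) in mapping.items():
        if team not in teams:
            findings.append(f"{group}: maps to unknown team '{team}'")
    mapped_teams = {team for team, _ in mapping.values()}
    for team in sorted(teams - mapped_teams):
        findings.append(f"{team}: no IdP group grants access to this team")
    return findings


if __name__ == "__main__":
    # A user assigned to the EMEA spoke application only (Model A).
    print(access_from_app_assignment(["client-id-spoke-emea"]))
    # The same user under a shared application: access comes from groups, not assignment.
    print(access_from_shared_app(True, ["sg-grc-emea-auditors", "sg-grc-emea-editors"]))
    # Assigned to the shared application but in no mapped group: nothing is granted.
    print(access_from_shared_app(True, ["sg-all-staff"]))
    print(lint_group_mapping(GROUP_TO_TEAM_ROLE))
```

Running the lint step whenever the group mapping changes catches the two mistakes that a shared application makes easy: a group still pointing at a spoke that has been removed or renamed, and a spoke that SSO users can no longer reach at all.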