SSO best practice for Hub & Spoke

This article outlines best practices for integrating your identity provider (IdP) with a 6clicks Hub & Spoke environment.

The 6clicks Hub & Spoke environment provides a powerful way to separate and segregate data, use cases, and user access. To ensure the benefits of 6clicks Hub & Spoke are realized, 6clicks recommends the following SSO configuration with your identity provider (IdP).
When setting up SSO in your IdP (Microsoft Entra ID (formerly Azure AD), Okta, etc.), register the Hub and each Spoke as a separate application, so that each has its own Client ID. This gives a one-to-one mapping between your teams (the Hub and each Spoke) and the 6clicks applications in your IdP. Although this adds some initial overhead when setting up SSO, it results in a more secure configuration and a better overall experience for users accessing the Hub and Spokes.
From a security perspective, this configuration mirrors the Hub & Spoke boundary at the IdP level: each team corresponds to exactly one application, so access to a team, and therefore to its data, is granted by assigning a user to that team's application and nothing else. This provides an additional safeguard around managing user access within your Hub & Spoke environment. For the administrators managing your SSO, it also provides clear guardrails: when provisioning, they add users to the application for the intended team only, which reduces the likelihood of a user being granted access to the wrong team by mistake.
A further benefit for SSO administrators relates to user role creation and management. Because each Spoke is its own IdP application, role assignment is configured per application, so you can reuse the same user roles across all your Spokes or define different roles for different Spokes, depending on your use cases and organizational needs.
From a user experience perspective, having an application that corresponds to a specific team gives users a clear and direct way to navigate to the team they need from your IdP's application portal. Provided each application is configured to require user assignment (an option both Entra ID and Okta support), users see only the applications for the 6clicks teams they have been granted access to, rather than every team in the environment.
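The following is an added example (not 6clicks code, and not taken from this article) showing how the one-application-per-team model described above can be provisioned in Microsoft Entra ID with the Microsoft Graph PowerShell SDK. It creates one app registration and enterprise application per team, marks each as requiring user assignment so that only assigned users see it in My Apps, and assigns one security group per team. The team names, group names, and redirect URI pattern are hypothetical placeholders; substitute the values from your own 6clicks tenant.

```powershell
# Added example: one Entra ID application per 6clicks team (Hub + each Spoke).
# Requires the Microsoft.Graph PowerShell SDK. Names and URIs below are hypothetical.
Connect-MgGraph -Scopes "Application.ReadWrite.All","Group.Read.All","AppRoleAssignment.ReadWrite.All"

# Hypothetical mapping of 6clicks teams to the Entra security group that should access each.
$teams = @(
    @{ Name = "Hub";            Group = "6clicks-Hub-Users" },
    @{ Name = "Spoke-Finance";  Group = "6clicks-Finance-Users" },
    @{ Name = "Spoke-Legal";    Group = "6clicks-Legal-Users" }
)

# The all-zero role ID is Entra's built-in "default access" app role.
$defaultAccessRole = [Guid]::Empty

$results = foreach ($team in $teams) {
    # 1. A separate app registration per team => a separate Client ID (AppId) per team.
    $app = New-MgApplication -DisplayName "6clicks - $($team.Name)" `
        -SignInAudience "AzureADMyOrg" `
        -Web @{ RedirectUris = @("https://example.invalid/sso/$($team.Name.ToLower())") }  # hypothetical

    # 2. Enterprise application (service principal) with assignment required,
    #    so unassigned users cannot sign in to it and do not see it in My Apps.
    $sp = New-MgServicePrincipal -AppId $app.AppId -AppRoleAssignmentRequired:$true

    # 3. Grant exactly one group access to this team's application.
    $group = Get-MgGroup -Filter "displayName eq '$($team.Group)'"
    if (-not $group) { throw "Group '$($team.Group)' not found; create it before assigning." }

    New-MgGroupAppRoleAssignment -GroupId $group.Id `
        -PrincipalId $group.Id -ResourceId $sp.Id -AppRoleId $defaultAccessRole | Out-Null

    [pscustomobject]@{ Team = $team.Name; ClientId = $app.AppId; AssignedGroup = $team.Group }
}

# One row per team: confirm every team has a distinct Client ID before configuring 6clicks.
$results | Format-Table -AutoSize
if (($results.ClientId | Select-Object -Unique).Count -ne $results.Count) {
    throw "Client IDs are not unique across teams; the one-to-one mapping is broken."
}
```

Copy each Client ID from the output into the matching team's SSO settings in 6clicks. The final uniqueness check is the property this article depends on: if two teams ever share an application, a user assigned to one is implicitly granted the other.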
In summary, registering the Hub and each Spoke as a separate application in your identity provider (IdP) keeps data segregation, user access, and role assignment aligned with your team boundaries. The one-to-one mapping between IdP applications and 6clicks teams strengthens security, reduces provisioning errors, gives users clear navigation to the teams they can access, and offers flexibility in how roles are defined per Spoke.
 
For more information on SSO, please see: