Single Sign-On
What is SSO?
Single sign-on (SSO) is a user authentication tool that enables users to securely access multiple applications and services using just one set of credentials.
How does SSO work?
SSO is built on the concept of federated identity, which is the sharing of identity attributes across trusted but autonomous systems.
When a user is trusted by one system, they are automatically granted access to all others that have established a trusted relationship with it.
Ardexa supports SSO using SAML 2.0.
What is SAML 2.0?
Security Assertion Markup Language (SAML) is an XML-based open standard for exchanging authentication and identity information between parties.
SAML 2.0 is specifically optimised for use in web applications, which enables information to be transmitted through a web browser.
How does SAML 2.0 work?
When a user tries to access a site, the identity provider passes a SAML authentication assertion to the service provider (Ardexa), which then grants the user access to the application.
Identity Provider
An identity provider, or IdP, stores, maintains and manages users' digital identities.
The IdP can either directly authenticate the user or provide authentication services to third-party service providers (web applications like Ardexa).
Service Provider
A service provider relies on the authentication performed by the identity provider to grant the user authorization.

In this scenario, the user has successfully connected to the company's Identity Provider (i.e. MS Entra). Because the company's IdP and Ardexa have established a trust relationship, the user only needs to enter their email; no password is required.
SSO - SAML Login
Login

Users that have been invited with an Identity Provider may log in by clicking the link beneath the login button: Continue with SAML SSO

Only the user's email is required to log in. Users will then be redirected to the Identity Provider for further authentication.
SSO User invite
NOTE: Ardexa admins must initially set an Identity Provider for the workgroup.
This is set in Admin > Workgroup > SETTINGS tab > SINGLE SIGN-ON tab
New SSO User
Once this is set, admins or workgroup owners may invite users by ticking the "Mandatory login using SAML SSO" option.

A confirmation dialog will be displayed to confirm that the user will log in via the IdP.

After confirming, set the appropriate permissions for the new user.
The user shall receive an invitation email that specifies the type of login method to be used, in this case, SSO login.
"Single Sign-on: This invite will enable you to login using SAML SSO associated in '[name]' workgroup."

The invitation link will redirect the user to the registration page of the App.
New users invited to log in via a SAML SSO Identity Provider are no longer required to set up a password.

After a successful registration, users will be redirected to the login page.
On the login page, click "Continue with SAML" and supply the email associated with the Single Sign-On.
Once the invite has been accepted, the invite link sent via email will no longer be available.

Multi-factor Authentication (MFA)
Once SSO login succeeds, MFA may or may not be required, depending on the IdP's configuration.
By default, however, Identity Providers are configured with MFA required.
MFA Required
Users will be asked to enable and set up their Multi-factor Authentication.
MFA Not Required
Users are redirected to the default page set up for the workgroup, or otherwise to the default landing page of the app.
Standard login user transition to SSO
Standard login users (those who sign in using an email and password) can be invited to use SSO by administrators or workgroup owners, provided that an Identity Provider has been configured for the workgroup.
Administrators and workgroup owners are exempt from the SSO transition process.
Go to Admin > Access > Select a user > Edit permissions

Tick the "Mandatory login using SAML SSO" option
Confirm the transition invite > then Update
Note that the user's SSO login column will display a warning icon. This indicator will be cleared once the user has accepted the SSO login method on their end.
The user (dev_user in this example) will receive an email notification indicating that they can now proceed to accept the SSO login method, along with instructions and guidelines on how to use it.

Upon logging in through the standard method, transitioning users will see a pop-up message notifying them about the availability of the new SSO login method.

Users may accept at a later time in the Profile page.

Clicking Accept will redirect the user to the Identity Provider, where they will be asked to log in.
A successful IdP login will redirect the user back to the Ardexa App and enable the SSO login method for future access.

If the IdP's MFA setting in the Ardexa app is set to NOT required, the user's MFA will be turned off after SSO is enabled.


If the login to the Identity Provider is unsuccessful, the user is returned to the Ardexa App with an error notification. In this case, the SSO login method is not activated, provided the error did not originate from the Identity Provider.