Single Sign-On (SSO): How to enable centralized authentication
In this article
What Single Sign-On (SSO) is
Single Sign-On (SSO) is an authentication mechanism that allows users to access an application using a single set of credentials managed by an external Identity Provider (IdP). An Identity Provider is a system that verifies a user’s identity, such as a corporate identity or access management system.
Instead of creating and maintaining separate usernames and passwords, users authenticate once with their organization’s identity system. They are then securely signed in to the platform without additional login steps.
The platform supports SSO using the following industry-standard protocols:
- SAML (Security Assertion Markup Language): A standard for exchanging authentication and authorization data between systems.
- OpenID Connect (OIDC): An identity layer built on OAuth 2.0 that uses tokens to authenticate users.
Both protocols provide secure, centralized authentication while delegating credential management to your Identity Provider.
Benefits of Single Sign-On
Single Sign-On provides advantages for both users and organizations.
-
Improved user experience
Users sign in once and access the platform without repeated login prompts. -
Enhanced security
Authentication is centralized, allowing enforcement of security policies such as multi-factor authentication (MFA). MFA requires users to verify their identity using more than one method. -
Simplified user lifecycle management
User onboarding, offboarding, and access changes are managed directly in the Identity Provider. -
Reduced operational overhead
Fewer password-related issues reduce support requests and administrative effort. -
Enterprise-ready integration
SSO meets enterprise requirements and integrates with existing identity and access management systems.
How Single Sign-On (SSO) works
Single Sign-On relies on a trust relationship between the platform (acting as the Service Provider or Client) and an external Identity Provider (IdP).
-
User attempts to access the platform
The user navigates to the platform and initiates the login process. -
User is redirected to the Identity Provider
The platform redirects the user to the configured Identity Provider. -
User authenticates
The user signs in using organizational credentials. Additional security checks such as MFA may apply. -
Identity Provider validates the user
The Identity Provider confirms the user’s identity and generates a secure authentication response. -
Authentication response is sent to the platform
The Identity Provider redirects the user back to the platform. -
Platform grants access
The platform validates the response, establishes a user session, and grants access.
Main difference between SAML and OIDC
- SAML uses assertions.
- OIDC uses tokens.
The user experience remains seamless in both cases.
How to set up Single Sign-On (SSO)
The setup process ensures that SSO is secure and functional. A technical contact from the Professional Services team supports you throughout the implementation.
Step 1: Configure authentication attributes
Your Identity Provider must send required user attributes during authentication.
These attributes are mandatory for both SAML and OIDC:
- User’s first name (example: Paul)
- User’s surname (example: Smith)
- User’s email address (example:
paul.smith@domain.com)
Attribute handling by protocol:
- SAML: Attributes are included in the SAML assertion.
- OIDC: Attributes are provided as claims in the ID token or through the user info endpoint.
Step 2: Exchange configuration details
The configuration process depends on the selected protocol.
SAML setup
Provide your Identity Provider metadata to the assigned technical contact. This metadata must include:
- Security certificate(s)
- Authentication endpoints (URLs)
In parallel, configure your Identity Provider using the SSO metadata provided for:
- The test environment
- The production environment
OIDC setup
Provide the following Identity Provider details:
- Issuer URL
- Client ID
- Client secret
- Authorization, token, and user info endpoints (if not discoverable)
- Signing certificate or JWKS endpoint
You will receive the required platform configuration details for:
- The test environment
- The production environment
Step 3: Verify configuration in the test environment
Once the test environment is configured, a workshop is organized between your teams and the implementation team.
During this workshop:
- The SSO flow is tested end to end
- User attributes are validated
- Login and logout scenarios are verified
Step 4: Deploy SSO in the production environment
If testing is successful, the same SSO configuration is deployed in the production environment.
Deployment is completed within 72 hours.
Step 5: Verify SSO in the production environment
A final workshop is organized to validate, in the production environment, the same scenarios tested previously.
If validation is successful, all users can access the platform using Single Sign-On.