Learn how to enhance security and at the same time ease the login process for all users by using SSO. 





Technical overview
• Protocol: 
SAML 2.0 involving interaction between an Identity Provider (IdP) and a Service Provider (SP).

• Identity Provider (IdP) / Service Provider (SP) roles: 
Accutics serves as the SP, relying on your company's identity management system (IdP) to verify users. Both IdP-initiated and SP-initiated flows are supported. 

• Authentication and permissions:
Manual, without Just-In-Time (JIT) provisioning. Users must be invited to the platform and their permissions are managed individually, including setting SSO requirements.





SAML 2.0 Single Sign-On (SSO) allows you to enhance both security and convenience by authenticating users through a single set of credentials that your organization manages. 


In other words, with SSO, users can sign in to your company's identity provider once and then be able to access Accutics without creating any further credentials. 


SSO can be enabled from the Account settings and is applied to all users. However, please note that 'applying' means that all users can use SSO but are not required to do so. The requirement to use SSO is set when inviting them. See the section on 'Applying SSO requirements to users'.


Note: Only users with an admin role can access Account settings. Please, reach out to us if you need to upgrade your user role or add more admins.




Setting up and enabling SSO (admins)

Note: Consider proceeding with the assistance of your IT department when setting up SSO. They can provide the necessary information and are likely familiar with the process.


To enable SSO you need an Admin role to access the Account settings first. Hence:

 

Click on the divisions bar > Settings icon by the account name > 'Security' > 'SAML 2.0 Single Sign-On (SSO)'


At this point, the setup page will open. Here you'll need to set up the SSO connection:


  1. Provide SSO configuration details

This is information that you need to obtain from your Identity Provider (IdP) and comprises the entity ID, SSO URL, and certificate.


  2. Configure your IdP with the Accutics details

Configure your IdP with the metadata under 'Accutics details'. This normally consists of adding Accutics as a Service Provider (SP) and inputting the entity ID, response (ACS) URL, and certificate we provide. 


Note: 
• SSO login URL is the URL that users will use to sign in to Accutics after the SSO is in place.
• SP metadata file contains the fields: SP entity ID and SP response (ACS) URL. 


  3. Enable and save

Click 'Enable and save' to finalize the setup. You can now require SSO when inviting users to the platform.


  4. Test

It is important that you test that the connection has indeed been established before starting to use SSO.


Once you have enabled SSO, a confirmation banner will appear. Hence:

  1. Click the 'Test SSO Login' button 
  2. Enter your SSO credentials


You should now be redirected back to Accutics without needing any additional credentials. If so, the test succeeded. If you do not get redirected or encounter any errors, you may want to check your SSO settings again. 


Tip: You can find the SSO login URL under the 'Accutics details' section. A shortcut will also appear on the side of the SSO option on the Security page. 



Disable SSO

To disable an active SSO, you have to delete the current setup. 


From 'Account settings' > 'Security' > 'SAML 2.0 Single Sign-On (SSO)' > 'Delete' 



Note: Deleting an SSO setup will also remove the 'Require SSO' settings linked to the users. 

If this is not the intended outcome, you may consider simply updating instead. To do so, make the necessary changes to the setup and then click 'Enable and save'.




Applying SSO requirement to users (admins)

If you have also set up MFA, you know that enabling MFA means that it becomes a requirement for all users. 

Enabling SSO, on the other hand, works a bit differently. The SSO requirement is tied to individual users when inviting them to the platform.  


Use case: When working with external stakeholders, you may want to require SSO for company employees only.

Additionally, not applying an SSO requirement to all users also ensures that at least one user still has access to Accutics in case of SSO failure. 


Hence, to set an SSO requirement for a new user:


'Settings' > 'Users' > 'Invite user' > Toggle on 'Single Sign-On'



To apply it to existing users instead:


'Settings' > 'Users' > Locate a user > Click the more menu (...) > 'Edit user' > Toggle on 'Single Sign-On'


This requires the user to go through SSO whenever they are accessing Accutics. Once set, the SSO setting cannot be disabled. 


Note: A user may have already been required to use SSO by a company other than yours. In this case, the SSO setting for that user will be disabled since users can be related to one SSO only. 





Profile activation and login with SSO

With SSO enabled, your profile activation and login may vary depending on whether it is also a requirement for you. 


SSO enabled

This means that you have both options to use SSO or not. 


Without SSO, you would sign in from the Accutics login page and input your credentials - email and password. 


With SSO, you may simply use the SSO login URL that your manager provided to access Accutics through the company's identity provider. 


SSO enabled and required

If SSO is required for your profile, it means you will always need to use SSO and access Accutics through your company's identity provider. You can do this by using the SSO login URL that you were provided.



Users with access to multiple companies

If you are an agency that works with many different customers, you may have access to different accounts in your profile. 


In this case, each company may require different authentication methods, and you may need to authenticate yourself again with the method required by the specific company.


Example

You have access to account A which requires SSO, and account B which requires MFA instead. 


In this scenario, to access account A, you'll have to use their SSO login URL to be authenticated using their identity provider. When switching to account B requiring MFA, you will be asked to input credentials and an OTP instead.