Summary
SSO, which stands for Single Sign-On, is a session and user authentication service that allows a user to use one set of login credentials (e.g., work/ company credentials) to access multiple applications. For Effectory this is applicable for the questionnaires, My Effectory and My Feedback.
What are the benefits of using SSO?
SSO is a big advantage for users, because:
- Control. By using SSO your organization will provision access based on active accounts in the email extensions that are managed by your organization.
- Greater security and compliance. SSO offers the possibility to make the network safer. Adding accounts for new employees and deactivating accounts at the end of employment is also easier with SSO, because the client is in control.
- Improved usability and employee satisfaction. By using SSO you only have one way of signing in. A user doesn’t have to remember multiple login names and passwords, when using different applications.
- Lower IT costs.
What are the applications of Effectory that I can use SSO for?
Effectory supports Single Sign-On in our systems, for logging in to questionnaires, My Effectory and My Feedback. It is highly recommended from our side to use SSO.
What systems are (not)supported by Effectory?
In order to use your own identity provider to log in to Effectory systems, some information has to be provided so that the configuration can be set up in our systems. Effectory enables SSO for customers if the customer uses Azure Active Directory, OpenID Connect SURFConnext & AFDS. If you use Office365 through your company account, it is an indication that you use Azure Active Directory.
Not supported systems and protocols
Unfortunately we cannot support all systems and protocols used for Single Sign-On. Effectory does not support the SAML protocol and does not support ADFS 3.0 or below. ADFS starting from Windows Server 2016 (v4.0) is supported by using the OpenID Connect protocol.
How to set up SSO?
Provide the right information to set up the configuration of SSO in our systems so that you can use your own identity provider to log in to Effectory systems.
See the tabs below for the supported systems and the steps to take to set up SSO.
Follow these steps (see also screenshot below) if you're using Azure AD. You probably need an Azure administrator to perform this, an HR contact might not have enough permissions to do this. Next, our development team will approve your request so that you can log in using your own Azure AD.
If you use an OpenID Connect protocol, please send the requirements listed below to helpdesk@effectory.com and then proceed to configure a client for Effectory in your identity provider. When setting up the configuration in your identity provider, take into account the following:
• A claim with the name “email” is required for authentication. The claims “given_name” and “family_name” are not required, but it would be preferable if they were also included in the token.
• Two scopes will be used to get the required information: ‘openid’ and ‘profile’.
• The callback URL used will be https://signin.effectory.com/openid/[identifier]/callback, where [identifier] is the identifier described below.
We recommend to arrange a test account so that Effectory’s development team can test the SSO implementation before enabling it for everyone.
1. An identifier for your identity provider, to be used by Effectory. A unique identifier is required to discern between different identity providers. This identifier will then be used in the login URL (https://signin.effectory.com/identifier) and in the callback URL. Provide your unique identifier using only alphanumeric characters, and no special characters or diacritics.
2. The list of domain names that are used in your provider. Please provide a comma-separated list of domains, e.g.: @example.com,@domain.com,@company.com. It is currently not possible to use private e-mail address like Gmail.
3. The e-mail address of the technical contact, that can be contacted in case of questions or issues.
4. Share the OpenID well-known endpoint. This is your authority URL followed by ‘/.well-known/openid-configuration’, e.g. https://login.domain.com/.well-known/openid-configuration.
5. Share your ClientId, a unique ID in your identity provider that allows Effectory to communicate with it and authenticate.
1. Your organization's name as known by SURFconext. Alternatively, you can look up your organization in the SURFconext metadata and provide us with the EntityID.
2. The list of domain names that are used in your provider.
Please provide a comma-separated list of domains, e.g.: @example.com,@domain.com,@company.com. It is currently not possible to use private e-mail address like Gmail.
3. The e-mail address of the technical contact, that can be contacted in case of questions or issues.
Once we have received the necessary information, we will arrange together with SURFconext that your organization can log in to Effectory's software.
Comments
Please sign in to leave a comment.