
Single sign-on (SSO) for Effectory software

Security and ease of access are vital for your organization. That's why we offer single sign-on (SSO)—a secure and efficient way to access multiple Effectory applications using just one set of login credentials. In this article, we’ll explain what SSO is, its benefits, and how it integrates with Effectory systems.

 

Understanding SSO

SSO is a user authentication service that enables you to use one set of login credentials—typically your company or work credentials—to access multiple applications. Once you log in to one SSO-enabled system, you automatically gain access to other connected platforms without needing to log in again.

 

The benefits of using SSO

SSO provides several key benefits:

  • Better control: Your organization can manage access based on active accounts within your company’s email domain, ensuring only authorized users can log in
  • Enhanced security and compliance: Easily add new employees or deactivate accounts for departing employees, keeping your systems secure and compliant
  • Improved usability: With SSO, users only need to remember one set of login credentials, making it easier and faster to access multiple applications
  • Reduced IT costs: Fewer password-related issues mean less demand on your IT support, saving time and resources

 

SSO for Effectory applications

Effectory supports SSO for all our systems. This includes:

  • Questionnaires
  • My Effectory
  • Your Feedback

We recommend setting up SSO for a smoother and more secure user experience across these applications.

 

Set up instructions per identity provider

We support and recommend the use of SSO to securely access our systems. Below you will find general requirements and specific instructions to integrate with:

  • Azure Active Directory/Microsoft Entra ID
  • OpenID Connect
  • SURFconext
  • ADFS

For SSO to work without issues, we need specific data from you. Please make sure to include the User Principal Name (UPN) when you are asked for employee data.

 

SSO with Azure Active Directory/Microsoft Entra ID

Follow these steps if you're using Azure AD/Microsoft Entra ID.

 

SSO with OpenID Connect

If you use the OpenID Connect protocol, please send the requirements listed below to helpdesk@effectory.com and then proceed to configure a client for Effectory in your identity provider.

When setting up the configuration in your identity provider, take into account the following:

  • Effectory supports: The implicit and the authorization code flow in OpenID Connect.

  • Claims required: A claim with the name “email” is required for authentication. The claims “given_name” and “family_name” are not required, but preferable.

  • Scopes: Two scopes will be used to get the required information: ‘openid’ and ‘profile’.

  • Callback URL: The callback URL used will be https://signin.effectory.com/openid/[identifier]/callback, where [identifier] is the unique identifier for your identity provider.

We recommend arranging a test account so that Effectory’s development team can test the SSO implementation before enabling it for everyone.

 

OpenID Connect SSO requirements

To set up the configuration required, the following needs to be provided to Effectory:

  1. An identifier for your identity provider, to be used by Effectory. A unique identifier is required to distinguish between different identity providers. This identifier will then be used in the login URL (https://signin.effectory.com/identifier) and in the callback URL. Provide your unique identifier using only alphanumeric characters, with no special characters or diacritics.

  2. The list of domain names that are used in your provider. Please provide a comma-separated list of domains, e.g.: @example.com,@domain.com,@company.com. It is currently not possible to use private email addresses such as Gmail.

  3. The email address of the technical contact who can be contacted in case of questions or issues.

  4. Share the OpenID well-known endpoint. This is your authority URL followed by ‘/.well-known/openid-configuration’, e.g. https://login.domain.com/.well-known/openid-configuration.

  5. Share your ClientId, a unique ID in your identity provider that allows Effectory to communicate with it and authenticate.

  6. If you are using the authorization code flow, provide the client secret generated by your identity provider. Make sure not to share this via email. Instead, upload it to a secure location like My Effectory.
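
A pre-flight check an identity provider administrator could run on these details before sending them, as an added example that is not Effectory's own code. The function names, the identifier acme01 and the sample discovery document are hypothetical; the callback URL pattern, the scopes and the email claim are the ones listed above.

```python
import re

CALLBACK = "https://signin.effectory.com/openid/{identifier}/callback"

def callback_url(identifier):
    # ASCII letters and digits only; str.isalnum() would wrongly accept diacritics.
    if not re.fullmatch(r"[A-Za-z0-9]+", identifier):
        raise ValueError("identifier must be alphanumeric ASCII")
    return CALLBACK.format(identifier=identifier)

def parse_domains(csv):
    # Expected shape: "@example.com,@domain.com,@company.com"
    domains = [d.strip().lower() for d in csv.split(",") if d.strip()]
    bad = [d for d in domains if not re.fullmatch(r"@[a-z0-9-]+(\.[a-z0-9-]+)+", d)]
    if bad:
        raise ValueError(f"malformed domain entries: {bad}")
    return domains

def check_discovery(doc):
    """Return the problems found in an OpenID Connect discovery document."""
    problems = []
    if not doc.get("issuer", "").startswith("https://"):
        problems.append("issuer is not an https URL")
    # "code" = authorization code flow; "id_token" variants = implicit flow.
    flows = set(doc.get("response_types_supported", []))
    if not flows & {"code", "id_token", "id_token token"}:
        problems.append("no authorization code or implicit response type")
    # Both lists are optional in discovery: flag only a published list lacking the value.
    scopes = doc.get("scopes_supported")
    if scopes is not None:
        for scope in ("openid", "profile"):
            if scope not in scopes:
                problems.append(f"scope '{scope}' not advertised")
    claims = doc.get("claims_supported")
    if claims is not None and "email" not in claims:
        problems.append("required claim 'email' not advertised")
    return problems

# Constructed sample metadata, not taken from a real provider.
SAMPLE = {
    "issuer": "https://login.domain.com",
    "response_types_supported": ["code", "id_token"],
    "scopes_supported": ["openid", "profile", "email"],
    "claims_supported": ["sub", "email", "given_name", "family_name"],
}

if __name__ == "__main__":
    print(callback_url("acme01"))
    print(check_discovery(SAMPLE) or "discovery document looks compatible")
```

The redirect URI registered on the identity provider's client should match the value returned by callback_url exactly. The client secret is deliberately not handled here.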

 

SSO with SURFconext

Effectory supports SSO with SURFconext. If your organization uses SURFconext, send an email to helpdesk@effectory.com and ask for a SURFconext integration. Make sure that you provide the following information:

  1. Your organization's name as known by SURFconext or the EntityID from the SURFconext metadata

  2. The list of domain names used in your provider (comma-separated). Please note that it is currently not possible to use private email addresses such as Gmail

  3. The email address of your technical contact

 

SSO with ADFS

ADFS starting from Windows Server 2016 (v4.0) is supported when you use the OpenID Connect protocol.

 

Unsupported systems and protocols for SSO

Effectory does not support the SAML protocol and does not support ADFS 3.0 or below.