Emplifi is fully committed to the security and protection of our users and provides the ability to log in to the platform via single sign-on providers.
Single sign-on (SSO) authentication is a login process in which users log in to several applications with a single set of credentials. It is useful for organizations that use multiple applications, either daily or occasionally. SSO lets organizations control the strength of their employees’ passwords and also eliminates the need for employees to remember several usernames and passwords.
What you will learn in this article:
- Compatibility
- Why use SSO to log in to the Emplifi Platform?
- Activating SSO for the Emplifi Platform
- Setting up SSO for the Emplifi Platform
- Testing the configuration before activating the SSO
- Logging in when the SSO is activated
- Users
- SSO Parameters & Attributes
Compatibility
Emplifi uses the XML-based Security Assertion Markup Language (SAML) protocol for SSO. The Emplifi SSO authenticator will work with all identity providers (IdP) that support the SAML 2.0 protocol, including Okta, OneLogin, Google, Microsoft Azure, Shibboleth, and many others.
Why use SSO to log in to the Emplifi Platform?
The main benefits include:
- Your IT department controls the password strength required for your applications.
- The risk of a security breach is reduced.
- Offboarding is easy: removing a user at the identity provider removes their access.
- No more “forgotten passwords”.
- No need to remember multiple sets of credentials.
Activating SSO for the Emplifi Platform
To activate the SSO, you can contact your customer success manager or you can request the integration through the Integrations & API section in Settings in your Emplifi account:
- Go to Emplifi Platform account settings
- Open Integrations & API
- Find the SSO Integration and hit the Request button. Your customer success manager will be notified about your request and they will get back to you as soon as they can.
Once the SSO is activated for your account, it will need to be set up.
Setting up SSO for the Emplifi Platform
To set up the single sign-on, head to the SSO self-service section in the Settings section of the Emplifi Platform. The section is available only after the feature has been activated, and by default, it's only visible to users with admin rights.
The following part of the guide is technical. You may need to involve your IT department or your identity provider (IdP) administrator in the process.
1. Click the “Set up SSO” button to begin the process.
2. Choose or set up your SSO provider.
2a. Emplifi is listed in the Okta, OneLogin, and MS Azure catalogs. If you use one of these IdPs, select it.
2b. Many other providers are compatible with the Emplifi SSO integration as long as they use the SAML 2.0 protocol. If this is your case, please select "Other" and let us know your provider's name.
3. Set up your login domain. The login domain is a unique URL address that your users will use to log in to Emplifi, for example, companyname.app.emplifi.io.
4. Check and set up your SSO parameters and attributes.
4a. If you're using one of the cataloged identity providers (Okta, OneLogin, or MS Azure), you can refer to this article for a detailed description of how to set up the Emplifi SSO.
4b. If you’ve selected “Other” for the identity provider, you’ll need to set up various parameters and attributes on your SSO provider's side.
The configuration options and attribute names vary from provider to provider. We’re using the most common names. For more detailed descriptions please see the section “SSO Parameters & Attributes” below.
5. Use the Emplifi metadata URL that is generated for your selected domain, to configure the Emplifi Platform in your SSO provider.
6. When you finalize the configuration and insert the Emplifi metadata, you should be able to generate your identity provider’s metadata for Emplifi. Depending on your IdP, the metadata may be provided as an XML URL, or you may need to enter the parameters manually. In that case, switch to “Manual configuration” and copy-paste your Login URL, Certificate, and (optionally) Logout URL.
7. When everything is set, you can decide if you'd like to activate the SSO immediately (please see the next step), or later (click the "Save & activate later" button).
If you decide to activate it later, Emplifi will keep your SSO setup pending for the next 60 days.
If you do not activate the SSO within 60 days, Emplifi will release the domain. If at this time, you still wish to set up an SSO, you will have to start the process from the beginning.
8. When you decide to activate your SSO you can select from two options.
The option “Activate SSO for all users” switches all users to SSO login for the Emplifi platform. With this option, nobody in your account will be able to log in with their own credentials, and you won’t be able to add any user outside your SSO provider.
The option “Activate SSO for some users” lets you select existing users in your Emplifi platform who will continue using their current login credentials. It also lets you add new users outside your SSO provider later.
9. If you selected “Activate SSO for some users”, select in the next step the users you would like to exclude from the migration to SSO login.
Testing the configuration before activating the SSO
Before we activate the SSO for your Emplifi account, we need to ensure the setup is correct. For that purpose, we run a test that consists of:
- Checking for potential user conflict in other Emplifi accounts. A conflict can occur if you have several Emplifi accounts, and some users are in more than one of them. In such a case, you will be asked to remove the problematic users, or you can ask the Emplifi Support Team for help. The situation is displayed in the following screenshot.
- Confirming all users are using the same email to log in to your SSO and Emplifi account.
- Confirming you finished the SSO setup with the identity provider.
- Checking the connection to your SSO. Please make sure you are logged in to the Emplifi Platform with the same email address you use in your SSO.
In a new tab (window), your SSO login page will open. Please log in the same way you’re used to for any other application already in your SSO.
If everything is checked and confirmed, you should see one of the messages below. The message type depends on whether you’re activating the SSO right away or saving it for later.
Logging in when the SSO is activated
When the migration is complete, you can bookmark your new login page.
If you're used to logging in through the Emplifi login page, don’t forget to switch to SSO login next time you want to log in.
Users
Each user is recognized by an Identifier (nameId), which must be the company email (email set on the IdP side).
It is crucial that all users have the correct Identifier filled in the Emplifi account so they are recognized when attempting to log in via the SSO provider. Otherwise, their access will be denied.
If a user has access on the SSO IdP side but doesn’t have the access set up in the Emplifi account, the verification/authentication will fail.
- Deprovisioning a User
Deprovisioning a user on the IdP side is immediate and will prevent the user from logging in to the Emplifi account. However, they will still be listed as a user in the Emplifi account until manually removed by the admin.
- Login
The user can log in via companyname.app.emplifi.io and will be redirected to the external SSO provider login page for authentication (for example, companyname.onelogin.com/login).
If the user is set up properly in both the SSO provider and Emplifi account, they will be redirected to the Emplifi account and will be able to log in successfully.
- Log out
Any user can log out by pressing the Log out button in the Emplifi app.
SSO Parameters & Attributes
During the process, you may come across various parameters and attributes you need to set up in your IdP. These parameters are specific to each provider, so we cannot list all of them. Below we define the most important and common terms, and the names different providers use for them, to help you when setting up your SSO.
Please always consult the setup with the IdP representatives or check the guidelines of your SSO provider.
Identifier/Entity ID/Client ID:
This is the unique public identifier assigned to the client application. It is the value of the “entityID” attribute in the metadata XML file.
Redirect URL/Reply URL/Assertion Consumer Service (ACS) URL:
The URL to which the user is redirected once they are authenticated and authorized. It specifies where the application expects to receive the SAML token: the identity provider sends the SAML response to this URL, so you must register the exact location as part of the app registration process. You can use the additional Redirect URL fields to specify multiple Redirect URLs.
Login URL/Sign-in URL/Application URL:
The single sign-on initialization URL that needs to be used to log in. When a user opens this URL, the service provider redirects the user to the IdP to authenticate and sign in.
(Optional) Logout URL/Sign-out URL:
A URL you configure in your Identity Provider to log a user out from Emplifi when the Identity Provider initiates Single Logout (SLO).
Name ID format:
Defines the name identifier formats supported by the identity provider. Name identifiers are a way for providers to communicate with each other regarding a user. Single sign-on interactions support the following types of identifiers:
urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
urn:oasis:names:tc:SAML:2.0:nameid-format:transient
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName
urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName
urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos
urn:oasis:names:tc:SAML:2.0:nameid-format:entity
In Emplifi SSO integration we use Name ID = user.email or similar.
Recipient
The Recipient is associated with the Subject element of the SAML assertion, which describes the user (subject) for whom the authentication is performed. The IdP issues the subject data to a specific recipient (the service provider), which can then act on the assertion.
Audience
Specifies which service providers the assertion (token) is intended for.
The Audience is associated with the Conditions element of the SAML assertion, which states under which security conditions or context the assertion is valid (for example, the validity period of the assertion and who may consume it).
Typically, the Audience is the Entity ID of the service provider.
RelayState
RelayState is a URL parameter that can be used to redirect the user to a different application after the authentication flow finishes.
Attributes that should be added to SAML assertion:
UserEmail = User’s email
FirstName = User’s given name
LastName = User’s surname
If these attributes are present in the SAML response, we create or update the user from them on every login. If they are missing, the user is identified only by their email address, which must be the unique nameID of the user.
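As an added illustration (not Emplifi's code), the Python below applies the three binding checks described under Recipient, Audience and Users to a constructed SAML assertion (NameID must be the company email, Recipient must be our ACS URL, Audience must be our Entity ID) and then reads the UserEmail/FirstName/LastName attributes, falling back to the NameID alone when the attribute statement is missing. The SP Entity ID, ACS URL and sample user are assumed placeholders, and the XML signature check is assumed to happen before this step.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
REQUIRED_ATTRS = {"UserEmail", "FirstName", "LastName"}   # attribute names from the article
# Assumed placeholder SP values for this example, not Emplifi's real endpoints:
SP_ENTITY_ID = "https://companyname.app.emplifi.io/saml/metadata"
ACS_URL = "https://companyname.app.emplifi.io/saml/acs"
# Constructed sample assertion, signature omitted: these checks assume the SAML library
# has already verified the XML signature and the validity timestamps.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_1" Version="2.0">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@companyname.example</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData Recipient="https://companyname.app.emplifi.io/saml/acs"/></saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction><saml:Audience>https://companyname.app.emplifi.io/saml/metadata</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="UserEmail"><saml:AttributeValue>jane.doe@companyname.example</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="FirstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="LastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
# Same assertion without an AttributeStatement: the user is then known by NameID only.
SAMPLE_NO_ATTRS = SAMPLE_ASSERTION.split("<saml:AttributeStatement>")[0] + "</saml:Assertion>"

def check_assertion(xml_text, sp_entity_id, acs_url):
    """Return the user record the SP derives from the assertion; raise ValueError if it is not ours."""
    root = ET.fromstring(xml_text)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FMT or "@" not in (name_id.text or ""):
        raise ValueError("NameID must be the user's company email address")
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url:           # Recipient must be our ACS URL
        raise ValueError("Recipient does not match this SP's ACS URL")
    audiences = [a.text for a in root.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:                            # Audience must be our Entity ID
        raise ValueError("assertion is not addressed to this service provider")
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        if value is not None and value.text:
            attrs[attr.get("Name")] = value.text.strip()
    return {
        "email": name_id.text.strip(),                           # always taken from the NameID
        "first_name": attrs.get("FirstName"),
        "last_name": attrs.get("LastName"),
        "profile_from_attributes": REQUIRED_ATTRS.issubset(attrs),
    }
```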