Single sign-on (SSO) authentication is an efficient login process in which users can log in to several applications with a single set of credentials. SSO is useful for organizations that use multiple applications, either daily or occasionally.
SSO allows organizations to:
- Control the strength of their employees’ passwords.
- Eliminate the need for the employees to remember multiple sets of usernames and passwords.
- Minimize the possibility of a security breach.
- Off-board employees easily.
Emplifi uses the XML-based Security Assertion Markup Language (SAML) protocol for SSO. The Emplifi SSO authenticator works with all identity providers (IdP) that support the SAML 2.0 protocol, including Okta, OneLogin, Google, Microsoft Entra ID (formerly Azure Active Directory), Shibboleth, and many others.
You must be an account admin or have the “Manage Single sign-on” permission on Global in Account Roles.
Set up SSO in your Emplifi account
To set up SSO, you must be an Account Admin (see Account Roles).
Setting up SSO is a complex technical task. We recommend that you involve the help of your IT department or your identity provider (IdP) administrator in the process.
Steps:
1. Go to Settings -> Single sign-on.
2. Click Setup SSO.
   The SSO configuration panel slides out.
3. Choose your SSO provider.
   - If you use Microsoft Entra ID (formerly Azure Active Directory), OneLogin, or Okta, click the corresponding icon.
   - If you use a different SSO provider (it must use the SAML 2.0 protocol to be compatible with the Emplifi SSO integration), click Other, and enter your provider's name.
4. Enter your domain name.
   The domain name will be used to construct the login domain URL, which is a unique URL address that your users will use to log in to the Emplifi account.
   For example, if you enter the domain name acme-org, the login domain URL will be acme-org.account.emplifi.io.
5. Click Next.
   You are asked to configure your SSO provider.
   You will have to switch to your SSO provider and perform some actions there, and then switch back to your Emplifi account.
6. Depending on what SSO provider you chose at Step 3, choose one of the following options:
   - If you chose Microsoft Entra ID (formerly Azure Active Directory), OneLogin, or Okta, go to Set Up SSO with the Cataloged SSO Providers and follow the instructions provided in the section about your SSO provider.
   - If you chose Other, go to Set Up SSO with Non-cataloged SSO Providers and set up parameters and attributes on your SSO provider's side.
7. Once you have configured your SSO provider and got the metadata (the URL to the metadata or the metadata file), enter the metadata details.
   For easier configuration, we recommend that you use the metadata URL whenever possible. With the metadata URL, you do not need to renew the certificate in the SSO configuration (see Renew the SSO certificate further down).
   - If you got the URL to the metadata, choose Metadata’s URL and paste the URL.
   - If you got the metadata file, click Manual configuration, and enter the login URL and certificate as they are specified in the metadata file. Optionally, you can also enter the logout URL.
8. Click Next.
   You are asked to finalize the SSO configuration.
9. Review the description of the available options further in this article, choose the option that fits your business needs, and proceed as described in the section of the article about the option that you chose:
   - Save & activate later
   - Activate SSO for all users
   - Activate SSO for some users
Save & activate later
This option saves the SSO configuration, but SSO will not be activated yet.
You can activate SSO at a later date from the saved configuration. You can edit the SSO configuration before activating SSO, or you can delete it and start over.
The saved SSO configuration will be kept pending for the next 60 days. If you do not activate the SSO within 60 days, the SSO configuration will be deleted, and the domain will be released. If you still want to set up SSO, you will have to start the process from the beginning.
Steps:
1. Click Save & activate later, and click Finish.
   The popup dialog opens asking whether you would like to test the SSO configuration before saving it.
   For information about what is going to be tested, see TBD.
2. Do one of the following:
   - If you do not want to test the SSO configuration before saving it, click Skip test and save.
     The SSO configuration is saved.
   - If you want to test the SSO configuration before saving it:
     1. Click Run test.
        A new browser window opens, and you are asked to log in to your SSO provider.
     2. Log in to your SSO provider using the same email address that you use to log in to the Emplifi account.
        Once you have successfully logged in, the login window closes, and the SSO configuration is tested and saved.
        The confirmation dialog opens.
     3. Click I understand to close the confirmation dialog.
The saved SSO configuration will be kept pending for the next 60 days. To edit the saved SSO configuration, see TBD. To activate the saved SSO configuration, see TBD.
Activate SSO for all users
This option activates SSO in the Emplifi account, and all users are switched to using SSO to log in to the Emplifi account. No user in the Emplifi account will be able to use their own credentials to log in, and you will not be able to add users to the Emplifi account outside your SSO provider.
To be able to add a user outside your SSO provider, you have to change the SSO configuration from applying to all users to applying to some users only (see TBD).
Steps:
1. Click Activate SSO for all users, and click Finish.
   The popup dialog opens prompting you to test the SSO configuration before activating SSO.
   For information about what is going to be tested, see TBD.
2. Select all the checkboxes to confirm that you have read and understood the statements, and click Run test.
   A new browser window opens, and you are asked to log in to your SSO provider.
3. Log in to your SSO provider using the same email address that you use to log in to the Emplifi account.
   Once you have successfully logged in, SSO gets activated in your account.
   The login window closes, and the dialog opens confirming that SSO has been activated.
4. If you want to notify all the users in the Emplifi account that they now have to use their SSO credentials to log in, select the checkbox Send login information to all users.
5. Click Finish to close the confirmation dialog.
All users in the Emplifi account are now switched to using SSO to log in to the Emplifi account. If you selected to notify all the users in the Emplifi account about the SSO activation, each user has received an email with SSO login information.
Activate SSO for some users
This option activates SSO for some users in the Emplifi account and allows the other users to continue using their current credentials to log in. You will be able to add users to the Emplifi account outside your SSO provider.
Steps:
1. Click Activate SSO for some users, and click Finish.
   You are asked whether you want to exclude some users from switching to SSO.
2. Do one of the following:
   - If you want to exclude some users from switching to SSO, select the users whom you would like to exclude, and click Exclude users.
     The popup dialog opens prompting you to test the SSO configuration before activating SSO.
     For information about what is going to be tested, see TBD.
   - If you do not want to exclude any user from switching to SSO, click Skip.
     The popup dialog opens prompting you to test the SSO configuration before activating SSO.
     For information about what is going to be tested, see TBD.
3. Select all the checkboxes to confirm that you have read and understood the statements, and click Run test.
   A new browser window opens, and you are asked to log in to your SSO provider.
4. Log in to your SSO provider using the same email address that you use to log in to the Emplifi account.
   Once you have successfully logged in, SSO gets activated in your account.
   The login window closes, and the dialog opens confirming that SSO has been activated.
5. If you want to notify the users who were switched to using SSO in the Emplifi account that they now have to use their SSO credentials to log in, select the checkbox Send login information to SSO users.
6. Click Finish to close the confirmation dialog.
All users in the Emplifi account except for those whom you have excluded are now switched to using SSO to log in to the Emplifi account. If you selected to notify the users in the Emplifi account who were switched to using SSO about the SSO activation, each user has received an email with SSO login information.
Testing the SSO configuration before saving it or activating SSO
Testing the SSO configuration consists of the following steps:
- Checking for potential user conflicts
  If you have several Emplifi accounts and some users are in more than one of them, you have to delete these users from the account where you want to activate SSO. You can do it yourself or contact Emplifi Support.
- Confirming that all users use the same email to log in to your SSO provider and the Emplifi account
- Confirming that you provided metadata details for your SSO provider in the SSO configuration
- Checking the connection to your SSO provider
  You must log in to the Emplifi account with the same email address that you use to log in to your SSO provider.
Session duration
The SSO session timeout is seven days since the last activity (every time a user performs an action in the Emplifi account, their session timeout is reset to seven days).
The SSO provider can still log the user out at different time intervals based on its own rules and practices.
Log in to the Emplifi account with activated SSO
- If you are used to logging in through the Emplifi login page, do not forget to switch to the SSO login the next time you log in.
- The user can log in via companyname.app.emplifi.io and will be redirected to the external SSO provider login page for authentication (for example, companyname.onelogin.com/login).
  If the user is set up properly in both the SSO provider and Emplifi account, they will be redirected to the Emplifi account and will be able to log in successfully.
The domain name will be used to construct the login domain URL, which is a unique URL address that your users will use to log in to the Emplifi account.
For example, if you enter the domain name acme-org, the login domain URL will be acme-org.account.emplifi.io.
Log out of the Emplifi account with activated SSO
To log out of the Emplifi account, click your name in the bottom left, and then click the logout icon.
Edit and maintain the SSO configuration
To edit an existing SSO configuration (or a pending configuration):
1. Go to Settings.
2. Click Single sign-on.
3. Click Edit.
Once you make a change, a draft of the current implementation is automatically created.
You can then either activate SSO from the draft (it will replace the current setup and become the main and only SSO setup) or delete the draft.
Switch from “all users” to “some users”
This just enables inviting users as externals.
You do not need to redo any of the SSO configuration, and nothing changes for the existing users who currently log in through SSO.
Switch from “some users” to “all users”
tbd
Renew the SSO certificate
If your current SSO configuration uses the metadata URL to obtain the certificate, you do not need to renew the certificate in the SSO configuration as long as the URL does not change and points to a valid certificate. Once the certificate at the URL is renewed, the SSO configuration automatically retrieves and recognizes it.
The certificate has a defined validity period and will expire after a certain date. To ensure uninterrupted access to the Emplifi platform, you must renew the certificate before it expires. If you do not renew the certificate, you and your users will not be able to log in to the Emplifi platform.
To find out the certificate expiration date and how many days are left before it expires, go to Settings -> Single sign-on, and check your current SSO configuration.
You can renew the certificate using one of the following methods:
- Automatic rollover
  You provide a metadata URL, and the SSO configuration automatically retrieves the certificate from the URL. As long as the URL does not change and points to a valid certificate, you do not need to renew the certificate in your SSO configuration.
  This is the recommended method of renewing the certificate. It minimizes manual intervention and reduces the risk of service disruption.
- Manual rollover
  You create a pending SSO configuration with a new certificate and then activate it while the current certificate is still valid.
  A drawback of the manual rollover is that you will have to renew the certificate in the SSO configuration again when the certificate’s expiration date gets closer. If you do not renew the certificate before it expires, you and your users will not be able to log in to the Emplifi platform. Therefore, we recommend that you choose the automatic rollover whenever possible.
We recommend that you involve the help of your IT department in advance of the certificate expiration date to obtain the new certificate or updated metadata URL.
Automatic rollover
The automatic rollover is the recommended method of renewing the certificate.
Manual rollover
Manage users
Each user is recognized by an Identifier (nameId), which must be the company email (email set on the IdP side).
Ensure that all users have the correct Identifier filled in the Emplifi account so they are recognized when attempting to log in via the SSO provider. Otherwise, their access will be denied.
If a user has access on the SSO IdP side but doesn’t have the access set up in the Emplifi account, the verification/authentication will fail.
Add non-SSO users to your Emplifi account with SSO “Activate for all”
You can allow external users (users outside your SSO organization) to be added to your Emplifi account.
You have probably set up your Emplifi account as a strictly SSO account, so only users using your organization's SSO can be added and can log in.
However, you can also enable access for users outside your organization.
1. Click the Summary tab and select Activate SSO for some users.
   With this new setup, all users that were already migrated to use SSO login to the Emplifi account will continue using their SSO login, but you will be able to add new users who will set up their email password to log in.
2. Invite a user. In the Invite new user dialog window, de-select the checkbox User will use single sign on to login.
Add non-SSO users to your Emplifi account with SSO “Activate for some”
Invite a user. In the Invite new user dialog window, de-select the checkbox User will use single sign on to login.
Switch an SSO user to non-SSO
You can switch an SSO user to a non-SSO user in the User detail section but ONLY before the user logs in with their SSO.
Switch a non-SSO user to SSO
You can switch a non-SSO user to an SSO user in the User detail section.
Switching the user back to non-SSO is possible only through Support.
Deprovision a user
Deprovisioning a user on the IdP side is immediate and will prevent the user from logging in to the Emplifi account. However, they will still be listed as a user in the Emplifi account until manually removed by the admin.
Removing a user from the Emplifi account does not remove the SSO login from them. If you add them again, they will still have SSO assigned.
Deactivate SSO in the Emplifi account
Contact Emplifi Support.
After SSO is deactivated, the users will receive an email about resetting their password. Their old passwords should also work.
You will have the option of activating SSO again for the next 30-60 days before the pending configuration gets deleted.