Single Sign-on (SSO)

The single sign-on (SSO) authentication is an efficient login process in which users can log in to several applications with a single set of credentials. SSO is useful for organizations that use multiple applications, either daily or occasionally.

SSO allows organizations to:

  • Control the strength of their employees’ passwords.

  • Eliminate the need for the employees to remember multiple sets of usernames and passwords.

  • Minimize the possibility of a security breach.

  • Off-board employees easily.

Emplifi uses the XML-based Security Assertion Markup Language (SAML) protocol for SSO. The Emplifi SSO authenticator works with all identity providers (IdP) that support the SAML 2.0 protocol, including Okta, OneLogin, Google, Microsoft Entra ID (formerly Azure Active Directory), Shibboleth, and many others.

You must be an Account Admin or have the “Manage Single sign-on” permission on Global in Account Roles (TBD).

Set up SSO in your Emplifi account

To set up SSO, you must be an Account Admin (see Account Roles).

Setting up SSO is a complex technical task. We recommend that you involve the help of your IT department or your identity provider (IdP) administrator in the process.

 Steps:

  1. Go to Settings -> Single sign-on.

  2. Click Setup SSO.
    The SSO configuration panel slides out.

  3. Choose your SSO provider.

    • If you use Microsoft Entra ID (formerly Azure Active Directory), OneLogin, or Okta, click the corresponding icon.

    • If you use a different SSO provider (it must use the SAML 2.0 protocol to be compatible with the Emplifi SSO integration), click Other, and enter your provider's name.

  4. Enter your domain name.
    The domain name will be used to construct the login domain URL, which is a unique URL address that your users will use to log in to the Emplifi account.
    For example, if you enter the domain name acme-org, the login domain URL will be acme-org.account.emplifi.io.

  5. Click Next.
    You are asked to configure your SSO provider.
    You will have to switch to your SSO provider and perform some actions there, and then switch back to your Emplifi account.

  6. Depending on what SSO provider you chose at Step 3, choose one of the following options:

  7. Once you have configured your SSO provider and got the metadata (the URL to the metadata or the metadata file), enter the metadata details.
    Note: For easier configuration, we recommend that you use the metadata URL whenever possible. With the metadata URL, you do not need to renew the certificate in the SSO configuration (see Renew the SSO certificate further in this article).

    • If you got the URL to the metadata, choose Metadata’s URL and paste the URL.

    • If you got the metadata file, click Manual configuration, and enter the login URL and certificate as they are specified in the metadata file. Optionally, you can also enter the logout URL.

  8. Click Next.
    You are asked to finalize the SSO configuration.

  9. Review the description of the available options further in this article, choose the option that fits your business needs, and proceed as described in the section of the article about the option that you chose:

    • Save & activate later

    • Activate SSO for all users

    • Activate SSO for some users
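
For the Manual configuration option in Step 7, the login URL, the optional logout URL, and the certificate can be read out of a SAML 2.0 metadata file as sketched below. This is an added example, not Emplifi code: the sample metadata is constructed, the function names are hypothetical, and preferring the HTTP-Redirect binding is an assumption because this article does not say which binding Emplifi expects.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
B = "urn:oasis:names:tc:SAML:2.0:bindings:"

# Constructed sample: host names are placeholders and the certificate body is
# filler text, not a real certificate.
SAMPLE_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
                     entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        PLACEHOLDERBASE64LINE1
        PLACEHOLDERBASE64LINE2==
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="{B}HTTP-Redirect"
                            Location="https://idp.example.com/saml/logout"/>
    <md:SingleSignOnService Binding="{B}HTTP-POST"
                            Location="https://idp.example.com/saml/sso-post"/>
    <md:SingleSignOnService Binding="{B}HTTP-Redirect"
                            Location="https://idp.example.com/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def _endpoint(idp, tag, required):
    """Pick one endpoint URL for `tag`, preferring the HTTP-Redirect binding
    (an assumption: the article does not say which binding Emplifi expects)."""
    found = idp.findall(f"md:{tag}", NS)
    if not found:
        if required:
            raise ValueError(f"metadata has no {tag} element")
        return None
    chosen = next((e for e in found if e.get("Binding") == B + "HTTP-Redirect"), found[0])
    url = chosen.get("Location", "")
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"{tag} is not an https URL: {url!r}")
    return url


def manual_config_from_metadata(xml_text):
    """Return the login URL, optional logout URL and signing certificate(s)."""
    # Metadata comes from outside: refuse DTDs so entity tricks never reach the parser.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("metadata with a DTD or entity declarations is refused")
    root = ET.fromstring(xml_text)
    idp = root.find(".//md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor (not IdP metadata)")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):  # no 'use' covers signing and encryption
            for node in kd.iterfind(".//ds:X509Certificate", NS):
                # Strip the line breaks and indentation around the base64 body.
                certs.append("".join((node.text or "").split()))
    if not certs:
        raise ValueError("metadata has no signing certificate")
    return {"login_url": _endpoint(idp, "SingleSignOnService", required=True),
            "logout_url": _endpoint(idp, "SingleLogoutService", required=False),
            "certificates": certs}


if __name__ == "__main__":
    for key, value in manual_config_from_metadata(SAMPLE_METADATA).items():
        print(f"{key}: {value}")
```

If the function returns more than one certificate, the IdP is publishing both its current and its next signing certificate, so confirm with the IdP administrator which one is in use before pasting it.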

Save & activate later

This option saves the SSO configuration, but SSO will not be activated yet.

You can activate SSO at a later date from the saved configuration. You can edit the SSO configuration before activating SSO, or you can delete it and start over.

The saved SSO configuration will be kept pending for the next 60 days. If you do not activate the SSO within 60 days, the SSO configuration will be deleted, and the domain will be released. If you still want to set up SSO, you will have to start the process from the beginning.

Steps:

  1. Click Save & activate later, and click Finish.


    The popup dialog opens asking whether you would like to test the SSO configuration before saving it.
    For information about what is going to be tested, see TBD.

  2. Do one of the following:

    • If you do not want to test the SSO configuration before saving it, click Skip test and save.
      The SSO configuration is saved.

    • If you want to test the SSO configuration before saving it:

      1. Click Run test.
        A new browser window opens, and you are asked to log in to your SSO provider.

      2. Log in to your SSO provider using the same email address that you use to log in to the Emplifi account.
        Once you have successfully logged in, the login window closes, and the SSO configuration is tested and saved.
        The confirmation dialog opens.

      3. Click I understand to close the confirmation dialog.

The saved SSO configuration will be kept pending for the next 60 days. To edit the saved SSO configuration, see TBD. To activate the saved SSO configuration, see TBD.


Activate SSO for all users

This option activates SSO in the Emplifi account, and all users are switched to using SSO to log in to the Emplifi account. No user in the Emplifi account will be able to use their own credentials to log in, and you will not be able to add users to the Emplifi account outside your SSO provider.

To be able to add a user outside your SSO provider, you have to change the SSO configuration from applying to all users to applying to some users only (see TBD).

Steps:

  1. Click Activate SSO for all users, and click Finish.


    The popup dialog opens prompting you to test the SSO configuration before activating SSO.
    For information about what is going to be tested, see TBD.

  2. Select all the checkboxes to confirm that you have read and understood the statements, and click Run test.


    A new browser window opens, and you are asked to log in to your SSO provider.

  3. Log in to your SSO provider using the same email address that you use to log in to the Emplifi account.
    Once you have successfully logged in, SSO gets activated in your account.
    The login window closes, and the dialog opens confirming that SSO has been activated.

  4. If you want to notify all the users in the Emplifi account that they now have to use their SSO credentials to log in, select the checkbox Send login information to all users.

  5. Click Finish to close the confirmation dialog.

All users in the Emplifi account are now switched to using SSO to log in to the Emplifi account. If you selected to notify all the users in the Emplifi account about the SSO activation, each user has received an email with SSO login information.


Activate SSO for some users

This option activates SSO for some users in the Emplifi account and allows the other users to continue using their current credentials to log in. You will be able to add users to the Emplifi account outside your SSO provider.

Steps:

  1. Click Activate SSO for some users, and click Finish.


    You are asked whether you want to exclude some users from switching to SSO.

  2. Do one of the following:

    • If you want to exclude some users from switching to SSO, select the users whom you would like to exclude, and click Exclude users.


      The popup dialog opens prompting you to test the SSO configuration before activating SSO.
      For information about what is going to be tested, see TBD.

    • If you do not want to exclude any user from switching to SSO, click Skip.


      The popup dialog opens prompting you to test the SSO configuration before activating SSO.
      For information about what is going to be tested, see TBD.

  3. Select all the checkboxes to confirm that you have read and understood the statements, and click Run test.


    A new browser window opens, and you are asked to log in to your SSO provider.

  4. Log in to your SSO provider using the same email address that you use to log in to the Emplifi account.
    Once you have successfully logged in, SSO gets activated in your account.
    The login window closes, and the dialog opens confirming that SSO has been activated.

  5. If you want to notify the users who were switched to using SSO in the Emplifi account that they now have to use their SSO credentials to log in, select the checkbox Send login information to SSO users.

  6. Click Finish to close the confirmation dialog.

All users in the Emplifi account except for those whom you have excluded are now switched to using SSO to log in to the Emplifi account. If you selected to notify the users in the Emplifi account who were switched to using SSO about the SSO activation, each user has received an email with SSO login information.


Testing the SSO configuration before saving it or activating SSO

Testing the SSO configuration consists of the following steps:

  1. Checking for potential user conflicts
    If you have several Emplifi accounts and some users are in more than one of them, you have to delete these users from the account where you want to activate SSO. You can do it yourself or contact Emplifi Support.

  2. Confirming that all users use the same email to log in to your SSO provider and the Emplifi account

  3. Confirming that you provided metadata details for your SSO provider in the SSO configuration

  4. Checking the connection to your SSO provider
    You must log in to the Emplifi account with the same email address that you use to log in to your SSO provider.

Session duration

The SSO session timeout is seven days since the last activity (every time a user performs an action in the Emplifi account, their session timeout is reset to seven days).

The SSO provider can still log the user out at different time intervals based on its own rules and practices.

Log in to the Emplifi account with activated SSO

  • If you are used to logging in through the Emplifi login page, do not forget to switch to the SSO login next time when you want to log in.

  • The user can log in via companyname.app.emplifi.io and will be redirected to the external SSO provider login page for authentication (for example, companyname.onelogin.com/login).
    If the user is set up properly in both the SSO provider and Emplifi account, they will be redirected to the Emplifi account and will be able to log in successfully.
    The domain name will be used to construct the login domain URL, which is a unique URL address that your users will use to log in to the Emplifi account.
    For example, if you enter the domain name acme-org, the login domain URL will be acme-org.account.emplifi.io.

Log out of the Emplifi account with activated SSO

To log out of the Emplifi account, click your name in the bottom left, and then click the logout icon.


Edit and maintain the SSO configuration

To edit an existing SSO configuration (or a pending configuration):

  1. Go to Settings.

  2. Click Single sign-on.

  3. Click Edit.


Once you make a change, a draft of the current SSO configuration is automatically created.

You can then either activate SSO from the draft (it will replace the current setup and become the main and only SSO setup) or delete the draft.

Switch from “all users” to “some users”

This only enables inviting users as external users.

You do not need to redo any part of the SSO configuration, and nothing changes for the existing users who currently log in through SSO.


Switch from “some users” to “all users”

tbd


Renew the SSO certificate

If your current SSO configuration uses the metadata URL to obtain the certificate, you do not need to renew the certificate in the SSO configuration as long as the URL does not change and points to a valid certificate. Once the certificate at the URL is renewed, the SSO configuration automatically retrieves and recognizes it.

The certificate has a defined validity period and will expire after a certain date. To ensure uninterrupted access to the Emplifi platform, you must renew the certificate before it expires. If you do not renew the certificate, you and your users will not be able to log in to the Emplifi platform.

To find out the certificate expiration date and how many days are left before it expires, go to Settings -> Single sign on, and check your current SSO configuration.


You can renew the certificate using one of the following methods:

  • Automatic rollover
    You provide a metadata URL, and the SSO configuration automatically retrieves the certificate from the URL. As long as the URL does not change and points to a valid certificate, you do not need to renew the certificate in your SSO configuration.
    This is the recommended method of renewing the certificate. It minimizes manual intervention and reduces the risk of service disruption.

  • Manual rollover
    You create a pending SSO configuration with a new certificate and then activate it while the current certificate is still valid.
    Warning: A drawback of the manual rollover is that you will have to renew the certificate in the SSO configuration again when the certificate’s expiration date gets closer. If you do not renew the certificate before it expires, you and your users will not be able to log in to the Emplifi platform. Therefore, we recommend that you choose the automatic rollover whenever possible.

We recommend that you involve the help of your IT department in advance of the certificate expiration date to obtain the new certificate or updated metadata URL.

Automatic rollover

The automatic rollover is the recommended method of renewing the certificate.


When you choose the automatic rollover, you provide the metadata URL in the SSO configuration. The metadata URL has to point to a certificate that either is already valid or will become valid at a later date but before the current certificate expires. When the current certificate expires, the SSO configuration will automatically retrieve and recognize the new certificate from the metadata URL.

As long as the metadata URL does not change and points to a valid certificate, you do not need to renew the certificate in the SSO configuration.

Steps:

  1. Obtain the metadata URL. Typically, you can get it from your IT department or directly from your SSO provider.
    Warning: Make sure that the URL points to a certificate that either is already valid or will become valid at a later date but before the current certificate expires.

  2. Go to Settings -> Single sign on.
    Your current SSO configuration is displayed.

  3. Click Edit on the SSO configuration.
    The SSO configuration panel slides out.

  4. Click Next.
    The Connection screen opens with your SSO provider configuration.

  5. Scroll down to the Identity Provider (IdP) Configuration section.

  6. Select Metadata’s URL, and paste the URL that you obtained at Step 1 into the Metadata’s URL field.

  7. Click Next.
    You are asked to finalize the SSO configuration.

  8. Depending on how your SSO is configured, select either Activate SSO for all users or Activate SSO for some users, and click Finish.


    The popup dialog opens prompting you to test the SSO configuration before activating it with the new metadata URL.

  9. Select all the checkboxes to confirm that you have read and understood the statements, and click Run test.


    A new browser window opens, and you are asked to log in to your SSO provider.

  10. Log in to your SSO provider using the same email address that you use to log in to the Emplifi account.
    Once you have successfully logged in, the login window closes, and the SSO configuration with the new metadata URL is tested, saved, and activated.
    The confirmation dialog opens.

  11. Click Finish to close the confirmation dialog.

Your SSO configuration is now activated with the metadata URL that points to a new certificate, but it will still be using the current certificate until it expires. When it happens, the SSO configuration will automatically retrieve and recognize the new certificate from the metadata URL.

You do not need to renew the certificate in the SSO configuration again unless the URL changes or the certificate that it points to expires or gets invalidated.

Manual rollover


When you choose the manual rollover, you create a pending SSO configuration with a new certificate next to your current SSO configuration. The new certificate has to either be already valid or become valid within 60 days but before the current certificate expires. The new certificate will be stored but will not yet replace the current one.

Then, you will have to activate the pending SSO configuration some time during the period when both current and new certificates are valid (that is, the current certificate is still valid and the new certificate is already valid). The pending SSO configuration with the new certificate will become active, replacing the current SSO configuration. The new certificate will replace the current - expiring - one.

A drawback of the manual rollover is that you will have to renew the certificate in the SSO configuration again when the certificate’s expiration date gets closer. If you do not renew the certificate before it expires, you and your users will not be able to log in to the Emplifi platform. Therefore, we recommend that you choose the automatic rollover whenever possible.

Steps:

  1. Obtain the new certificate. Typically, you can get it from your IT department or directly from your SSO provider.
    Warning: Make sure that the certificate either is already valid or will become valid within 60 days but before the current certificate expires.

  2. Go to Settings -> Single sign on.
    Your current SSO configuration is displayed.

  3. Click Edit on the SSO configuration.
    The SSO configuration panel slides out.

  4. Click Next.
    The Connection screen opens with your SSO provider configuration.

  5. Scroll down to the Identity Provider (IdP) Configuration section.

  6. Select Manual configuration, and paste the new certificate into the Identity Provider Certificate field.

  7. Click Next.
    You are asked to finalize the SSO configuration.

  8. Select Save & activate later, and click Finish.


    The popup dialog opens prompting you to test the SSO configuration before saving it with the new certificate.

  9. Click Run test.


    A new browser window opens, and you are asked to log in to your SSO provider.

  10. Log in to your SSO provider using the same email address that you use to log in to the Emplifi account.
    Once you have successfully logged in, the login window closes, and the SSO configuration with the new certificate is tested and saved as a pending SSO configuration.
    The confirmation dialog opens.

  11. Click I understand to close the confirmation dialog.
    The pending SSO configuration with the new certificate is displayed next to your current SSO configuration.


You now have the current - active - SSO configuration with the current certificate (that is still valid but will expire soon) and the pending SSO configuration with the new certificate (that either is already valid or will become valid within 60 days but before the current certificate expires).

Next step: Activate the pending SSO configuration
The pending SSO configuration will be kept for the next 60 days. You have to activate the pending SSO configuration some time during the period when both the current and the new certificates are valid (that is, the current certificate is still valid and the new certificate is already valid). The pending SSO configuration with the new certificate will become active, replacing the current SSO configuration. The new certificate will replace the current - expiring - one. This ensures continuity of authentication on the Emplifi platform.

If you do not activate the pending SSO configuration within the 60 days, it will be deleted together with the new certificate. If you do not create a new pending SSO configuration with the new certificate before the current certificate expires, you and your users will not be able to log in to the Emplifi platform, and you will need to contact Emplifi Support to restore the access.

Steps:

  1. Go to Settings -> Single sign on.
    Your current SSO configuration and the pending SSO configuration with the new certificate are displayed.

  2. Click Edit on the pending SSO configuration.
    The SSO configuration panel slides out.

  3. Click Next.
    The Connection screen opens with your SSO provider configuration.

  4. Click Next.
    You are asked to finalize the SSO configuration.

  5. Depending on how your SSO is configured, select either Activate SSO for all users or Activate SSO for some users, and click Finish.


    The popup dialog opens prompting you to test the SSO configuration before activating it.

  6. Select all the checkboxes to confirm that you have read and understood the statements, and click Run test.


    A new browser window opens, and you are asked to log in to your SSO provider.

  7. Log in to your SSO provider using the same email address that you use to log in to the Emplifi account.
    Once you have successfully logged in, the login window closes, and the pending SSO configuration with the new certificate is tested, saved, and activated, replacing the current SSO configuration. The new certificate replaces the current - expiring - one.
    The confirmation dialog opens.

  8. Click Finish to close the confirmation dialog.
    Only one - active - SSO configuration with the new certificate is displayed.

  9. Note the expiration date of the new certificate to make sure you renew it close to the date.
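
The timing rules of the manual rollover (the pending configuration is kept for 60 days, and it has to be activated while both certificates are valid) can be checked ahead of time with the added example below. It is not Emplifi code: the function names and dates are constructed, and it assumes the 60 days count from the moment the pending configuration is saved.

```python
from datetime import datetime, timedelta, timezone

PENDING_LIFETIME = timedelta(days=60)  # a pending SSO configuration is kept for 60 days


def utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)


def activation_window(saved_at, current_not_after, new_not_before, new_not_after):
    """Return (start, end) of the period in which the pending configuration can
    be activated, or raise ValueError saying why no such period exists."""
    pending_deleted_at = saved_at + PENDING_LIFETIME  # assumption: counted from saving
    if new_not_after <= saved_at:
        raise ValueError("the new certificate has already expired")
    if new_not_before >= current_not_after:
        raise ValueError("the new certificate becomes valid only after the "
                         "current certificate expires")
    if new_not_before >= pending_deleted_at:
        raise ValueError("the new certificate becomes valid only after the "
                         "pending configuration is deleted")
    # Both certificates valid, and the pending configuration still exists.
    start = max(saved_at, new_not_before)
    end = min(current_not_after, pending_deleted_at, new_not_after)
    if start >= end:
        raise ValueError("the current certificate expired before the pending "
                         "configuration was saved")
    return start, end


def rollover_status(now, window):
    """Classify a point in time against the activation window."""
    start, end = window
    if now < start:
        return "wait"       # new certificate is not valid yet
    if now < end:
        return "activate"   # both certificates valid, pending config still kept
    return "missed"         # current certificate expired or pending config deleted


# Constructed dates for illustration only.
SAVED_AT = utc(2025, 3, 1)
CURRENT_NOT_AFTER = utc(2025, 4, 15)
NEW_NOT_BEFORE = utc(2025, 3, 20)
NEW_NOT_AFTER = utc(2026, 3, 20)

if __name__ == "__main__":
    window = activation_window(SAVED_AT, CURRENT_NOT_AFTER, NEW_NOT_BEFORE, NEW_NOT_AFTER)
    print("activate between", window[0].date(), "and", window[1].date())
    print("status on 2025-04-01:", rollover_status(utc(2025, 4, 1), window))
```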

Manage users

Each user is recognized by an Identifier (nameId), which must be the company email (email set on the IdP side).

Ensure that all users have the correct Identifier filled in the Emplifi account so they are recognized when attempting to log in via the SSO provider. Otherwise, their access will be denied.

If a user has access on the SSO IdP side but doesn’t have the access set up in the Emplifi account, the verification/authentication will fail. 

Add non-SSO users to your Emplifi account with SSO “Activate for all”

You can allow external users (users outside your SSO organization) to be added to your Emplifi account.

You have probably set up your Emplifi account as a strictly SSO account, so only users who use your organization's SSO can be added and can log in.

However, you can also enable access for users outside your organization.

  1. Click the Summary tab and select Activate SSO for some users.

With this new setup, all users that were already migrated to use SSO login to the Emplifi account will continue using their SSO login, but you will be able to add new users who will set up their email password to log in.

  2. Invite a user. In the Invite new user dialog window, de-select the checkbox User will use single sign on to login.


Add non-SSO users to your Emplifi account with SSO “Activate for some”

Invite a user. In the Invite new user dialog window, de-select the checkbox User will use single sign on to login.


Switch an SSO user to non-SSO

You can switch an SSO user to a non-SSO user in the User detail section but ONLY before the user logs in with their SSO.


Switch a non-SSO user to SSO

You can switch a non-SSO user to an SSO user in the User detail section.

Switching the user back to non-SSO is possible only through Support.


Deprovision a user

Deprovisioning a user on the IdP side is immediate and will prevent the user from logging in to the Emplifi account. However, they will still be listed as a user in the Emplifi account until manually removed by the admin.

Removing a user from the Emplifi account does not remove the SSO login from them. If you add them again, they will still have SSO assigned.

Deactivate SSO in the Emplifi account

Contact Emplifi Support.

After SSO is deactivated, the users receive an email about resetting their password. Their old passwords should work as well.

You will have the option of activating SSO again for the next 30-60 days before the pending configuration gets deleted.
