Single Sign-On Overview
Single Sign-On (SSO) enables users to sign into the Claravine platform using their organization-managed credentials, instead of managing a different login specific to Claravine. In practice, this changes the Claravine login page to have users log in at your company’s login page like the example below.
SSO is an enterprise feature that greatly increases overall security by letting an organization manage its users in one place. For example, if a user leaves an organization, their Claravine access is automatically turned off when the IT group disables their company account. SSO also reduces the data security risk carried by Claravine Admins, because they no longer control who does and doesn’t have access to the application.
SSO is available based on a customer's subscription tier. Please reach out to your CSM and/or Account Executive for more details.
SSO Implementation Types
Claravine offers flexible SSO integration types to match the needs of each organization:
SSO authentication and authorization
Customer's Security/IT Team manages users (internal and external) by adding attributes to the user in the organization's Identity Provider. These attributes will specify what kind of access the user should have in Claravine: no access, user access, manager access, or admin access.
- Group access and Permissions are assigned in Claravine. (SSO determines access and role)
- Non-employees/third-party agencies are added to the Customer's directory—either by giving outside agencies organization-specific accounts or by specifying attributes on outside account email addresses
SSO authentication only
Customer's Security/IT Team manages users (internal and external) by adding attributes to the user in the organization's Identity Provider. These attributes specify only whether the user should have access to Claravine: no access or access.
- User type, Group access, and Permissions are managed by admins in Claravine. (SSO determines access only)
- Non-employees/third-party agencies are added to the Customer's directory—either by giving outside agencies organization-specific accounts or by specifying attributes on outside account email addresses
SSO authentication in addition to Claravine authentication
Customer's Security/IT Team manages internal users only, and admins manage external users in Claravine.
- User type, Group access, and Permissions are managed by admins in Claravine. (SSO determines internal access only)
- Non-employees/third-party agencies are added directly in the Claravine platform and are not managed by the Customer's Security/IT Team.
- Reminder: Open a Claravine Support ticket when a non-SSO user leaves the agency/third party and their access should be disabled.
Next Steps
- Customer: Share this support article with your Security/IT team and determine the desired SSO implementation type. Provide the following information to your Customer Success Manager, who will loop in the Claravine Support team:
  - Identify the SSO type
  - Required go-live date
  - Name and email address of any Security/IT/SSO team member to be involved in this project
  - PNG logo to be used on the SSO login page (approx. 200x200)
  - SSO provider (SAML or OIDC)
- Claravine: Claravine Support will provide the staging account ACS URL and Entity ID.
- Customer: Using the ACS URL and Entity ID, return the staging Metadata XML file and Certificate in PEM or CER format for the staging account. Begin communicating to all users that the login procedure is changing.
- Customer and Claravine: Work closely to test the staging SSO configuration. Once it is confirmed that all 3 user roles are working as expected, Claravine Support will provide the production account ACS URL and Entity ID.
- Customer and Claravine: On the go-live date, test all 3 user roles to confirm they can log in.
Important Reminders
- Remember to communicate to all users of the upcoming change.
- Claravine Support will provide detailed instructions as we progress through the project.
- We require all steps to be completed no less than 24 hours prior to the requested go-live date. Without these steps being completed, we will not enable SSO.
Technical Architecture
Claravine partners with highly credentialed Auth0 for utmost security and flexibility.
Source https://auth0.com/security/
Auth0 interfaces directly with an SSO organization’s identity provider through one of many available SSO interfaces (e.g., SAML 2, Active Directory, ADFS, etc.), then Claravine connects to Auth0 through the OAuth 2 authorization code flow.
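As an added illustration of the OAuth 2 authorization code flow named above (example code, not Claravine's or Auth0's implementation), the Python below walks through one login: the application builds the /authorize redirect with a random state bound to the browser session, validates that state on the callback, and exchanges the one-time code server-side using the client secret. The tenant URLs, client ID and client secret are placeholders, and the authorization server is a constructed stand-in so the exchange runs offline; the upstream SAML/AD login that Auth0 performs before issuing a code is assumed to have succeeded.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholders: a real Auth0 tenant has its own domain, client ID and client secret (none are on the page).
AUTHORIZE_URL = "https://TENANT.example.auth0.com/authorize"
TOKEN_URL = "https://TENANT.example.auth0.com/oauth/token"
REDIRECT_URI = "https://app.example.com/callback"
CLIENT_ID = "client-id-placeholder"
CLIENT_SECRET = "client-secret-placeholder"   # held only on the application server, never in the browser


# ---- application (relying party) side ---------------------------------------------------

def start_login(session: dict) -> str:
    """Build the /authorize redirect. 'state' is random, stored server-side in this user's
    session, and must come back unchanged; it ties the callback to the browser that started it."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    params = {
        "response_type": "code",           # code flow: the browser only ever sees a one-time code
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile email",   # OpenID Connect scopes; email is what users are matched on
        "state": state,
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def handle_callback(session: dict, callback_url: str) -> str:
    """Validate the redirect back from the authorization server and return the code."""
    query = parse_qs(urlparse(callback_url).query)
    expected = session.pop("oauth_state", None)        # single use: a replayed callback finds nothing
    received = query.get("state", [""])[0]
    if not expected or not secrets.compare_digest(expected, received):
        raise PermissionError("state mismatch: callback was not started by this session")
    if "error" in query:
        raise PermissionError(f"authorization failed: {query['error'][0]}")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code


def exchange_code(code: str, post) -> dict:
    """Back-channel step: the server, not the browser, trades the code for tokens using the secret.
    'post' is injected so the example runs offline; in production it is an HTTPS POST to TOKEN_URL."""
    body = {
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
        "code": code,
        "redirect_uri": REDIRECT_URI,      # must equal the one sent to /authorize
    }
    tokens = post(TOKEN_URL, body)
    if "id_token" not in tokens:
        raise PermissionError(f"token endpoint refused the code: {tokens.get('error', 'unknown')}")
    return tokens


# ---- constructed stand-in for the authorization server (Auth0) ---------------------------

class SimulatedAuthServer:
    """Minimal model of /authorize and /oauth/token for this example only."""

    def __init__(self):
        self.issued = {}   # code -> (client_id, redirect_uri) it was issued for

    def authorize(self, authorize_url: str) -> str:
        q = parse_qs(urlparse(authorize_url).query)
        if q.get("response_type") != ["code"] or q.get("client_id") != [CLIENT_ID]:
            err = {"error": "unauthorized_client", "state": q.get("state", [""])[0]}
            return f"{REDIRECT_URI}?{urlencode(err)}"
        code = secrets.token_urlsafe(16)
        self.issued[code] = (q["client_id"][0], q["redirect_uri"][0])
        # The state is echoed back exactly as received; the server never interprets it.
        return f"{q['redirect_uri'][0]}?{urlencode({'code': code, 'state': q['state'][0]})}"

    def token(self, url: str, body: dict) -> dict:
        record = self.issued.pop(body.get("code"), None)     # codes are one-time
        if (record is None or body.get("grant_type") != "authorization_code"
                or record != (body.get("client_id"), body.get("redirect_uri"))
                or body.get("client_secret") != CLIENT_SECRET):
            return {"error": "invalid_grant"}
        return {"token_type": "Bearer", "access_token": secrets.token_urlsafe(16),
                "id_token": "id-token-placeholder"}


def login_round_trip(server: SimulatedAuthServer, session: dict) -> dict:
    """One complete code-flow login, returning the tokens the application server ends up holding."""
    redirect = start_login(session)
    callback = server.authorize(redirect)       # browser goes to the IdP, comes back with ?code&state
    code = handle_callback(session, callback)
    return exchange_code(code, server.token)


if __name__ == "__main__":
    print(login_round_trip(SimulatedAuthServer(), {}))
```

The two checks worth noticing are that the state is consumed on first use, so a replayed or forged callback is rejected before any code is exchanged, and that the code itself is single-use at the token endpoint, so it is worthless to anyone who sees it in a browser history or referrer.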
The diagram below illustrates an example of service provider-initiated login using SAML.
Frequently Asked Questions
What types of SSO providers does Claravine support?
Claravine has been able to support every enterprise identity provider requested, but feel free to send your identity provider to your CSM to confirm compatibility.
How do I transition Claravine users to SSO users without users losing access to their groups, templates, etc?
SSO users are matched to Claravine users by email address to ensure Claravine assets are unchanged. If for some reason the SSO email will be different from the Claravine email, Claravine can manually match the two email addresses together to ensure no productivity is lost.
How will I add users from my Claravine account?
Provide the user with the company-specific Claravine URL.
- SSO authentication and authorization: User access will be managed through your IT organization, which has flexibility depending on your specific setup. For example, you may opt to allow any user in your organization to access Claravine, or you may want to limit access to a specific department or list of users you provide to your organization’s IT group.
- SSO authentication only: User access will be managed within Claravine. After the user has logged in successfully, an Administrator will assign the group and permissions in Claravine by going to Admin>Users.
If you are loading a large number of users, communicate with your CSM for Claravine support.
How will I change users’ roles when that feature is managed outside Claravine?
Changing a user’s role also varies depending on your specific setup. If authorization is managed through your organization’s IT group, then you’ll need to work with them to change user roles. Once the user logs in the next time, their role will be updated. If your organization only manages authentication, then you’ll be able to change user roles directly in Claravine.
My IT organization added new users or changed a user’s role, but I don’t see that reflected in Claravine—what’s going on?
Changes made by your IT organization are only reflected in Claravine when that user attempts to log in. For example, when your organization’s IT changes a user to a Claravine Admin, you won’t see that user as an Admin in Claravine until that user logs into Claravine again.
A user no longer works for my organization, what do I need to know about their access to the Claravine platform?
The Security/IT/SSO team should remove the user's access to Claravine. After that is completed, the user no longer has access to Claravine. The user's submission data is not deleted or removed; it remains accessible to all Group users.
A non-employee user is no longer an employee at the agency, how do I remove their access?
We strongly recommend disabling the user by emailing the Claravine Support team. Please read our Delete vs. Disable support article.
What attributes are necessary to create an account?
Email address, first name, and last name.
How do I log out? Is there a log-out button?
Since being logged in is controlled via your SSO provider, there isn't a way from within Claravine to log out. To end your session, just close the Claravine window(s) on your browser.
If you need to log in with a different user account, use a different browser or an incognito-mode window.
How are user roles and permissions provisioned?
Claravine uses Just In Time (JIT) Provisioning and does not support IdP-initiated SSO. JIT Provisioning means new users are added at the time of login, and other updates (email, permission, roles) are applied upon their next login.
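An added example (not Claravine's code) of what just-in-time provisioning implies for an SSO-managed user table, covering both the "SSO authentication and authorization" and "SSO authentication only" types described earlier: accounts exist only after the user's own successful login, role changes from the identity provider take effect at the next login, a "no access" attribute denies login without creating anything, and matching is by email address, including a manual alias for the case where the SSO email differs from the Claravine email. The attribute name claravine_role, the default role for authentication-only accounts, and the sample assertions are assumptions made for this example.

```python
from dataclasses import dataclass

# Assumptions for this example: the page lists the required attributes (email, first name, last
# name) and the four access levels, but not how the identity provider names the role attribute.
ROLE_ATTRIBUTE = "claravine_role"                            # assumed attribute name
ACCESS_LEVELS = {"no access", "user", "manager", "admin"}    # the four levels from the page
REQUIRED = ("email", "first_name", "last_name")              # attributes needed to create an account


@dataclass
class User:
    email: str
    first_name: str
    last_name: str
    role: str
    logins: int = 0


class JitUserStore:
    """Constructed stand-in for the application's user table with just-in-time provisioning:
    nothing is written until the user's own login succeeds, and changes land at the next login."""

    def __init__(self, sso_manages_roles: bool, aliases=None):
        # True  -> 'SSO authentication and authorization': the IdP attribute decides the role
        # False -> 'SSO authentication only': the IdP decides access; admins set roles in-app
        self.sso_manages_roles = sso_manages_roles
        # Manual matches: SSO email -> existing account email, for users whose addresses differ
        self.aliases = {k.lower(): v.lower() for k, v in (aliases or {}).items()}
        self.users = {}   # email -> User

    def login(self, attrs: dict) -> User:
        missing = [a for a in REQUIRED if not attrs.get(a, "").strip()]
        if missing:
            raise ValueError(f"assertion lacks required attribute(s): {', '.join(missing)}")
        sso_email = attrs["email"].strip().lower()          # matched by email, case-insensitively
        email = self.aliases.get(sso_email, sso_email)

        role_attr = attrs.get(ROLE_ATTRIBUTE, "").strip().lower()
        if not role_attr or role_attr == "no access":
            raise PermissionError("identity provider grants this user no access")
        if self.sso_manages_roles:
            if role_attr not in ACCESS_LEVELS:
                raise PermissionError(f"unknown {ROLE_ATTRIBUTE} value {role_attr!r}; access denied")
            role = role_attr
        else:
            role = None   # any other value means 'access'; the role is set by an admin in-app

        user = self.users.get(email)
        if user is None:
            # First login: the account is created now, never ahead of time.
            user = User(email, attrs["first_name"].strip(), attrs["last_name"].strip(),
                        role or "user")   # assumed default for authentication-only accounts
            self.users[email] = user
        else:
            # Later logins: name changes, and role changes when the IdP owns roles, apply now.
            user.first_name, user.last_name = attrs["first_name"].strip(), attrs["last_name"].strip()
            if role is not None:
                user.role = role
        user.logins += 1
        return user

    def set_role(self, email: str, role: str) -> None:
        """Admin action in the application; only allowed when the IdP does not manage roles."""
        if self.sso_manages_roles:
            raise PermissionError("roles are managed by the identity provider for this account")
        if role not in ACCESS_LEVELS - {"no access"}:
            raise ValueError(f"unknown role {role!r}")
        self.users[email.lower()].role = role


if __name__ == "__main__":
    store = JitUserStore(sso_manages_roles=True)
    # Constructed sample assertion attributes, as the IdP would release them after login
    print(store.login({"email": "Ann.Lee@Example.com", "first_name": "Ann",
                       "last_name": "Lee", ROLE_ATTRIBUTE: "manager"}))
```

Because the store is only written during a successful login, an administrator who changes a user's attribute in the identity provider will see the old role in the application until that user signs in again, which is the behaviour the FAQ above describes.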
What's next: Read the How Do I Manage Users with SSO Knowledge Base article for more information.